For the first time, 18 global organizations from the oil and gas sectors are championing a unified approach to mitigating growing cyber risks and taking the Cyber Resilience Pledge. The action is in response to major security breaches in the past two years that have highlighted the vulnerability of Critical National Infrastructure (CNI). The pledge promotes a shift towards a resilience-by-design culture, ecosystem-wide cyber resilience plans, and greater collaboration between players.
This is great for the oil and gas industries, and for the nation at large, as those two sectors underpin a disproportionate amount of other CNI sectors. Their combined force also represents a vital Rubicon between the way our 21st-century society runs now and what it could devolve into if a cyberattack cut off access to planes, trains, automobiles, and home heating (to name several upstream parties). This unified approach to cyber resilience is a welcome shift, and one that we’ll look at in more depth as we examine the reliance of modern society on oil and gas, the challenges of securing them against malware and other malicious attacks, and what this unified approach brings to their security that wasn’t there before.
The Cyber Resilience Pledge
Global leaders in the oil and gas industry convened at the World Economic Forum Meeting 2022 to take the Cyber Resilience Pledge, saying, in essence, enough is enough. “Launched with the support of organizations engaged in the World Economic Forum’s Cyber Resilience in Oil and Gas initiative, the pledge seeks to empower organizations to take concrete steps to enhance cyber resilience across their industry,” reads the World Economic Forum article on the event.
Says Alexander Klimburg, Head, Centre for Cybersecurity, World Economic Forum, “First endorsed by key CEOs in the oil and gas value chain, the Cyber Resilience Pledge is a landmark step as it signals recognition of the complexities of building a cyber-resilient industry ecosystem and a commitment towards collective action to achieve it.” He continues, “The World Economic Forum Centre for Cybersecurity is proud to have led this effort in conjunction with our partners. We look forward to scaling the pledge to other industries in the future.”
The pledge aims to empower industries to increase cyber resilience in their vertical, mobilizing global commitment towards improving cyber resilience across all industries. The members who endorse it commit to taking collective action towards that end.
Global Dependence on Oil and Gas
Despite the ongoing global shift to green energy, as recently as 2019 nearly 85% of primary energy still came from coal, oil and gas, and fossil fuels took up a total of 64%. Although that number dropped in the US by 9% in 2020, the shift to complete dependence on renewable energy sources is still a long way off. The fact that oil and gas are still such a staple of everyday living justifies their status as ‘critical national infrastructure,’ meaning they are “considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
Important in and of themselves, oil and gas underpin most US critical national infrastructure sectors, as petroleum and natural gas are also used to produce electricity. The sectors are Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Financial Services, Food and Agriculture, Government Facilities, Healthcare, Information Technology, Nuclear, Transportation, Water, and of course, Energy – which includes oil, gas and electric.
Think about it – which one of these can run without electricity? Healthcare relies on digital records, wired operating rooms and lifesaving medical devices. Manufacturing isn’t done by hand, cell phone towers need power to communicate, and can you imagine what would happen if Wall Street were forced to trade securities without the internet for a week? As Steve Morgan, Editor-in-Chief of Cybercrime Magazine, stated, “A cyberattack could potentially disable the economy of a city, state or our entire country.”
While we’d like to shift the burden increasingly to renewables (and they did hit 29% of global electricity generation in 2020), the road to 100% sustainability is long, and infrastructure (like the Smart Grid) is still needed. Even that requires current energy resources. Given the absolute dependence of modern life on electricity and the fossil fuels that create it, we face what the oil and gas industries have teamed up to face: that we must invest in securing the energy sources we have now.
Cybersecurity Challenges Facing the Energy Sector
In recent news, we’ve seen firsthand the cybersecurity challenges faced by oil, gas and CNI sectors at large. Remember Colonial Pipeline? In May of last year, the major US petroleum supplier was hit by a ransomware attack from the DarkSide gang, resulting in a days-long shutdown of its East Coast fuel supply and a whopping $4.4 million ransom. The U.S. electric grid’s 7,000 power plants, 3,300 utilities, 55,000 substations, and over 2.7 million miles of power lines make it prone to massive cyberattacks, as noted by Energy Secretary Jennifer Granholm. In a past interview, Granholm stated that there were bad actors who were very much capable of shutting down the country’s electrical grid.
To illustrate ways in which they might do that, let’s examine one of 5 major threats facing electricity organizations last year: ransomware. Ransomware is expected to cost businesses over $20 billion this year, which Gartner predicts will push security spending to $172 billion.
Ransomware attacks were the most common threat to organizations that use operational technology (OT) in 2020, according to IBM Security X-Force, and that’s especially an issue for the electric industry, which oil and gas do so much to support. As Ted Koppel stated in his New York Times bestselling book, Lights Out, “the nature of the electric power industry is such that it combines modern technology with antiquated equipment. Some of that equipment is so large, so expensive, and so difficult to replace that it constitutes an entire category of vulnerability.” Old OT mixed with new IT is often a recipe for disaster in the power sector: outdated security models and old, unpatched vulnerabilities give cybercriminals an easy way in, from which they can pivot into the newly connected IT assets.
Other threats to CNI include state-sponsored attacks, disgruntled insiders, the rising threat of unsecured IoT (and Shadow IT), and the cyber talent shortage.
Proactive Cyber Resilience
Critical National Infrastructure (CNI) faces a plethora of cyber threats, and so long as those sectors represent vital interests of the American public – and are increasingly digitized – that’s not likely to change. As ransomware gangs ramp up operations, each individual power, water or healthcare organization represents a crucial link in the chain. As Amin H. Nasser, CEO of Saudi Aramco, stated, “As the world deepens its digital footprint, cyber threats are becoming more sophisticated…but one company, working alone, is effectively like locking the front gate while leaving the back door wide open.” Global oil and gas leaders joining forces to take the Cyber Resilience Pledge is a great start.