Is the oil & gas industry doing enough to protect critical assets from cybersecurity risks? Many experts think that the answer is no.
Oil & gas presents a tempting target for hackers, terrorists and nation states. As infrastructure becomes more networked and more computerized, oil & gas companies become more exposed to attacks that damage critical infrastructure or slow or halt production. "Hacktivists" may seek to disrupt operations to protest development or draw attention to a political agenda. Terrorists may have broader goals, such as crippling the economy of a petro-dependent nation or destabilizing an oil-producing region. Highly organized cyber-criminals are drawn to the personal and financial data held in large corporate databases, which they can capture and sell, and to corporate espionage. Nation states (e.g. Russia, China and Iran) continuously look for opportunities to quietly infiltrate critical infrastructure around the world so that, should a change in the geopolitical status quo call for a covert or overt attack, their cyber-warfare capabilities are already in place.
Cybersecurity researchers at Battelle have incorporated the National Institute of Standards and Technology (NIST) Cybersecurity Framework for Critical Infrastructure into a Battelle-developed Cybersecurity Return on Investment Model to help oil & gas executives quantify enterprise-wide risk and determine the appropriate level of cybersecurity to protect key lines of business and industrial operations. The NIST Cybersecurity Framework for Critical Infrastructure has three key elements:
- Core: A set of cybersecurity activities and desired outcomes, organized into the five Functions (Identify, Protect, Detect, Respond, Recover), that together form a continuous cycle for managing cyber risk.
- Implementation Tiers: Characterize how rigorously an organization's risk-management practices exhibit the traits the Framework describes, from Partial (Tier 1) to Adaptive (Tier 4). NIST notes that the Tiers are not maturity levels, but they give context for where a program stands today and where it should be.
- Profile: Aligns the Framework's outcomes with the organization's business needs, tolerance for risk and available resources; comparing a Current Profile with a Target Profile identifies the gaps to close.
The Battelle Cybersecurity Return on Investment Model takes the results of a fully applied and documented NIST Cybersecurity Framework and uses them to analyze an organization's existing cybersecurity architecture, de-conflicting overlapping layers of security products, processes and personnel activities. The re-aligned architecture lets organizations redirect limited cybersecurity budgets, re-deploying tools and people against the real and likely risks posed by potential adversaries rather than against redundant controls. The goal of this re-balancing is the best return on each cybersecurity budget dollar.
Cyber risk has become a hot topic in corporate boardrooms in the oil & gas industry over the last few years, especially in the wake of highly publicized attacks such as the 2012 "Shamoon" attack on Saudi Aramco and the Stuxnet attack on the industrial control systems of Iran's uranium enrichment program. In 2014, the National Association of Corporate Directors (NACD) issued "Cyber-Risk Oversight" guidance as part of its Director's Handbook Series to over 30,000 of its members. The handbook sets out five principles that every corporate board should consider as it seeks to strengthen its oversight of cyber risk. The Cybersecurity Framework can help board members and CISOs demonstrate that they are exercising "due care" against cyber risks and meeting their fiduciary obligations to customers and shareholders.
The integration of the NIST Cybersecurity Framework, the Battelle Cybersecurity ROI Model and the NACD's "Cyber-Risk Oversight" guidance was developed by Battelle cybersecurity researchers Brian Schulz and Kevin Stoffell. Mr. Schulz is an internationally recognized expert in cybersecurity standards, policy and risk management with over 25 years of program and technical leadership experience. He is the Technical Director of Cyber Architecture and Advisory Services in Battelle's Cyber Innovation Unit. He will present the integration of the framework, model and guidance at the American Petroleum Institute Cybersecurity Conference and Expo in Houston this November. Kevin Stoffell is a nationally recognized cybersecurity architecture expert with over 18 years of experience in information systems operations and information systems security in academic, military and commercial environments. He will present the Battelle Cybersecurity ROI Model at the same conference.