It's a provocative reality, to say the least. Of all U.S. industries, the energy industry ranks second-highest in vulnerability to cyber attack.
"People need to know that someone might want to come in and grab some of their goodies from time to time," said Zach Tudor, associate laboratory director of national and homeland security for Idaho National Laboratory. "I hear people across the infrastructure say, 'Oh, they would never attack us.' We call these things 'outsider awakenings' -- when somebody realizes, 'Oh yeah, I might actually be a target.'"
Addressing delegates to the 12th Annual Cybersecurity Conference for the Oil and Natural Gas Industry, held recently in The Woodlands, Texas, Tudor noted that infrastructure control-system security is lagging critically behind the evolving threat and its potential consequences.
"Hacking is a commodity, and effective intrusion detection is absent," Tudor said, adding that best practices are inadequate and that updates can be a source of malware.
Issues most significant to protecting critical infrastructure, Tudor said, include public and private collaboration, information sharing, resilient systems, interoperability and integration, increased autonomy, risk acceptance and management, cyber insurance, legacy infrastructure, systems engineering, and government roles and responsibilities.
"Public and private collaborations mean working with asset owners and vendors and with the government internationally," Tudor said. "Building that international community and building the trust between government and industry is really key. Our local power companies, our universities -- we all have to work together to solve these problems."
Tudor said it is incumbent upon industry in general, and the oil and gas industry specifically, to redefine the approach to cybersecurity in critical infrastructure.
"And not just critical infrastructure, but everything," Tudor continued. "We understand that there's no such thing as perfect security. We're not going to be able to keep everybody out. But we need to determine how we're going to operate when under attack: How do we respond when we've been attacked, and how do we recover? All of those things are about resilience."
The power of resilience
Tudor emphasized the necessity of industry stakeholders understanding more about resilience.
"How do we come together to be resilient as a whole and not just as individuals?" he queried. "When it comes to protection, experts are moving toward redundancy and resiliency because incidents are a matter of 'when,' not 'if.'"
Integrators, Tudor said, are essential to protecting all environments.
"Use your own best practices, and make sure your customers are using those best practices," Tudor said. "Understand where to get better information on how to spend limited dollars and resources on cybersecurity to get the best bang for the buck. Then let the utilities and government understand those problems and share the information, and distill it into something that is actionable intelligence and procedures. Do the basics well, and assimilate the information that comes to you."
Tudor recommended industry leaders "get good at the basic blocking and tackling" of cybersecurity.
"Let's just face it," he said. "So many of the successful attacks that we've seen have been not from advance system threats."
The good news, Tudor said, is that new, useful methodologies are being researched and introduced to counteract cyber attacks.
"There are people coming together who are working in the government and in industry to make these things better," Tudor concluded. "So I am hopeful. We know that there's a lot to do. The adversaries are relentless, so we have to be relentless as well."