Technology: People vs. processes

With the constant emergence of new technology, sometimes employees get left behind. If companies don’t address this, they might pay a price higher than anticipated.  

Over the past decade, the oil and gas industry has invested billions of dollars in new technologies in what seems to be a steady shift from physical to digital oilfields. As a result, processes and procedures have become more automated, meaning certain jobs do not require people to do them anymore.

Most automation advocates say this will help companies achieve higher production, more efficient operations and better connectivity between the office and the field. Going digital, however, holds its own set of challenges and one of them is making companies more susceptible to security threats.

The vast amount of data generated through automated processes and procedures makes for an easy target. Ensuring this data is secure and protected is something that oil and gas executives need to take seriously.

While most companies in the region conduct some level of training or awareness around security, it is largely not enough.

A recent survey by PwC found that just 51% of the respondents have a security awareness and training programme, down from 60% in the year before. Fayad says the primary mistake companies make is not including staff at all levels as part of their cyber security strategy.

Dr Walid R. Fayad, executive vice president at Booz Allen Hamilton, is of the opinion that cyber security has taken a back seat at many organisations as it is mistakenly seen as an impediment to efficiency and operational productivity. Energy companies should approach cyber security not only through software, technology and tools, but also through people and processes, he says.

“Recent statistical data has demonstrated that some 80% of malicious code requires human interaction to enable its operation. Phishing attempts, watering hole attacks, rogue media devices, all play a role in the adversarial attempts to bypass the sophisticated security guarding the information systems and industrial systems.

“Employees provide that first line of defence in preventing malware from entering the environment. Even completely air-gapped systems, save the human machine interfaces in a processing facility with no external connectivity, can be compromised by poor media management, and have detrimental effects,” he added, giving the Stuxnet virus as a most common example.

“Your business is only as cyber-strong as your weakest link,” Asaph Schulman, vice president of marketing at Checkmarx, told Business News Daily.

“Making sure all of your employees are on the same page through group discussions or a clear-cut list of guidelines about the company’s cyber security policies is key to fortifying your business and protecting your assets. Any device or app that accesses any company data is a potential cyber threat to your business. Make sure all your employees understand that and know how to protect [those devices and apps].”

Justin Lowe, energy cyber security expert at PA Consulting Group, thinks that employees can sometimes pose the biggest risk to a company’s security, which often proves the hardest to address. That is why training of personnel across all levels of the organisation should top every company’s to-do list.

Traditionally, security training is assigned to the IT department and focuses on more general business systems, Lowe said. More recently, however, companies have come to appreciate the importance of individual upskilling.

“The key message here is to make sure that the right training is developed and that is having some sort of skills framework, which means understanding what types of skills different personnel will need to have. You tend to find the people that understand security aren’t necessarily the best people to communicate the risks.

“Security is an area where you can end up talking lots of technical obscure concepts that actually turn people off rather than actually help them understand what the issues are,” said Lowe.

To create better cyber security awareness within their companies, employers should have a top-to-bottom strategy.

“It is fundamental for training and awareness specialists to be working with business leaders to be able to articulate and communicate those risks to the rest of the employees.

“The central people that everyone talks to need to be able to speak with external specialists or government representatives because it can be very difficult to understand exactly what is going on out there in the wild, what the latest threats are and how to respond to those,” Lowe said.

According to Fayad, cyber security training and awareness need more than just token adherence to basic awareness principles.

“Empowering staff to be part of the solution means also taking the time to educate them, at appropriate levels to the threats, risks, and actions that they can take to be part of the solution rather than a source of a cyber security breach and potential disaster,” said Fayad.

The specialist from Booz Allen Hamilton claims that software security at all stages from development, implementation and management to decommissioning requires a well thought-out and established strategy that aligns to corporate and industry standards.

“Oftentimes staff and management charged with development, implementation, and management of software platforms look at security as a hindrance to meeting deadlines or take the approach that security can be added later.

“Not only does this perspective create cost and resource issues to fix flaws later on in the lifecycle of the software, but it additionally can add to the potential for malware and malicious code to exploit the flaws in the configuration and design. This can lead to system downtime, which can result in billions of dollars of lost revenue in the energy sector, or the loss and theft of vital company and/or personal data,” Fayad explained.

To avoid this, executives should stop seeing security software as just another computer programme and instead treat it as a complementary element of their overall safety strategy.

“Software security best practices and methodologies play an increasingly important role in ensuring the energy sector maintains a secure and safe operational environment. With the threats to the energy sector looking for soft targets, poorly configured software without a strong security development process could spell disaster in terms of financial ramifications, environmental, or even loss of life,” warns Fayad.

“Recent examples of energy companies being compromised, including large regional energy companies in the Gulf as well as Europe and the Americas, demonstrate the persistence of criminal enterprises and rogue states in obtaining vital information from energy companies.”

Fayad says industrial espionage can range from ransoming the data or selling it to competitors to using it to cause real-world physical damage to industrial systems.

“Sometimes the value of data or information systems is quite obvious, as is the case with industrial systems supporting production environments, or seismic data and reservoir and production data. In other cases single pieces of information can seem less vital. To the sophisticated adversary though it’s all digital gold.”

Cyber attackers also use jigsaw espionage, where small pieces of information are collected, to construct a whole picture of a company’s operations and management and use this knowledge to cause harm.

“Recent examples of breaches at many world-wide companies in IT, finance, and telecommunications demonstrate the potential loss of revenues that even a minor breach can result in. The energy sector is also beginning to feel the impact from data breaches, and as the sector continues to emerge as a primary target for bad actors, the likelihood of a major incident will only increase,” he added.

However, in the rising frenzy of cyber attacks against oil and gas companies, leaders do not always appear to be making the right decisions.

“Often I find people jump to security solutions. They know there is a risk so they tend to buy the latest piece of software or the latest gadget. Usually, that is not the best return on investment and it is not necessarily a dramatic improvement. For example, data loss prevention software is great but can be very difficult to configure correctly and therefore to get working properly without impacting the normal business operations.

“We often find that people who jump into security solutions are not actually sitting back and thinking how to use their existing technology and do something better with their operating procedures; or just increase their awareness and get people to understand what they need to do rather than jump into a technology solution,” said Lowe.

“The days of air-gapped and siloed networks and systems are quickly coming to a close and the new ways of working where mobile data, cloud technologies, and integrated operations are quickly changing the traditional approaches to data security,” said Fayad.

“To secure the future of energy production, companies in the Gulf region and around the world will need to take a multi-faceted and dynamic approach,” he added.

“The promise that digitally enabled and advanced energy production holds, along with potential to capitalise on advances in cloud computing, big data, and analytics are going to continue to drive the energy revolution that we are currently seeing in the world. But only the companies that realise that their greatest assets, their people, hold the key to advancing the energy revolution, will find themselves at the head of the game,” Fayad said.

Instead of fighting the trends or eschewing the challenges, companies will simply need to embrace and adapt. Only then will they be able to reap the fruits of their hard work, he added.

“The historical focus on technology and software to provide security will also need to evolve to include the broader and more complete understanding of how people and process work hand-in-hand with technology to ensure the confidentiality, integrity, and availability of the most vital systems in the energy market and securing the future of oil and gas as a cornerstone of the economy of the Gulf.”
