Data Security Alarms Should Be Sounding for Oil and Gas

By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

 

 

 

Oil and gas industry executives don’t need to see a new Wikileaks story about secret CIA hacking tools or hear more about the electronic penetration of presidential campaigns to understand the seriousness of a potential digital hack to their operations.

But it’s a large step from knowing a risk exists to being ready for it. Achieving confidence in the ability to manage such risk can involve substantial new investments and operational adjustments, even for an industry accustomed to meeting regulatory, operational and market challenges.

Protiviti’s recently released 2017 Security and Privacy Survey indicates that oil and gas companies are facing their cybersecurity challenges in ways similar to other industries. The survey’s main findings include:

  • Nearly one in five companies cannot confidently identify or locate their “crown jewels,” or most valuable data assets, because they lack an effective enterprisewide data classification scheme and policies.
  • How well companies manage their vendors’ security practices marks a notable difference between top security performers and the rest.
  • Companies with a high level of board engagement in information security issues rate considerably higher than those without such involvement in nearly all facets of information security best practices. These companies also report a higher level of confidence in their ability to prevent an opportunistic data breach.

These findings largely correspond to what we have seen among our own energy clients. One difference we have noticed, however, is that energy companies tend to have little to no formal documentation on testing of security incident response plans, compared to other industries. This could mean that energy executives have not substantiated a basis for the same level of breach-prevention preparedness as some other industries. I would argue that as a critical infrastructure, they should.

Although Protiviti energy clients indicate they are committed to security, we see about the same 38-percent level of compliance with implementation of the five core information security policies identified in the Protiviti survey: acceptable use, records retention/destruction, data encryption, information security, and social media policies.

In addition, energy companies, specifically those in exploration and production (E&P), have been hesitant to invest in tools to identify where their “crown jewels” are stored, apparently on the basis that many do not feel their company is much at risk because it does not retain much sensitive data. However, many common processes at E&P companies (i.e., escheat and royalty owner payments) do involve sensitive information protected by state privacy laws (e.g., individual tax ID numbers are actually Social Security numbers). Further, company confidential information, such as reservoir data, land acquisition data, and merger and acquisition activity, would be considered data that requires identification and protection. Very commonly, even where these processes are mostly manual, this information is digitized (e.g., scanned documents) or entered into a system. If the company does not know what data exists and where, it will have a difficult time protecting it.

Energy executives and boards would be wise to ask themselves some worst case scenario questions and know the answers now rather than having to discover them under fire later:

  • If our data assets were compromised, could they be reconstructed, and how long would it take?
  • If field operations were disrupted by an attack on the operational control system, how much revenue would be lost per week? Per month?
  • If competitors or counter-parties were able to learn confidential details of our strategies and plans, where would our company be most vulnerable?

The bottom line is that what you don’t know, such as where your critical data is, can, and eventually will, hurt you. With all issues of cybersecurity, it’s only a matter of time.

Alyssa Brister and Luis Castillo from Protiviti’s Technology Consulting practice contributed to this post.

Will Hiring Hackers Help Energy’s Cybersecurity Efforts?

 

Tyler Chase

cal-slempBy Tyler Chase, Managing Director
Energy and Utilities Industry Leader

and Cal Slemp, Managing Director
IT Security and Privacy Practice Leader

 

The chief cybersecurity engineer for a major industrial process company advocated not long ago that oil and gas companies hire hackers to improve their cybersecurity defenses. At an annual European-Middle East-Africa user group conference in The Hague last October, Eric Knapp urged attendees to drop their negative perceptions and put hackers to work on their teams.

Knapp’s advice followed a presentation of survey findings stating that 82 percent of oil and gas industry respondents have experienced an increase in successful cyberattacks over the past 12 months. Executives of European petrochemical companies SARAS and SABIC estimated that cyberattacks cost businesses up to $400 billion per year.

Several weeks earlier, the World Energy Council (WEC) issued a report that, among other conclusions, found that the demand for cyber specialists is growing twice as fast as for all other IT jobs. The WEC cited research linking recent high-profile security breaches to a shortage of almost one million skilled cybersecurity professionals.

Our perspective:

The idea of leveraging “hackers” needs to be put into context. Many organizations have resources (internally or through consulting firms) who mimic the activity that various types of real hackers execute to illegally break into a company’s IT infrastructure. These “white hat” penetration testers are excellent at testing infrastructures, applications, networks and databases. The use of trained personnel who act as hackers but have written agreements and rules of engagement can make a lot of sense for an organization and is worth considering.

However, cybersecurity, much like other strategic initiatives, cannot be addressed with technology resources or tools alone. It requires a joint effort among departments and employees of all levels. In the same way that police cannot solve all crimes by themselves (despite being the “experts”), cybersecurity professionals need the knowledge and assistance of everyone in the organization. Employees who have been educated on matters of cybersecurity become empowered and thus an extension of the security program.

Finding the similarities between cyber risks and existing risks (e.g., safety) can help translate this subject to nontechnical resources. Many of the lessons learned with regard to overall risk management through more traditional departments, such as internal audit or compliance, can be applied to cybersecurity. Sharing data points that are already being collected by these departments can add value to analyzing security threats. At an even higher level, sharing information across the industry in cyber intelligence groups (CIGs) can allow firms to collaborate on specific threats and solutions, and share data that can add value to their overall threat analyses.

Is hiring “hackers” the answer to the cybersecurity challenge? It’s not quite that simple. White hat hackers certainly have a key skill set organizations need to face the growing threat of cyber crime, but the ultimate success of an organization lies in how well the leadership empowers the overall enterprise to combat cyber risks together.

Luis Castillo of Protiviti Technology Consulting contributed to the development of this content.

 

Fewer Oil Companies Are on the Edge of Bankruptcy — Is This Really Good News?

In this Industry Perspective series, we offer the views of Protiviti leaders on developments and news in specific industries. The perspective below focuses on Energy & Utilities.

 

Tyler Chase

robert-patrickBy Tyler Chase, Managing Director, Energy and Utilities Industry
and Robert L. Patrick, Director, Corporate Restructuring and Recovery

 

 

A recent update from Debtwire states that 135 oil companies headed for bankruptcy is good news compared to the 180 companies that were on the Debtwire list in January. According to the article, oil prices have recovered from their lows around $26 a barrel and are now hovering around $50, which has helped some companies stabilize. Most of the companies on Debtwire’s list have already eliminated jobs and closed plants, so the industry appears to have hit bottom, the article claims.

Our perspective:

It may be prudent for oil company management teams and investors to hold back on optimism-based strategies for the present time.

Oil market fundamentals and the U.S. economic outlook portend, at best, flat results for the foreseeable future. That said, and as crazy as it might sound, the energy industry was the highest performing industry in 2016, so those that have had positions in energy stocks have benefitted. However, investors who are willing to accept the oil market- and company-specific dangers inherent in placing capital into distressed oil and gas companies should not be looking for immediate returns in 2017.

Those who have been waiting for the industry to “hit bottom” before pulling the trigger on new investments, acquisitions or expansions might want to add this decreased trend of bankruptcies to other recent optimistic news (for example, an energy-friendly federal administration, oil stabilizing around $50/bbl, OPEC cutting production) as an indicator that the industry is headed in the right direction.

Bottom line: Even if a lower number of oil companies appear to be headed for bankruptcy, the industry’s stress is likely to continue and companies will need to continue to strengthen their profit-and-loss monitoring and forecasting, risk management analysis, and strategic planning processes.