by Karen Boman, Senior Editor
The average number of detected cybersecurity incidents and estimated total financial losses related to these attacks declined from 2013 to 2014. But many oil and gas companies have yet to deploy up-to-date monitoring and threat-detection processes and technologies, according to a recent survey by PwC.
In 2014, the average number of detected security incidents, or adverse incidents threatening some aspect of computer security, totaled 5,493, down from 6,511 in 2013, the survey of oil and gas companies found. Estimated total financial losses associated with these attacks were $4 million per incident in 2014, down 35 percent from the $6.1 million per incident in 2013, according to PwC’s report “The Global State of Information Security Survey (GSISS) 2015”.
PwC said the decline might be due to companies deploying technologies that can detect intrusions before they can do financial harm. One explanation for the seemingly counter-intuitive finding is that oil and gas companies increased security spending by 32 percent in 2013, which may have allowed them to implement solutions and processes to help prevent attacks.
“What’s more, as businesses deploy monitoring and logging technologies they will detect more incidents that are benign, which may lead some organizations to discount them as security threats,” said Jim Guinn, managing director of PwC’s Advisory practice, in a statement.
PwC also attributed the drop in detected incidents to the timing and cyclical nature of cyber attacks. After being relatively inactive until June, several large-scale coordinated attacks were announced. The firm expects a spike in detected incidents next year.
Spending on information security measures by oil and gas companies rose, from an average annual information security budget of $5 million in 2013 to $5.7 million in 2014. Information security spending as a percentage of oil and gas IT budgets also grew from $3.3 million in 2013 to $3.9 million in 2014, according to the report.
Despite the declines in the overall number of detected incidents and associated costs and rise in cybersecurity spending, one-third of oil and gas companies surveyed said they did not have an incident management response process in place. PwC found that not only should a plan be in place, but it also must be exercised on an annual basis using tabletop scenarios so that cyber-response professionals are comfortable with the plan and know how to execute it when an event occurs.
The number of cybersecurity incidents caused by current employees rose from 26 percent in 2013 to 48 percent in 2014, the survey found, and could have critical implications for oil and gas companies. This is partly due to employees becoming pawns of external threat actors, who use spear phishing to steal the credentials of employees with privileged access to data and networks, then use the information to infiltrate the company’s network.
But managing insider threats takes not only technology but also training workers to be aware of suspicious behavior and risk indicators. PwC said it was “troubling” to find that the number of companies that have an employee training and awareness program declined significantly from 54 percent in 2013 to 45 percent in 2014. PwC also noted that 35 percent of companies surveyed don’t perform personnel background checks, a very basic precaution. Tools to manage insider threats are often lacking, with the usage of most types of tools declining from 2013 to 2014.
Oil and gas companies also are falling short on training workers to become more aware of cyber threats. Companies need to treat cybersecurity as an operational imperative as they do with health, human and safety programs, said Guinn.
“Having personally worked offshore, I know that energy companies invest a lot in capital in training their staff on what to do in an actual emergency, and cybersecurity should be no different.”
The number of attacks launched by former employees against companies grew slightly from 27 percent to 29 percent. The number of cyber attacks from competitors also rose from 15 percent in 2013 to 25 percent in 2014, as did cyber attacks launched by current service providers, consultants and contractors, from 16 percent in 2013 to 21 percent in 2014.
Cyber criminals are targeting oil and gas companies to steal intellectual property, sabotage websites, hurt corporate reputations, and disrupt production. Over the past 12 months, the number of assaults on oil and gas companies has risen, including the state-sponsored cyber-espionage campaign known as Dragonfly or Energetic Bear, which infected industrial control systems of thousands of organizations across North America, Asia, and Europe.
Cyber attacks have not yet impacted production capabilities, but the situation is changing as these attacks become progressively more malicious, sophisticated, and hard to detect.
“Clearly, it’s no longer possible to protect all data, networks, and applications at the highest level,” said Guinn. “But a proactive cybersecurity program that enables businesses to prioritize protection and more quickly react to attacks is the best defense against today’s adversaries.”
The oil and gas industry faces an increased cybersecurity risk as the rising use of digital oilfield technology expands the attack surface, PwC reported. This sensor-based remote field equipment, which connects to operational and IT systems, contains embedded computer devices and operating systems that are generally not controlled with the same rigor as corporate IT systems, and typically lack built-in security safeguards. As a result, 15 percent of survey respondents said that, in 2014, their embedded systems were exploited, and 13 percent reported that operational systems were compromised.
Oil and gas companies surveyed do appear to be addressing this risk, with 42 percent of respondents saying they have a security strategy for the convergence of technologies, and an additional 25 percent saying they are implementing a strategy.
Oil and gas companies surveyed saw foreign nation-states and current employees as the fastest growing sources of cybersecurity incidents. The number of survey respondents who cited foreign nation-states as a source of incidents rose 108 percent in 2014. Nation-states are keenly interested in oil and gas company intellectual property, such as drilling techniques, oil and gas findings, refinery engineering information, and merger and acquisition plans, and the survey found that only 50 percent of survey respondents to protect this property.
How the recent drop in oil prices could impact spending on cybersecurity remains to be seen. But the merger and acquisition activity that could result from the downturn could put at risk companies that do not adequately assess the security practices of target companies. Cyber adversaries may infiltrate smaller or distressed acquisition targets that presumably have less-mature security programs via third-party vendors, then wait for the target to be acquired by a larger organization.
“When the organizations’ information systems are integrated, the threat actors may attempt to access the networks of the acquiring firms and exfiltrate trade secrets, M&A data, and other valuable information.”
Of the companies surveyed, 54 percent said they conducted compliance audits of third parties that handle personal data of customers and employees, while 55 percent said they perform risk assessments on third-party vendors.