The recent ransomware attack on Colonial Pipeline in the US points to an alarming rise of cyberattacks on critical infrastructure. According to the World Economic Forum’s 2021 Global Risks Report, cybersecurity failures are among the top mid-term threats facing the world.
The Covid-19 pandemic resulted in the exponential rise of remote work culture across all sectors including oil and gas. It also exposed the sector to cybersecurity risks at an operational and enterprise level.
According to Maher Jadallah, Regional Director Middle East at Tenable, attackers thrive during times of uncertainty and 2020 has given them plenty to target. However, when introducing any new working practice, such as remote working, it is critical to do so securely. Organisations need to think through how this changes the threat landscape and introduce controls to limit or address this risk, he adds.
The oil and gas industry is one of the most powerful financial sectors in the world, says Rajesh Ganesan, Vice President at ManageEngine. Its importance in both national and global economies has made the industry a high-value target for cybercrime. Threats like cryptojacking, nation-state attacks, attacks on smart devices, advanced phishing and ransomware attacks are currently some of the biggest threats the industry faces, he adds.
Michel Huffaker, Director of Threat Intelligence at ThreatQuotient, believes that the oil and gas sector has always faced significant cyberthreats: nation states interested in strategic energy stores, criminals seeking significant payouts for ransomware, and hacktivists looking to make a political or personal statement, among many others.
According to John Shier, Sr Research Scientist at Sophos, the obvious global concern is ransomware, which is equally true for oil and gas companies. Unfortunately, ransomware is often a symptom of an underlying security weakness. The reasons for ransomware’s success are varied and speak to a broader set of causes. We find ourselves in a world where many cybercriminals have specialised and offer their unique services to others.
There has been an acceleration of digitalisation recently, and in the coming years this will only expand. This poses challenges to cybersecurity as more data is created, stored and utilised, and as more systems and processes within facilities become automated and online.
Shier says that digital transformation means that you are taking analog or manual processes and digitising or automating them. This naturally means that some or all the old processes will have a new digital dimension. These new processes may require additional technologies that are not already present in the organisation. As such, security needs will have to address these new processes and provide mitigations for a set of threats that may not have existed previously, he adds.
Jadallah says that things to consider include controlling access to data, both in storage and in transit, and utilising endpoint protection on devices that are being used to access corporate data. Organisations should look to scan devices and applications to ensure that the latest software version is being used, as this will reduce exposure to vulnerabilities attackers typically target.
Huffaker and Jadallah believe that Middle East companies are taking their cybersecurity seriously. Huffaker says that the Middle East, like all other regions, is playing catch-up, to some degree. Companies have policies and business goals and ethics to guide their decisions, but they move much slower than the cyber criminals and spies. In her opinion, the cybersecurity maturity trajectory in the region has enjoyed unmatched growth over the last decade.
Jadallah says that at a time when organisations worldwide are facing a potentially lengthy period of economic uncertainty, it becomes more critical than ever to prioritise investments based on risk. There is also a clear operational benefit to be gained from performing risk management exercises which can serve as a bridge between the business and the infosec sides of the organisation. He believes that what is revealed in the process will help the entire organisation understand how to best prioritise resources to keep the business running even during a crisis.
Ganesan says that the relatively high concentration of oil and gas companies in the GCC region makes them an exclusive target for hackers like organised ransomware groups. As chief executives of organisations in the region become highly concerned about cybersecurity, a further rise in the adoption of endpoint protection solutions is expected, and security tools with data analytics will also remain important, he adds.
Huffaker stresses that it is important to educate your workforce on good cyber hygiene. She says employees should not just be trained in phishing awareness and password management; organisations must also create internal systems that support low- or no-friction implementation of that training.
Each vendor has its own products and solutions to help companies improve their cybersecurity posture. Huffaker adds that it is also critical to implement systems with threat intelligence-based strategy in mind. To do this, you must understand three main things: what you are protecting, how you are protecting it, and who is after what you are protecting. This understanding can only come from the melding of internal data and information with external threat intelligence. The ThreatQ threat intelligence platform, backed by its professional services, can bring this all together for organisations of any scale without reinventing their workflows.
Tenable’s cyber exposure management solutions enable organisations to take a holistic view of their infrastructure (from cloud environments to operational technologies, infrastructure to containers, and remote workers to modern web apps) to identify those assets and systems that are critical to function, determine which vulnerabilities exist within these core areas that are being actively exploited, and update these systems to fix those flaws first.
Jadallah says that in tandem, focus must also be placed on securing accounts, employees, service contractors, temporary workers, systems accounts and others and their access to and permissions across systems. This allows security teams to focus efforts on what matters most.
Shier remarks that doing security right is difficult and that is why there is no silver bullet in security. A good start, however, is building a solid security foundation. This includes having the right people, processes, and tools in place to give you a fighting chance.
He adds that a robust security culture ensures everyone is on duty when it comes to protecting the enterprise. Clear, easy-to-follow, and conservative processes will prevent simple mistakes from harming your business. Using the very latest prevention and protection technologies will defend your organisation against attackers when the first two fail. Taken together, these three are just a starting point on the never-ending road to a mature security program.
Sophos helps companies fight cybercrime in a few ways. First, it provides companies with products that prevent threats and unwanted software from infecting their devices and networks. Next, it provides a managed service like Sophos Managed Threat Response (MTR), which continuously monitors customer environments for those that do not have a security team, and a Rapid Response team to help companies that find themselves under active attack. Lastly, it provides insight into current threats and adversary tactics, and advice on how best to protect yourself, through its various outreach channels.
Jadallah concludes by saying that the remote working hybrid model is likely to continue for the foreseeable future in 2021, and possibly beyond. This shift to a remote, distributed workforce has led to a higher volume of critical and confidential information being transmitted electronically. Security leaders must ensure that their strategies are in lockstep with business priorities and can effectively communicate the security programme to business asset owners.
The pandemic situation has not only encouraged all organisations to deploy technologies to keep their operations running but has also driven CIOs to be more proactive in ensuring data security by better monitoring their endpoints. Acknowledging the heightened risks, organisations have now started reassessing their budget allocations and increasing their investment in IT security, concludes Ganesan.
The pandemic has reshaped the oil and gas sector, especially in its move to a remote work culture, thereby opening cybersecurity gaps in critical infrastructure.