From: The Data Center Journal

marcus evans

As has been widely reported, cyber threats to the oil and gas industry continue to increase in number and sophistication. Main threats involve cyber espionage and the insecurity of networked control systems. Industry-specific collaboration is needed to develop the security practices that are so critical to the future of the oil and gas industry.

The marcus evans Oil & Gas Cyber Security Conference will focus on improving security awareness, protecting intellectual property and sensitive information, securing networked ICS & SCADA systems, developing an incident response plan, and determining the direction of future cyber threats and security.

Frank Grace, Lead Cyber Security Analyst at Tesoro, answered a series of questions provided by marcus evans. The responses below strictly reflect the views and beliefs of Frank Grace and not necessarily those of Tesoro.

marcus evans: What would you consider the defining attributes of the cyber threat landscape that the oil and gas industry is currently facing?

FG: Of primary concern to our industry, as well as several government-run agencies, is the critical infrastructure that facilitates production and consequently a significant amount of commerce. Not only are cyber threats to this infrastructure a constant factor, but a single strategic breach in this area could mean significant loss of life and severe damage to production facilities and, in some instances, public and private, citizen-owned property.

For these reasons, much of my effort during the past 5+ years has been focused on many initiatives designed to achieve the following:

  1. Hide critical infrastructure from prying eyes
  2. Completely isolate it from access that could be controlled by malicious insiders or external entities
  3. Put in place measures designed to thwart, document, and automatically notify appropriate personnel about any effort to perform reconnaissance on, access, control or modify such infrastructure

Of secondary concern are threats to the retail portion of the business, some of which may be addressed with the initiatives mentioned.

marcus evans: What trends in cyber threats and security do you expect to see in the future? Why?

FG: With regard to cyber threats, I am beginning to see more overt efforts by the “bad guys” to leverage personal and public information in an attempt to minimize the amount of time and effort required to successfully breach an environment.

In my opinion, there may be some elements out there that must in some way feel as if they are “untouchable” by law enforcement and/or authorities because I am seeing more easily detectable attempts to gather personal, private information in order to gain unauthorized access to resources that the target(s) of such attempts may have the ability to control, view and modify.

What these elements do not realize is that there are individuals such as myself and others who will persist at stopping them until one of two things happens:

  1. The responsible individuals or groups are identified, apprehended and brought to justice
  2. The person(s) in charge of protecting targets are no longer living

With regard to security, I expect to see more companies investing in countermeasures designed to protect key human resources not only while on the job, but while at home or on the road. Forward-thinking companies such as one of my former employers (Rackspace Managed Hosting) have been doing this for years, but it is now being adopted by more of private industry due to, in my opinion, the recent increase in publicity given to cyber security and social media.

marcus evans: What are the key components to a successful information assurance program?

FG: There are three key elements of a successful information assurance program: security awareness, threat management and periodic assessments.

marcus evans: In your opinion, what are the most important factors to consider when constructing an incident-response plan?

FG: In my opinion, the single most important thing to consider before constructing a plan is who to place on the company’s incident-response team.

For any plan to work, the core team should be made up of well-rounded, seasoned individuals who respect and are committed to helping one another. They need to be friends, ideally close ones who have significant shared history.

In addition, each individual on the team needs to have consistently displayed an above-average sense of ownership in ambiguous situations. You want your team to jump in and confidently take the appropriate actions required to mitigate, track and collect intelligence on threats they encounter on a continuous basis, regardless of whether or not it is in their job description or whose responsibility it is.

Finally, each team member should be passionate about protecting people and assets against threats, and have a history of going above and beyond the call of duty as a responder.

The second most important thing to consider is access and accounting. If the team does not have fully logged, encrypted and backed-up access to systems, networks, databases and the tools necessary to manage them, then building an effective response team will be an uphill battle at best.

Once you have these two essential prerequisites, the often lengthy, painstaking process of designing and building an effective incident-response program may begin.