Cybersecurity: Upstream risk mitigation starts with cybersecurity

From an often-ignored IT technicality, to a boardroom priority, the role of cybersecurity has shifted dramatically for energy companies in the last decade. For years, cybercrime targeting the oil industry has robbed CISOs and their security teams of business-critical resources, holding multinational corporations hostage as hackers demand millions of dollars in ransom. 

The Stuxnet incident of 2012 famously hit major U.S. oil companies, such as Chevron, ExxonMobil and Shell, as hackers targeted bid data, project plans and financial information. The Colonial Pipeline ransomware attack of May 2021 also saw an East Coast gas vector pay roughly $5 million to extortionists to recover its stolen data and allow its fuel to flow again. 

The O&G sector is not new to the idea of cyber-attacks. However, million-dollar pay-outs to hacker groups are only a fraction of the consequences of such an event. The reputational damage to a brand and the fallout of system downtime can put top-line growth at risk, denting share prices. 

Escalating geopolitical tensions have resulted in a 57% increase in attacks against the U.S.. Hacker groups are now using the same tactics against businesses in the U.S. and around the world, and with the exploration and production of oil growing to $4.3tr in size, protecting its assets is vital in a functioning society. 

Protecting the upstream industry. The upstream oil industry is making its way to the next level of digital evolution. Implementing the Internet of Things (IoT) and automation processes into its operational environment has ushered in time and cost savings, but similarly exposes infrastructure to a multitude of risks attached to oil exploration. 

Upstream oil companies use software programs to increase the efficiency of processes, such as accounting, land management and production operation. Sensitive assets, such as geospatial data, are stored on these programs, and if extorted, would be valuable information to sell to competitors. Alternatively, the hacking of IoT devices, such as sensors for valve monitoring, could be corrupted, causing potential safety concerns or delays in drilling. 

According to Deloitte, 42% of offshore facilities worldwide have been operational for over 15 years, with less than half of oil and gas companies using monitoring tools on their networks, Fig. 1. Of those companies, just 14% have fully operational security centers. A substantial proportion of O&G firms using legacy systems are not thoroughly testing their cybersecurity infrastructures in high-fidelity environments. This presents a fundamental risk to their business and a lack of preparation that is exposing the sector to malicious attacks. 

Fig. 1. Cybersecurity should be a priority for upstream organizations. Only half of offshore facilities, which have been operational for over 15 years, use monitoring tools on their networks. And only 14% have fully operational security centers.

The World Economic Forum recently listed cyberattacks as one of their top 10 risks over the next 10 years, alongside climate change, biodiversity loss and the cost-of-living crisis. This highlights critical infrastructure in the oil and gas industries as a primary safety concern. To counteract a threat landscape that is becoming more sophisticated each day, new cybersecurity technologies are looking to test, train and validate systems with increasing realism to mitigate the risk posed by cyber threats. 

Assessing the threat landscape. One of the many significant developments in the shifting geopolitical landscape over the last year has been the increased use of cyber-attacks as a tool of statecraft. Adversary states are now using their cyber capabilities to shift power dynamics between hackers and organizations to achieve their strategic objectives. Among the many reasons for state-based hackers targeting the industry, eliciting financial benefit and inflicting reputational damage are the main hallmarks of a seasoned hacking group. 

Ransomware and malware are the most popular ways to do this, posing existential threats to the oil industry, whether it is because oil companies do not have sufficient data and system backup procedures in place, or because of the agile and deadly nature of the techniques that enable it. U.S. President Joe Biden stated last year that “critical infrastructure owners and operators must accelerate efforts to lock their digital doors.” Consequently, exposing vulnerabilities before they can be exploited should be at the top of CEOs' minds when formulating a battle-ready cybersecurity strategy. 

Operationality of cyber ranges. The MIT Lincoln Laboratory, a research center of the U.S. Department of Defense, helped develop the first virtual testing environments known as cyber ranges. They were developed as a solution to maximize the realism of “red vs. blue” team training events. By practicing incident responses against actual attacks in a safe and isolated simulated network, permanent damage to networks can be avoided, Fig. 2. Most other practices are commonly viewed as inadequate for large, U.S. organizations at a heightened risk level. 

Fig. 2. Virtual testing environments enable computer scientists to practice incident responses against actual attacks to avoid permanent network damage.

Research from Surfshark shows the U.S. experiences the most data breaches of any country in the world. The U.S. Department of Defense recognized this and determined that to be effective at testing for network vulnerabilities against sophisticated adversaries, a simulated network would be needed. That simulation would become the cyber range and would act in a similar way to a live-fire rifle range. Teams could implement attacks as they would be done in the real world without concerns about causing permanent damage that comes with in-production testing. 

Simply put, MIT Lincoln Lab had developed systems that allowed for cyber live-fire exercises on an industrial scale for the first time, with the potential for experimenting with complex offensive and defensive techniques. Additionally, the high-fidelity nature of cyber ranges and non-scripted attack scenarios, conducting three years of cyber-attacks within a space of 24-hours meant it was possible to rigorously test and expose human vulnerabilities. 

These efforts were fruitful, as the lab was able to deploy its cyber range capabilities to nearly 100 laboratories, primarily supporting classified development projects for military and intelligence agencies. In addition to providing a safe and secure environment for testing and training, these cyber ranges also allowed the U.S. government to gain a preview into the latest cyber warfare capabilities being developed by the U.S., giving them a significant advantage against attackers. 

Defensive overhaul. The development of cyber ranges at MIT Lincoln Laboratory has been an important part of the U.S. government's efforts to stay ahead of emerging cyber threats while seeking to maintain its leadership status in the field of cyber warfare. 

Today, these same capabilities are now being made available to private infrastructure like oil and gas conglomerates, attractive to hackers due to the lucrative nature of the industry. Expanding the availability of high-fidelity cyber ranges to the private sector is predominantly a response to current threats, given the close relationship between the cybersecurity preparedness of the upstream oil sector and greater national security.  

As cyber threats transcend geographical borders, companies around the world are embracing simulated environments as a means to appropriately safeguard against the sophisticated threats of the future. Across the U.S. and around the world, government departments and critical infrastructure organizations have been testing their cybersecurity infrastructure in light of a cyber threat that has reached critical mass, with the UK Army recently conducting the largest military-led, live-fire cyber exercise in Western Europe. 

Benefit to businesses. There are several reasons why critical infrastructure organizations are implementing mil-spec cyber ranges. Because of the guaranteed-safe nature of its environment, companies can safely practice responding to cyber threats without the risk of damaging their actual systems or data. Additionally, cyber ranges are able to reduce adversary ‘stay time’ as they dwell dormant on a system. Hackers successful at this have the ability to move laterally throughout a network, potentially moving throughout the oil and gas value chain. 

In upstream oil activity, the only constant is change, which means the customization of a cybersecurity platform is required to meet the specific needs of an organization. For example, a company may want to simulate a cyber-attack that targets a particular part of a network, or one that uses a specific exfiltration technique targeted at exposing data. Military-grade cyber ranges can be configured to mimic the threat, allowing companies to test their defenses and identify any weaknesses that need to be addressed. 

Consequently, what is particularly attractive to companies about cyber ranges is the ability to safely practice and improve their cyber defense skills, customize training and testing to meet their specific needs, and stay ahead of emerging cyber threats. All the while, the range can be continually run to reveal and remove all possible vulnerabilities.  

Not only will cyber defenses that are tested and validated provide peace of mind to CEOs and their boards, but this proves to stakeholders and investors that their organization is prepared to operate under emergency conditions, should they arise. Best practice cybersecurity in 2023 can be reduced to four effective steps: 

1. Performing exercises aimed at reviewing your current breach and disclosure processes, in order to understand the gaps within an organization’s defense systems. 
2. Conducting live-fire, cyber range exercises to establish new benchmarks for success, aligning an organization’s people, processes and technology. From this, a dashboard can be established to track performance. 
3. Based on the results of the range exercise, organizations then need to start a program of continuous security improvements that would include updating their processes, training their teams, and optimizing their security stack. 
4. Developing a regular cadence of communication across leadership teams that can provide security and risk reviews for all new business initiatives and third-party programs, ensuring an end-to-end security mindset. 
5. Financial optimization and risk control are at the heart of an oil company’s mission. But in a world where new tools are released every day, it is increasingly difficult for CEOs to determine what specific measures will work to improve their security stack.  

Upgrades required. To gain the cyber preparedness needed to safeguard these growth factors, enlisting the technology of simulation spaces like cyber ranges can allow large companies to build scalable, flexible cyber environments to answer questions like, how might the latest attacks affect the security of my value chain? Although many systems still rely on anti-viral software and tabletop exercises, high-fidelity simulated networks make it possible to model a greater number of sophisticated attacks, creating network resilience in 2023.