HOUSTON—Cyberattackers are opportunistic, looking for easy targets, and once the mark has landed in the crosshairs, they are getting the job done quicker and cheaper.
Results from a study conducted by the Ponemon Institute reveal more than half of the cyber experts surveyed say the cost of a successful attack has fallen. The more technically proficient attackers spend on average $1,367 for specialized toolkits to carry out attacks.
The same study found that it typically takes less than two days to deter most attackers.
“The longer an organization can keep the attacker from executing a successful attack the stronger its ability to safeguard its sensitive and confidential information,” the report said. “The inflection point for deterring the majority of attacks is less than two days [40 hours] resulting in more than 60% of all attackers moving on to another target.”
A few details from the report were shared by a speaker during American Petroleum Institute’s Cybersecurity Conference & Expo, where oil and gas players gathered to share knowledge and learn more about cybersecurity in the energy space.
Cybersecurity may not be the public talk of earnings calls as companies adjust to market conditions. However, digital’s growing presence in the oil patch—with big data and moves to the Cloud—reinforces the need for cyber awareness in business structures to protect intellectual property, physical property or other valuable information.
A panel of chief information officers from Halliburton (NYSE: HAL), FMC Technologies (NYSE: FTI) and Hess Corp. (NYSE: HES) discussed cybersecurity issues and how their companies are defending themselves against threats, regardless of the lower commodity price environment.
“Lower oil price does not mean lower risk,” said William Rothe, vice president of enterprise systems for Hess. “Our overall cyber objectives can be compromised without having funding to pay for different programs. So we have to find ways to do more with less.”
This may mean more in-house work; however, market conditions don’t change the cybersecurity roadmap or the need to review risk profiles daily, Rothe added.
Although details on cybersecurity protocols and strategy may vary for the operator and service providers on the panel, there were commonalities. Each has solid governance, well-defined strategies and regular board updates, looking at situations with the overall risk to the company in mind.
At Halliburton, the board is kept informed via monthly reports with information on topics such as phishing attacks or data infiltration, should there be any, Halliburton CIO Ken Braud said. Ultimately, senior-level executives are looking to understand “business disruptions as a result of a cybersecurity incident or a loss of data or [intellectual property],” Braud said, noting this includes customer data.
As technology plays a growing role in industry, the opportunity for threats also grows, mandating the need for cybersecurity efforts. These include the Internet of Things, or anything with a sensor, Braud pointed out, noting that the level of some devices’ security frameworks is not at the level he would prefer.
“We consider anything on our network to be fair game for all the controls and practices that we apply for the greater enterprise,” Braud added. Aware of rapidly evolving challenges, he said the company is working diligently with operation fields across its product service lines and he’s confident that structures in place are sound.
When Hess Corp. began moving entire lines of business to the public Cloud in 2013, the move “allowed us to get really smart about what types of controls the public Cloud provided,” said William Rothe, vice president of enterprise systems for Hess Corp. “It’s taking control out of your own shop and putting it into another person’s shop.”
That may not be such a bad thing considering top Cloud providers, including market leader Amazon Web Services and Microsoft Azure, spend billions on Cloud-based security, including identity access management and data encryption, among other areas. They have a lot more resources and access to talent, Rothe said.
However, challenges remain for the oil and gas sector.
“The biggest challenge is there isn’t one set of standards out there today,” said Mark Freed, chief information securities officer for FMC Technologies. He noted that standards vary, changing by country and company.
Having standards shows customers that the company has its act together with a program and metrics in place to deliver secure quality products, Braud added.
The set of standards is something that API is currently trying to improve, by working with companies via its IT security subcommittee. All seemed to agree that a set of industrywide cybersecurity standards is needed globally.
“As standards evolve, I think that commercially we will all be held accountable to deliver another level of granularity beyond just the framework,” Braud said.
Velda Addison can be reached at firstname.lastname@example.org.