By Ben DuBose
SAN ANTONIO -- Hackers exist. They're increasingly
targeting oil and gas industry companies. A single breach can
cost an average of $875,000 in intellectual property theft.
So what should industry companies do, besides be aware of
practice, says Dean Fox, vice president of cyber strategy
for URS and an Air Force veteran of 28 years. Fox spent his
last eight years in Hawaii in charge of all cyber security
against the top three regional threats, including China, Russia
and nation states such as North Korea.
Mr. Fox, who spoke at a Monday afternoon briefing on cyber
security, said the easiest way for hackers to gain access to a
computer network, as they did with Saudi Aramco in 2012, is by
spear fishing, or phishing.
"It comes down to social engineering," he said.
"For example, if I were a hacker and I could gather all
the email addresses of people at this conference, I could put
together a phishing email so that hopefully you'd click on
it, and if your network isn't strong enough, begin to
"I've watched social engineering things that could
blow your mind," he said.
The average click rate for the energy industry
on phishing emails is 30%, he said. "If I sent out 100
emails, I'm bound to get about 30 connections," Mr.
Fox said. "And I only need one."
However, if companies send practice phishing emails to their
members, research shows that drives the percentage down to
"That is tremendous progress," Mr. Fox said.
Steven Smith, an FBI agent based in San Antonio, joined Mr.
Fox for the presentation and echoed that assessment. He said
oil and gas attacks are rising every year, and the bureau is
elevating the importance of cyber security in its daily
"It's almost on par with counter terrorism
cases," Mr. Smith said. "What we're doing now,
we're bringing in top industry professionals and giving
them temporary clearances to be briefed on the intrusion sets
The oil and gas sector represented 14% of cyber attacks
against the US in 2011, trailing only aerospace and defense
(17%) among surveyed industries, according to URS data.
Within the sector, smaller companies are more likely to be
targeted, Mr. Fox said.
"As a hacker, I wouldn't go after the ExxonMobil
or Shell types," Mr. Fox said. "I might try but I
wouldn't spend many resources. I would try the
sub-contractors because they probably have less security
protocols and those majors like Exxon share key information
with them. I'd target the supply chain via phishing
"And it can put those smaller companies that don't
have money to deal with it completely out of business,"
Mr. Smith added.
So what is the solution? Practice is part of it. Others
include capital investments, such as staffing computer incident
response teams (CIRTs), conducting regular vulnerability
assessments and potentially working with cyber protection
companies such as URS.
However, some progress can be made through simple policy changes.
"I recently went to a large nuclear decommissioning
site in Europe," Mr. Fox said. "I
asked them how long it takes a fired employee to be taken off
the site. They said about 30 minutes.
I then asked how long it takes to remove their network
privileges. They said 14 days. So basically, they were
escorting employees off the site but still giving them network
access for two weeks."
"Simply changing some policies sent them to a lower
risk profile," Mr. Fox said. "It wasn't
Mr. Fox also stressed the importance of connecting a
company's IT department with its operational leaders.
"We must foster discussions between operations and
cyber technology experts," Mr. Fox
said. "That was the key for us in the Department of
Defense (DoD) in how we have moved forward."
Mr. Fox explained that a true risk assessment must include
three areas: threat, vulnerability and consequence. Most cyber
experts live in the threat world, Mr. Fox said, and
occasionally dabble toward vulnerability.
Meanwhile, most operational leaders deal with
"If you come together under this model, you can drive
down the cyber security challenges," Mr. Fox said.
Dan Strachan, director of industrial relations and programs
for AFPM, moderated the briefing and said that 60% of his daily
duties at AFPM involve cyber security.
"We're getting very involved in advocacy and
upcoming cyber legislation," he said. "We do a lot of
work with the DHS and DoE."
Strachan said the cyber security committee at AFPM currently
has 36 members and is very busy. He stressed that
the committee is open to all AFPM members and encourages
industry professionals to join.
(Editor's note: This article appeared in Day 3 of the
official AFPM conference newspaper, published by Hydrocarbon Processing.)