By Ben DuBose
SAN ANTONIO -- Hackers exist. Theyre increasingly targeting oil and gas industry companies. A single breach can cost an average of $875,000 in intellectual property theft.
So what should industry companies do, besides be aware of the problem?
Practice, practice, practice, says Dean Fox, vice president of cyber strategy for URS and an Air Force veteran of 28 years. Fox spent his last eight years in Hawaii in charge of all cyber security against the top three regional threats, including China, Russia and nation states such as North Korea.
Mr. Fox, who spoke at a Monday afternoon briefing on cyber security, said the easiest way for hackers to gain access to a computer network, as they did with Saudi Aramco in 2012, is by spear fishing, or phishing.
It comes down to social engineering, he said. For example, if I were a hacker and I could gather all the email addresses of people at this conference, I could put together a phishing email so that hopefully youd click on it, and if your network isnt strong enough, begin to exploit it.
Ive watched social engineering things that could blow your mind, he said.
The average click rate for the energy industry on phishing emails is 30%, he said. If I sent out 100 emails, Im bound to get about 30 connections, Mr. Fox said. And I only need one.
However, if companies do phishing practice emails to their members, research shows that drives the percentage down to 7%.
That is tremendous progress, Mr. Fox said.
Steven Smith, an FBI agent based in San Antonio, joined Mr. Fox for the presentation and echoed that assessment. He said oil and gas attacks are rising every year, and the bureau is elevating the importance of cyber security in its daily workload.
Its almost on par with counter terrorism cases, Mr. Smith said. What were doing now, were bringing in top industry professionals and giving them temporary clearances to be briefed on the intrusion sets out there.
The oil and gas sector represented 14% of cyber attacks against the US in 2011, trailing only aerospace and defense (17%) among surveyed industries, according to URS data.
Within the sector, smaller companies are more likely to be targeted, Mr. Fox said.
As a hacker, I wouldnt go after the ExxonMobil or Shell types, Mr. Fox said. I might try but I wouldnt spend many resources. I would try the sub-contractors because they probably have less security protocols and those majors like Exxon share key information with them. Id target the supply chain via phishing activities.
And it can put those smaller companies that dont have money to deal with it completely out of business, Mr. Smith added.
So what is the solution? Practice is part of it. Others include capital investments, such as staffing computer incident response teams (CIRTs), conducting regular vulnerability assessments and potentially working with cyber protection companies such as URS.
However, some progress can be made through simple policy changes.
I recently went to a large nuclear decommissioning site in Europe, Mr. Fox said. I asked them how long it takes a fired employee to be taken off the site. They said about 30 minutes.
I then asked how long it takes to remove their network privileges. They said 14 days. So basically, they were escorting employees off the site but still giving them network access for two weeks.
Simply changing some policies sent them to a lower risk profile, Mr. Fox said. It wasnt expensive.
Mr. Fox also stressed the importance of connecting a companys IT department with its operational leaders.
We must foster discussions between operations and cyber technology experts, Mr. Fox said. That was the key for us in the Department of Defense (DoD) in how we have moved forward.
Mr. Fox explained that a true risk assessment must include three areas: threat, vulnerability and consequence. Most cyber experts live in the threat world, Mr. Fox said, and occasionally dabble toward vulnerability.
Meanwhile, most operational leaders deal with consequences.
If you come together under this model, you can drive down the cyber security challenges, Mr. Fox said.
Dan Strachan, director of industrial relations and programs for AFPM, moderated the briefing and said that 60% of his daily duties at AFPM involve cyber security.
Were getting very involved in advocacy and upcoming cyber legislation, he said. We do a lot of work with the DHS and DoE.
Strachan said the cyber security committee at AFPM currently has 36 members and is very busy. He stressed that the committee is open to all AFPM members and encourages industry professionals to join.
(Editor's note: This article appeared in Day 3 of the official AFPM conference newspaper, published by Hydrocarbon Processing. To read the full edition, please click here.)