Cyber-risks have become a part of life in American business, and the energy sector is certainly not exempt from these dangers. Indeed, the sector’s critical infrastructure has been identified as a global target, and several countries are highlighting its protection as a legislative priority. All this means that companies operating in the energy sector should carefully consider the vulnerabilities of their data and proprietary systems. The nation’s energy sector is vulnerable to cyberattacks and breaches in the same way as other industries are – and the interdependencies of the energy sector with other critical infrastructure sectors (such as communications and IT), as well as the crucial importance of energy to national security, makes it all the more important for this sector to be aware of cybersecurity issues and to take positive, proactive steps to deal with these looming dangers.
According to a current survey , top corporate general counsel in the United States regard cybersecurity as the leading risk facing their companies. Of those counsel surveyed, 52 percent said cybersecurity poses a major risk; 50 percent listed data privacy, which is closely related. Only 29 percent of the respondents said their organization was prepared to handle the legal repercussions of a cybersecurity incident.
Energy and critical infrastructure vulnerability: federal involvement
The electric power subsector may be especially vulnerable. A study commissioned last summer for a major global insurer estimated that a major cyberattack on the US electric grid could cause more than $1 trillion in economic impact and bring the US economy to its knees for several weeks. The study envisioned a scenario in which 15 states and Washington, DC suffer a blackout as a result of a cyberattack on the power grid.
Cyberattacks may include not only malicious attacks by outside terrorists but also assaults from within the grid system itself, by untrained or disgruntled employees, for example. The possible impact of such an attack could be magnified by the fact that the deployment of network connected industrial control systems (which replaced the older analog equipment that had run the nation’s electric generation, transmission and distribution systems for decades) has created new vulnerable points of entry into these systems.
Energy industry groups such as the Smart Grid Interoperability Panel (SGIP), a nonprofit industry group, are tackling the growing risk of cyberattack. Here is a bit of background to their activity. In February 2013, President Barak Obama issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity. The Order directed the National Institute of Standards and Technology (NIST) to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices - for reducing cyber-risks to critical infrastructure. A public and private partnership effort led to the drafting of NIST’s Cybersecurity Framework. Since then, sector specific industry organizations have taken the Framework and adapted it to their sector specific needs. SGIP elicited responses from within the electricity subsector, including cybersecurity professionals, in its “Views on the Framework for Improving Critical Infrastructure Cybersecurity.”
Since then, information sharing among utilities and other industry participants has been prioritized as a powerful tool against cyberthreats. The CIP (critical infrastructure protection) requirements set forth by the NERC (North American Electric Reliability Corporation)already set out standards designed to protect and secure the electrical grid. NERC CIP consists of nine standards and 45 requirements covering the security of electronic perimeters and the protection of critical cyberassets as well as personnel issues and training, security management and disaster recovery planning.
Energy companies should evaluate and participate in cybersecurity information sharing, both among private sector entities and between the private sector and the government. The Cybersecurity Act of 2015, addressed industry concerns over liability for cybersecurity information sharing. The law applies to all critical infrastructure sectors, including the energy sector, and provides liability protection for entities that voluntarily share and receive cyberthreat indicators and defensive measures with other private entities or the government. Under this law, enacted in December 2015, the Director of National Intelligence and the Departments of Homeland Security, Defense, and Justice developed procedures for the federal government to share cybersecurity threat information with private entities, nonfederal government agencies, and state, tribal, and local governments, and vice-versa, a process now well under way.
Analysis of the Cybersecurity Act reveals that its provisions enable a reliable framework for sharing information that will help secure the electric grid while striking a proper balance between liability and privacy protections. Further, the Act intends to facilitate the completion of two information-sharing programs that are unique to the electric power industry: CES-21 and CRISP.
CES-21 is a cybersecurity information-sharing program funded by the California Public Utilities Commission in the electric sector to implement methods for cyberthreat sharing. CRISP, the Cybersecurity Risk Information Sharing Program, is a public-private partnership, co-funded by the US Department of Energy and by industry. Its purpose is to collaborate with energy sector partners to facilitate the timely sharing of threat information and develop situational awareness tools to enhance the sector's ability to identify, prioritize, and coordinate the protection of its critical infrastructure and key resources.
The implementation of the Act will not only speed up the completion of the CES-21 and CRISP programs but will also permit the development of a framework that all US utilities can use, thus helping to secure the nation’s electric grid. Although only time will tell, it appears that significant progress is being made.
In another development, the US Federal Energy Regulatory Commission in late January issued updated cybersecurity standards for the nation’s electric utilities. According to FERC, the updated standards “are designed to mitigate the cybersecurity risks to bulk electric system facilities systems and equipment, which, if destroyed, degraded or otherwise rendered unavailable as a result of a cybersecurity incident, would affect the reliable operation” of the US power grid.
FERC’s updated critical infrastructure protection (CIP) reliability standards require large electric utilities to conduct cybersecurity training at least once a quarter and, in most cases, to deploy two or more physical access controls outside their security perimeters. In addition, the updated standards require most utilities to close unneeded networking ports and to adopt procedures for the storage of information and the wiping of systems before they’re reused.
Oil and gas: the coming wave of mergers may create vulnerabilities
Unlike the electric industry, the oil and gas sector is not highly networked. This is one reason why cyber concerns for oil and gas are quite different. Another reason arises from the continuing decline of oil prices, which is causing a shakeout in the subsector, as some companies fall by the wayside due to the burden of debt and insufficient income to meet cash-flow projections.
CNN Money reported earlier this year that as crude oil prices declined from $100 a barrel in mid-2014 to $27 a barrel in February 2016, the number of bankruptcies of oil-patch companies increased dramatically –2015 saw an increase of 379 percent in industry participants that sought bankruptcy protection. At this writing, research by Deloitte suggests that, worldwide, about a third of all oil and gas exploration and production companies are at substantive risk of restructuring – some 175 companies owing $150 billion of debt.
Another inevitable result of the decline in crude prices will be a wave of mergers, some of them put together hastily and at fire-sale prices. The Houston Chronicle reported at the beginning of 2016 that three out of every four oil company finance executives, according to a survey by a global consulting firm, expect a wave of consolidations in the industries to occur by year end.
That same month, another industry consulting firm wrote that “after concentrating on short-term responses to the steep plunge in oil prices which commenced in the fourth quarter of 2014, the more financially stable firms [in energy industries] are now considering longer term strategic moves, including the opportunity to acquire attractive assets from distressed sellers.”
These mergers run a significant risk of paving the way for serious cybersecurity problems in the absence of thorough due diligence. Legacy liability of acquired assets is a huge opportunity for an information compromise to take place. Questions not often enough considered in such transactions include: which party is responsible for archived data that may be stored in the cloud or offsite? and how is that data being handled, transitioned, processed or disposed in the course of a change in ownership? When a company seeks to acquire attractive assets from a distressed seller, the available time can be short because of the need to preserve the value of the assets in a declining market. As a result, the acquiring company may fail to perform the necessary due diligence on the cybersecurity of the target company. In the absence of due diligence, the acquiring company can become aware of the security flaws after closing – or worse, after a cyberattack.
In an alternative scenario, the two companies complete a transaction but, again because of the exigencies of time, fail to adequately integrate the acquired company into its cybersecurity systems, leaving a hole in security that can be exploited by a cyber-criminal.
This nightmare scenario actually occurred recently in another industry. In April 2015 an Australian telecom giant completed an acquisition of Asia’s largest provider of submarine communication cables for $697 million. But just before the deal closed, the target company was the victim of a cyberattack that exposed its customers, including the Australian Federal Police and other government agencies, to possible theft of their data. The company was unaware of the breach until after the deal closed.
Accordingly, especially in view of the often brief time period available to evaluate an acquisition in the oil and gas industries, or any industry sector for that matter, companies are well advised to include cybersecurity concerns in the due diligence they are performing. This may help them to avoid a cybersecurity breach hand in hand with their acquisition.
The energy sector faces cyber-risks from many fronts, but there are resources available to mitigate those risks. Prudent organizations, by sharing information and diligently managing risks, can position themselves to resist incursions and attacks.
Learn more about the implications of cyber-risks by contacting either of the authors.