Cybersecurity in Critical Sectors: The Petroleum Industry
About the Author
Zach Jones, Security Vulnerability Analyst with The Mako Group
The internet changed the world and that includes the workplace. The Mako Group joined the remote work revolution early in its history, but now one member of the team is taking it to the next level. Zach has been a member of The Mako Group team for two years, and is now spending year three on the road while working full time. He is joining the ranks of digital nomads and moving from city to city working across time zones and countries while pursuing his career in federal sales and penetration testing. During his travels, he is learning about local cybersecurity concerns and issues in relation to the industry as a whole and sharing thoughts from the road. We’re pleased to be able to share his findings with you through this blog. Check out the latest from his time in Stavanger, Norway.
During a recent trip to Norway, I discovered much about the Scandinavian nation. Their economy stood out to me as a particularly good example of the need for cybersecurity emphasis for critical industries. The Norwegian economy is built largely on the petroleum industry which accounts for 12% of the country’s GDP, 37% of exports and nearly 10% of the entire workforce. Couple the overwhelming economic reliance with the risk of disastrous environmental consequences and it is no surprise why the petroleum industry is considered critical. Many countries carry similar designations for members of the energy sector who, depending the source, are the victims of 25% - 40% of all cyberattacks by cybercriminals. Regardless of the exact figure, the point is clear; the petroleum industry represents an extremely critical sector. The designation of critical industry certainly carries with it increased attention and access to government resources. But is it enough?
The petroleum industry in Norway via Statoil isn’t taking the problem lightly. They have joined an industry partnership with technology providers and other oil companies to address the issue. The partnership is headed up by Oslo’s DNV GL and is focused on developing a Recommended Practice (RP) for Industrial Automation and Control Systems. This is aimed at pooling resources to strengthen the entire petroleum industry rather than leaving companies to vie for the title of “least weak” from a cybersecurity perspective.
Critical industries across the world are taking similar actions to form stronger intra-industry partnerships to bolster cybersecurity efforts in their sector. This approach is a necessary step on the road toward a more secure and stable cyber landscape with Advanced Persistent Threats, Zero Days and Nation-States representing the biggest threat to industry rather than ransomware, phishing or other common threats.
The industry will need to invest in true solutions rather than “check-box” approaches to truly solidify progress. As companies at an individual level grapple with simple challenges like patch management and regular assessments, more significant steps toward change still feel overly complex and far off like security by design and robust cybersecurity training for employees.
Governments across the world are keen to the impact cybersecurity concerns are having on their citizens and economies. The desire to label industries as critical and begin to protect them in the same manner as critical government assets is a necessary step. The only issue with this logic rests with the strategy, resources and politics of the government.
In addition to resources, strategy and politics, governments are also responsible for law enforcement in the cybersecurity realm and, in this sense, they’re falling drastically behind. The average police department has limited to no capabilities in the cyber realm which leaves Federal agencies to shoulder the burden. While Federal agencies may be the best equipped from a jurisdictional standpoint, there is a gap in both resources to address the issues and laws or policies to be enforced.
The governments of the world have a necessary role to play in the cybersecurity space, but are falling behind in the areas in which they’re needed most. Similar to the establishment of policies surrounding the use and creation of nuclear or chemical weapons, the international and academic communities alike have a responsibility to create policies, treaties and mutual understanding around cybersecurity.