Like most industries, network and data breaches at oil & gas companies are on the rise. As I write this, hundreds of medical industry sites in Europe are under attack by the WannaCry ransomware program. Long expected to be prime targets, Utility Industry networks are fair game as well. But with oil prices inching back up and hackers ramping up their arsenals to attack fossil fuels industries, how are Oil & Gas companies to adequately protect their systems and networks?
More than an IT Problem
Put “cyber” at the front of any word and people immediately think IT (Information Technology.) IT is often at the forefront of cyber-attacks and generally responsible for cybersecurity within the corporation. But the problem of cybersecurity is one for the entire organization, from the CEO on down. Without the recognition of the problem and the support of board-level management to combat it, IT is left as a soldier heading into battle with a pillow as a shield and plastic spork for a weapon.
For the Oil & Gas industry, field offices can be some of the riskiest locations for cyber-attacks. Often, the personnel in these offices are ill-trained to handle computer and network issues, leaving them vulnerable. Proper training on how to recognize potential attacks, malware, ransomware, or other issues can turn these front-line employees into cyber-investigators. Spreading the word across the organization helps make cybersecurity everyone’s responsibility.
Consumer Devices Invade the Corporate Network
Long before “shadow IT” and “Bring Your Own Device (BYOD)” became common terms, consumer-grade devices were utilized by many companies for their smaller offices. Non-IT personnel would often extend their network reach with a Wi-Fi hub or repeater without considering how their actions might impact their company’s network or security infrastructure. Every one of these consumer devices can introduce risk into the corporate network. From a network device running an unpatched Linux kernel to an iPad searching the network for server vulnerabilities via the latest malware-laden app, every piece of equipment coming into contact with the corporate network should be scrutinized.
What we’re talking about is more than taking down a print server or e-mail. Those of us responsible for cybersecurity segregate our networks for a reason. If someone were to plug an unapproved piece of hardware behind your firewall, the damage can far exceed the savings from that office supply store replacement router. If you don’t believe me, calculate the cost of one hour of downtime from a malware hack taking down your drilling operation. Now that’s an expensive router.
Many Cyber-Attacks Start with Social Engineering
Social engineering is how roughly half of all intrusions begin. Sharing passwords, leaving screens unlocked, using coffee shop Wi-Fi where skimmers can pull your credentials right from the air—all can have devastating effects on your company. In 4 of 5 of the penetration tests that I have conducted, the biggest breaches came from social engineering.
Cybersecurity is Everyone’s Responsibility
Cybersecurity is everyone’s business. Training and testing on a regular basis is the only way to keep the company networks safe and secure. Nobody knows how vulnerable your company more than your own employees. Keep the lines of communication open and let your personnel help close the holes in your cybersecurity safety net.