OilPro recently published an article entitled, "Why the Oil and Gas Industry is Prone to Cyberattacks". The increase in industrial cyber attacks highlights the importance of cyber security among critical infrastructures.
"Energy industry clients of Alert Logic faced nearly 9,000 cyber security threats from January 1 to May 23. Nearly half of those attacks were the result of malware, and roughly 31 percent were brute force attacks." - Nathan Randazoo, Oil Pro
As reported in a TRP Corp blog:
"To counteract the increasing threat on critical technology infrastructure, DHS has developed CSET, Cyber Security Evaluation Tool. “CSET is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards.” After a thorough evaluation, CSET then produces a prioritized list of recommendations for improving the cybersecurity and industrial control cyber systems. Each recommendation is linked to a set of actions that can be applied to enhance cybersecurity controls."
As technology dependencies become more ingrained in company operations, it is essential to institute company-wide best practices for computer security, downloads, and backups in order to secure necessary technologies and communications networks. A company’s business continuity plan (BCP) should include processes related to critical technologies that may be lost or suspended during an incident. A BCP is a vital tool that companies can use to plan for the restoration of normal operations after a business-disrupting incident. Incidents can create a temporary or permanent loss of infrastructure, critical staff, software, and/or vital records.
Identifying the procedural details of computer backups, data restoration methods, and minimum software requirements is crucial to re-establishing technology-related critical business processes. The Department of Homeland Security’s Cyber Exercise Program (CEP) can assist companies in developing protocols to evaluate their cyber incident preparation, mitigation, response, and recovery capabilities.
Companies should address the following DHS cyber security points to ensure business continuity:
- Is cyber preparedness integrated with your current all hazards preparedness efforts?
- Who are your cyber preparedness stakeholders (public, private, non-profit, other)?
- Are cyber security risk-based policies established in your organization?
- Does your organization ensure that service providers and vendors that have access to your systems are following appropriate personnel security procedures and/or practices?
- Does your organization integrate cyber security into the life cycle system (i.e., design, procurement, installation, operation and disposal)?
- Are audits conducted on cyber security systems?
- Are cyber-security plan requirements in place and are they being adhered to?
- Are all systems compliant with company and/or cyber-security plan requirements?
- Does your organization have an asset inventory of all critical IT systems and a cohesive set of network/system architecture diagrams or other documentation (e.g. nodes, interfaces, and information flows)?
- Upon being notified of a compromise/breach of security regarding an employee:
  - Who is notified?
  - What steps are followed to ensure this individual’s access to facility and/or equipment has been terminated?
  - What steps are followed?
  - Should legal representation be sought and at what point?
  - Who determines if the employee should be held criminally responsible?
- Are there policies (formal and informal) pertaining to removable storage devices?
- What is the priority of cyber preparedness, including cyber security, in your organization?
- What level of funding and/or resources is devoted to cyber preparedness?
- What are your estimated losses if a cyber attack were to terminate system functionality?
- What are your critical business unit software requirements?
- What are the procedures for backing up and restoring data?
- How often are security patches updated?
Cyber exercises are an essential tool for organizations to evaluate their cyber incident preparation, mitigation, response, and recovery capabilities. The exercise environment allows stakeholders to simulate real-world situations, to improve communications and coordination, and to increase the effectiveness of broad-based critical infrastructure protection capabilities without the consequences of a real cyber event. These types of exercises can also be used to educate employees on technological policies and procedures used to offset cyber attack strategies. DHS identifies two types of exercises that can aid in the advancement of cyber security.
Discussion-based exercises:
- Familiarize participants with current agreements and procedures or assist in the development of new plans, agreements, and procedures
- An effective method for bringing together key response team leaders common in mid- to large-scale cyber events
- Easier to conduct, especially when multiple response team leaders participate using a variety of collaboration and video teleconferencing technologies
Operations-based exercises:
- Validate agreements and procedures, clarify roles and responsibilities, and identify resource gaps in an operational environment
- May include the use of simulated network environments, “live-fire” events, and active adversary forces to produce realistic scenario inputs and effects
- Generally involve mobilization and response as opposed to policies and procedures
By exercising key areas of conjunction between IT and other corporate response elements, gaps and shortfalls in company cyber security and incident response operations can be identified. For business continuity, there must be a mutual understanding between IT personnel and crisis managers regarding their respective roles, available resources, and response measures during events caused by cyber disruption.