To broaden our understanding of the current cybersecurity landscape, we recently spoke with Risto Siilasmaa, the chairman, founder, and former CEO of F-Secure, an Internet and cybersecurity software company based in Helsinki, Finland. He was joined by Jens Thonke, executive vice president of cybersecurity services at F-Secure.
Risto and Jens shared insights on a range of related issues. Edited excerpts follow.
The Role of Senior Management
Change starts at the top, meaning with the CEO and board. There is not much knowledge about the technical details of cybersecurity at that level currently. But senior management needs to understand the basics and, even more important, the risks cyberthreats pose to their company.
Gauging the Company’s General State of Preparedness
Here’s a simple exercise: name the company’s three highest-value information assets. These might be the process automation and control system for your production facilities, including Emergency Shut Down systems (ESD) and the oil and gas pipeline solutions; the information system for interacting with suppliers; and the database of customer information, for example. If you can’t name the top three, you certainly aren’t protecting them sufficiently.
The Necessary Components of a Comprehensive Cybersecurity Program
In our view, there should be four components to a cybersecurity program: intelligence, prevention strategies, detection and recovery, and analysis and learning. Intelligence refers to the overall process of staying abreast of relevant information, including vulnerabilities, exploits of attackers, new versions of software, and attacker types and groups. Every company needs to understand how and by whom it is viewed as a target, as well as which of its information assets its potential attackers are after. Oil and gas companies, like other businesses, are attractive to many attackers. These include online criminals who want to cause financial damage and, perhaps, blackmail the company; anonymous attackers who support or claim to support an ideological cause; terrorists who want to cause widespread physical damage (for example, by causing a fire or an explosion); and disgruntled employees, of which—due to industry downsizing—there may now be growing numbers in the oil and gas industry. If you understand who the attackers are and their motivation, you understand what kind of attacks they would likely launch and which of your information assets are most vulnerable.
The second component is prevention strategies. Every company has to have its own arsenal of customized approaches to match the variety of potential attacks. The potential damage from an attack can amount to millions, if not billions, of dollars and cost the CEO and other executives their jobs. In a nutshell, it is worth going for the best solutions here, not mediocre ones. The critical goal is to design a holistic and location-independent approach.
The third component is detection and recovery. Companies need to be able to determine when they are under attack and clean up and restore operational capability quickly. They should plan for the inevitable successful attack: given enough time and resources, an attacker will almost always be successful. The sooner a company realizes it is under attack, the sooner it can recover. Recovery is something that companies need to practice, practice, and practice. In terms of types of attack—apart from a physical ruse, such as tailgating or cloning access control cards to trespass in administration offices or command or control rooms—the most common type is a combination of social engineering and customized malware. Systems controls and employees need to learn to be suspicious and recognize such attacks as they are happening. Management should ask basic questions to get a sense of the company’s vulnerability. Can anyone gain unauthorized physical access to the company’s office or to the executives’ e-mail or pretend to be sending messages from their e-mail accounts? Retrieve and modify the source code that runs the company’s key products? Access the company’s data center?
The final component is analysis and learning. Following an attack, the company must work to determine exactly how the attack was carried out; which vulnerabilities in processes, tools, and competencies the attackers exploited; how the company responded to the attack; and how long it took to restore operational capability. The company should then define appropriate countermeasures for warding off future attacks and improving outcomes.
The Challenges That Old or Customized Systems Pose to the Oil and Gas Industry
Many companies are using multiple industrial-control systems, most of which are quite old and proprietary or homemade. Many of them, designed without security precautions in mind, constitute a big risk. A single point could give an attacker an entire system of upstream production assets. For attackers, self-created, older systems are low-hanging fruit.
The Oil and Gas Industry’s General Defense Capabilities Relative to Those of Other Industries
The sector’s general level of IT security maturity is not that high compared with other industries. In our experience, many companies suffer from a lack of enforcement and control of regulations and policies.
The Emerging Internet of Things and How the Industry’s Shortage of Digital Natives Could Hurt It
The Internet of Things could bring a number of new and significant cybersecurity threats to oil and gas companies, and the effects could be compounded by the relatively low share of digital natives among the industry’s workforce. Companies with a small concentration of digital natives tend to be less suspicious of attackers’ types of activities than are, say, technology companies. Companies with relatively few digital natives also are more apt to create solutions that are not highly secure. Senior management of oil and gas companies should not underestimate the possible challenges of this situation: the backdrop will be increasingly complex as it evolves from the Internet of Things to big data and smart analytics and ultimately to a programmable world.