Cybercrime – A Major Threat to the Energy Sector

By Kellie Murphy

Copyright 2017, Knighthouse Publishing. Reprinted with permission.

I’m not ashamed to admit that my life, like many of yours, has been made easier because of my iPhone.  I use it for everything, and it does pretty much everything I need.

Today alone, I emailed a company’s CFO, set my fantasy baseball lineup, opened a door, and wrote part of this paragraph, all on my iPhone.  I’m sure many of you probably did very similar things, whether through your phone, tablet, or some other form of handheld technology.  It’s the new normal.   In order to remain competitive with the market, we need to adopt and continue to cultivate technology.

It’s how we do business – more devices, more access, more flexibility.  However, as we continue to utilize technological tools in this fashion, we need to reflect on our preparedness to combat the threat of cybercrime.

It is no secret that the energy sector is a prime target for cyberattacks.  Energy companies have everything that attackers are looking for: personnel files, bank accounts, billing addresses, the ability to shut down operations, and worse.  So what are energy companies to do?  Stop using technology?  Absolutely not! But it is important for management to take security seriously and develop best practices to address it.

The first step is for a company to be proactive rather than reactive by performing a self-assessment of cyber and physical security throughout their infrastructure and assets.  Defining the maturity level of your cyber program will help develop a strategy that will both address the threat profile and enhance your operating environment.

Assessment questions should include:

  1. Do we have a cybersecurity program that defines objectives for the organization’s cyber activities?
  2. Is the program documented and does it match the objectives of the program with the company’s risk profile and infrastructure?
  3. Is cybersecurity governance identified, documented, and promoted?
  4. Does the program have the buy-in of senior management?
  5. What programs and processes could potentially be under threat (asset and change management, logical access, and communication infrastructure)?
  6. Do we have a dynamic operating environment?
  7. How are incidents detected and responded to?
  8. What are our dependency risks (external parties)?
  9. How do we mitigate user risk?

The answers to those questions will allow you to identify gaps in your cybersecurity program.

Assessment results should be analyzed by individuals that have the specific skill set to perform the implementation and assignment.  These individuals may be internal, but can also be external resources. It is important to note, that companies should consider consultation with a fiduciary for referrals and guidance, as such resources will be shaping your business objectives around cybersecurity.

Management must buy into the process, as building effective cybersecurity is both costly and time consuming, both when fixing existing problems and when implementing new controls.  Appropriate resources must also be assigned in order to address risk detection, mitigation, and any gaps.  This may require resource availability for weeks, months, or years.

Once management has bought in and you have found your internal or external resources, the next step is making a plan.  This will be the foundation supporting the program.  To develop a mature program requires dedication and, potentially, a change in the way a company views the importance of cybersecurity.  Once finalized, the plan should be implemented, tracked, and reevaluations performed in response to major changes in business and technology, through periodic review to ensure continuing compliance with company policy.

The last step is adaptation and continued enhancement.  This requires dedication and the understanding that as cell phones and technology change, and your business and people become more autonomous, so does your enemy.  It is important that you stay one step ahead.  Cybersecurity risk must be part of enterprise risk management strategy.  While the risk can’t be completely eliminated, by following the suggested procedures above, it can be monitored and mitigated through an informed decision-making process.