A survey conducted last November of more than 150 information technology (IT) professionals in the oil and gas industry found that 82% had seen an increase in successful cyberattacks in the preceding 12 months.
According to Tripwire Inc., a cybersecurity firm based in Portland, OR, 2% of respondents also said the number of cyberattacks they witnessed had more than doubled in the preceding month, while 53% said there was a 50-100% increase in attacks. Another 20% had noticed a 20-50% increase in attacks in the preceding month, while 13% said there was a 10-20% increase, and 11% said the increase was less than 10%.
"The increase in successful attacks should be deeply concerning," Tripwire’s Tim Erlin, director of IT security and risk strategy, said Thursday. "Successful attacks could mean that attackers are able to breach a specific security control or that they have been able to get closer to sensitive data using phishing or malware scams that have been detected. It could also mean that attackers are launching more persistent, targeted attacks."
The survey, which was conducted by Dimensional Research, also found that 69% of respondents were not confident that their organization detects all cyberattacks. It also found that at 72% of oil and gas companies, a single executive is responsible for securing both IT and operational technology (OT) environments. Meanwhile, at 19% of the companies, the responsibility for managing IT and OT systems are split. Another 8% of respondents said a single individual handles both IT and OT, but they are not an executive.
The survey found that in 1% of companies, no one is dedicated to IT.
"In combination with the lack of confidence in detection capabilities these findings demonstrate that the oil and gas industry needs to increase investment in basic best practices to materially reduce risk," Erlin said. "Unfortunately, these results indicate that things will probably get worse before they get better."
Last July, American Gas Association CEO Dave McCurdy said the natural gas industry is taking cybersecurity threats very seriously and has devoted increasing resources to fighting them since 2001 (see Daily GPI,July 27, 2015). Federal Energy Regulatory Commission Chairman Norman Bay has also urged the industry to take cybersecurity threats seriously, and pledged that the Commission would work with the Oil and Natural Gas Information Sharing and Analysis Center and the Oil & Natural Gas Sector Coordinating Council to share its technical expertise (see Daily GPI, July 21, 2015).
In Congress, the Cyber Intelligence Sharing and Protection Act (CISPA), which would help the U.S. government investigate cyber threats and help ensure network safety from cyberattacks, passed the House in 2012, but failed to pass the Senate during the same session. It was reintroduced in the House and passed again in 2013. The bill, HR 234, is currently under consideration by the House Subcommittee on the Constitution and Civil Justice.
Meanwhile, a second, lengthy bill -- S 754, the Cybersecurity Information Sharing Act (CISA) -- passed the Senate last October but is currently being held at the desk.
CISPA would, among other things, direct the federal government to share real-time cyber threat information between all designated federal cyber operations centers, and the president would be required to designate two civilian federal entities -- one within the Department of Homeland Security (DHS) to receive cyber threat information, and another at the Department of Justice (DOJ) -- to receive cybersecurity crime information.
CISA would require DHS, DOJ, the director of National Intelligence and the Department of Defense to, among things, "develop and promulgate procedures to promote...the timely sharing of classified and declassified cyber threat indicators in possession of the federal government with private entities, non-federal government agencies, or state, tribal, or local governments..." The law would also permit "private entities to monitor, and operate defensive measures to detect, prevent or mitigate cybersecurity threats or security vulnerabilities..."