It has become apparent that securing the industry against cyber criminality is a priority, to mitigate the existential threat to business functionality. There are a multitude of actions that operators can take to achieve battle-readiness in this era of unprecedented instability.
WILLIAM HUTCHISON and LEE ROSSEY, SimSpace
From an often-ignored IT technicality to a boardroom priority, the role of cybersecurity has shifted dramatically for energy companies in the last decade. For years, cybercrime targeting the oil industry has robbed CISOs and their security teams of business-critical resources, holding multinational corporations hostage as hackers demand millions of dollars in ransom.
The Stuxnet incident of 2012 famously hit major U.S. oil companies, such as Chevron, ExxonMobil and Shell, as hackers targeted bid data, project plans and financial information. The Colonial Pipeline ransomware attack of May 2021 also saw an East Coast gas vector pay roughly $5 million to extortionists to recover its stolen data and allow its fuel to flow again.
The O&G sector is not new to the idea of cyber-attacks. However, million-dollar pay-outs to hacker groups are only a fraction of the consequences of such an event. The reputational damage to a brand and the fallout of system downtime can put top-line growth at risk, denting share prices.
tensions have resulted in a 57% in attacks against the U.S. Hacker groups are now using the same tactics against businesses in the U.S. and around the world, and with the exploration and production of oil growing to $4.3tr in size, protecting its assets is vital in a functioning society.
Protecting the upstream industry. The upstream oil industry is making its way to the next level of digital evolution. Implementing the Internet of Things (IoT) and automation processes in its operational environment has ushered in time and cost savings, but it also exposes infrastructure to a multitude of risks attached to oil exploration.
Upstream oil companies use software programs to increase the efficiency of processes such as accounting, land management and production operation. Sensitive assets, such as geospatial data, are stored in these programs and, if stolen, would be valuable information to sell to competitors. Alternatively, IoT devices, such as valve-monitoring sensors, could be hacked and corrupted, causing potential safety concerns or delays in drilling.
42% of offshore facilities worldwide have been operational for over 15 years, with less than half of oil and gas companies using monitoring tools on their networks, Fig. 1. Of those companies, just 14% have fully operational security centers. A substantial proportion of O&G firms using legacy systems are not thoroughly testing their cybersecurity infrastructures in high-fidelity environments. This presents a fundamental risk to their business and a lack of preparation that is exposing the sector to malicious attacks.
The World Economic Forum recently listed cyberattacks as one of its top 10 risks over the next 10 years, alongside climate change, biodiversity loss and the cost-of-living crisis. This highlights critical infrastructure in the oil and gas industries as a primary safety concern. To counteract a threat landscape that is becoming more sophisticated each day, new cybersecurity technologies are looking to test, train and validate systems with increasing realism to mitigate the risk posed by cyber threats.
Assessing the threat landscape. One of the many significant developments in the shifting geopolitical landscape over the last year has been the increased use of cyber-attacks as a tool of statecraft. Adversary states are now using their cyber capabilities to shift power dynamics between hackers and organizations to achieve their strategic objectives. Among the many reasons for state-based hackers targeting the industry, eliciting financial benefit and inflicting reputational damage are the main hallmarks of a seasoned hacking group.
Ransomware and malware are the most popular ways to do this, posing existential threats to the oil industry, whether because oil companies do not have sufficient data and system backup procedures in place, or because of the agile and deadly nature of the techniques that enable it. U.S. President Joe Biden stated last year that “critical infrastructure owners and operators must accelerate efforts to lock their digital doors.” Consequently, exposing vulnerabilities before they can be exploited should be at the top of CEOs' minds when formulating a battle-ready
Operationality of cyber ranges. The MIT Lincoln Laboratory, a research center of the U.S. Department of Defense, helped develop the first virtual testing environments known as cyber ranges. They were developed as a solution to maximize the realism of “red vs. blue” team training events. By practicing incident responses against actual attacks in a safe and isolated simulated network, permanent damage to networks can be avoided, Fig. 2. Most other practices are commonly viewed as inadequate for large U.S. organizations at a heightened risk level.
shows the U.S. experiences the most data breaches of any country in the world. The U.S. Department of Defense recognized this and determined that, to be effective at testing for network vulnerabilities against sophisticated adversaries, a simulated network would be needed. That simulation would become the cyber range and would act in a similar way to a live-fire rifle range. Teams could implement attacks as they would be done in the real world without the concerns about causing permanent damage that come with in-production testing.
Simply put, MIT Lincoln Lab had developed systems that allowed cyber live-fire exercises on an industrial scale for the first time, with the potential for experimenting with complex offensive and defensive techniques. Additionally, the high-fidelity nature of cyber ranges and their non-scripted attack scenarios, compressing three years' worth of cyber-attacks into a 24-hour window, made it possible to rigorously test and expose human vulnerabilities.
These efforts were fruitful, as the lab was able to deploy its cyber range capabilities to nearly 100 laboratories, primarily supporting classified development projects for military and intelligence agencies. In addition to providing a safe and secure environment for testing and training, these cyber ranges also allowed the U.S. government to gain a preview of the latest cyber warfare capabilities being developed by the U.S., giving it a significant advantage against attackers.
Defensive overhaul. The development of cyber ranges at MIT Lincoln Laboratory has been an important part of the U.S. government's efforts to stay ahead of emerging cyber threats while seeking to maintain its leadership status in the field of cyber warfare.
Today, these same capabilities are being made available to private infrastructure operators such as oil and gas conglomerates, which are attractive to hackers due to the lucrative nature of the industry. Expanding the availability of high-fidelity cyber ranges to the private sector is predominantly a response to current threats, given the close relationship between the cybersecurity preparedness of the upstream oil sector and greater national security.
As cyber threats transcend geographical borders, companies around the world are embracing simulated environments as a means to appropriately safeguard against the sophisticated threats of the future. Across the U.S. and around the world, government departments and critical infrastructure organizations have been testing their cybersecurity infrastructure in light of a cyber threat that has reached critical mass, with the UK Army recently conducting the largest military-led, live-fire cyber exercise in
Benefit to businesses. There are several reasons why critical infrastructure organizations are implementing mil-spec cyber ranges. Because of the guaranteed-safe nature of the environment, companies can safely practice responding to cyber threats without the risk of damaging their actual systems or data. Additionally, cyber ranges are able to reduce adversary ‘stay time’, the period during which intruders dwell dormant on a system. Hackers successful at this have the ability to move laterally throughout a network, potentially moving throughout the oil and gas value chain.
In upstream oil activity, the only constant is change, which means the customization of a cybersecurity platform is required to meet the specific needs of an organization. For example, a company may want to simulate a cyber-attack that targets a particular part of a network, or one that uses a specific exfiltration technique targeted at exposing data. Military-grade cyber ranges can be configured to mimic the threat, allowing companies to test their defenses and identify any weaknesses that need to be addressed.
Consequently, what is particularly attractive to companies about cyber ranges is the ability to safely practice and improve their cyber defense skills, customize training and testing to meet their specific needs, and stay ahead of emerging cyber threats. All the while, the range can be continually run to reveal and remove all
Not only will cyber defenses that are tested and validated provide peace of mind to CEOs and their boards, but this also proves to stakeholders and investors that their organization is prepared to operate under emergency conditions, should they arise. Best practice cybersecurity in 2023 can be reduced to four effective steps:
Upgrades required. To gain the cyber preparedness needed to safeguard these growth factors, enlisting the technology of simulation spaces like cyber ranges can allow large companies to build scalable, flexible cyber environments to answer questions such as: how might the latest attacks affect the security of my value chain? Although many systems still rely on anti-virus software and tabletop exercises, high-fidelity simulated networks make it possible to model a greater number of sophisticated attacks, creating network resilience in 2023.
WILLIAM HUTCHISON is the CEO and co-founder of SimSpace. He has extensive experience gained from working in the National Security Agency (NSA) as a senior officer with U.S. Cyber Command. U.S. Cyber Command and the NSA are the premier organizations of the U.S. Department of Defense and Intelligence Community, responsible for conducting military and intelligence operations in the cyber domain. Mr. Hutchison was appointed through presidential order to create a team focused on defending U.S. national infrastructure against state cyberthreats. In 2015, he started the cyber readiness platform to deliver military-grade cybersecurity protection against advanced cyber threats for governments and organizations worldwide. At SimSpace, he spearheaded multiple deployments in financial and other commercial sectors. He holds a bachelor’s degree from Duke University, a master’s degree in aerospace engineering from the University of Texas at Austin, and a master’s degree from the MIT Sloan School of Management.
LEE ROSSEY is CTO of SimSpace. He is a highly experienced cybersecurity expert and a leading developer of the high-fidelity cyber ranges used by the U.S. Intelligence Community. Mr. Rossey co-founded SimSpace in 2015 and continues to leverage his experience for government and private clients around the world. His expertise helps SimSpace develop the capabilities to rapidly create and host realistic network environments and network clones, model sophisticated nation-state adversaries, and develop data collection and analysis capabilities. He is also capable of providing expertise in how NATO governments can enhance their own cybersecurity. Mr. Rossey holds a degree in computer science from the University of Pennsylvania, an MS in electrical and computer engineering from the University of Florida, and a BA and BS from the University of Buffalo.