Oil and gas industry scrutinized for weak cyber defenses

As US industries brace for possible Russian cyberattacks amid the war in Ukraine, experts say the oil and gas industry is particularly vulnerable because it is not subject to cybersecurity standards and investments imposed by the government.

Unlike the electricity sector, which has developed sophisticated cyber defenses over the years and is heavily regulated by government, the oil and gas industry is lagging behind in part because industry lobbyists have pushed back on more stringent regulations, said Peter Lund, cyber expert and chief technical officer at Industrial Defender.

“Oil and gas has always been a little behind, mostly because they’re not as regulatory friendly,” Lund said, adding that while the industry has invested in cybersecurity, it is not at the level where it should be compared to other regulated energy sectors.

On the other hand, Lund said the power industry has very prescriptive guidelines that require it to know its assets, understand its network, and evolve as technology advances. “It has a very strong set of security and compliance standards,” he said.

Lund said the Colonial Pipeline ransomware attack was a wake-up call for the oil and gas industry to invest more in cybersecurity and strengthen its cyber defenses.

The attack, which happened last year, forced the company to shut down operations for nearly a week. The company was forced to pay a ransom of $4.4 million in bitcoin. The incident also caused gas shortages in several states as fuel prices soared.

US regulators, and even lawmakers, have pushed the oil and gas industry to adopt tougher cybersecurity standards administered by the Federal Energy Regulatory Commission (FERC). Rep. Bobby Rush (D-Ill.), chairman of the House Energy Subcommittee, introduced a bill in December that would direct FERC to create “essential” mandatory cybersecurity standards for the oil and gas industry.

“Putin’s war in Ukraine has brought the issue of energy security back to the fore. It is crucial that we have energy and cybersecurity experts behind the wheel to set the cybersecurity standards for energy infrastructure,” Rep. Rush said in a statement to The Hill.

“My bill, the Energy Product Reliability Act, would do that by creating a reliability organization that would be empowered by FERC to set much-needed mandatory cybersecurity standards for US pipelines.”

Lund explained that industries like oil and gas would rather be profitable than invest in cybersecurity, especially knowing that there is always the possibility of a cyberattack on their networks.

“[Cybersecurity] is something you have to spend a lot of money on knowing that there is no 100% guarantee” to avoid an attack, Lund said, adding that there is no doubt that the frequency of cyberattacks will continue to increase.

Industry leaders, however, have pushed back against these claims, arguing that just because an industry isn’t federally regulated doesn’t mean it isn’t investing in cybersecurity or tracking government cybersecurity guidelines.

“You don’t need regulations to have a robust cybersecurity program,” said Suzanne Lemieux, director of operations security and emergency response at the American Petroleum Industry.

Lemieux said API members coordinate closely with government agencies and the private sector to ensure they receive up-to-date information on cyber threats. She added that private cybersecurity firms have also helped members secure and upgrade their networks.

“You can’t stay in business these days if you don’t have a robust cybersecurity program,” she said.

Lemieux added that while there are no specific or credible threats at this time, their members have increased their level of vigilance and resilience as they continue to monitor the current situation in Ukraine.

“Our companies are trying to work with as many players as possible to ensure that as an industry we are resilient and that we can prevent and mitigate as much as possible with these partnerships, including with the federal government and private industry,” Lemieux said.

“It’s in everyone’s interest to make sure we’re as safe as possible,” she said.

A spokesperson for the Interstate Natural Gas Association of America (INGAA) echoed Lemieux’s point, saying the oil and gas industry is no more vulnerable to cyberattacks than other industries, which is in large part “because of its connectivity to global markets.”

The INGAA spokesperson also said its members have adopted the “Shields Up” guidelines implemented by the Cybersecurity & Infrastructure Security Agency (CISA), as well as other recommendations introduced by the FBI and TSA.

The spokesperson added that although the latest cyber threats have primarily focused on Russia, the Office of the Director of National Intelligence has repeatedly cited China as the “most widespread, active and persistent” cyber threat for US private sector networks.

“While INGAA members are in a heightened security posture due to the crisis in Ukraine and potential counterattacks against US critical infrastructure, we are not forgetting other actors who may seek to disrupt our networks,” the spokesperson said.
