Let’s use caution in enacting cybersecurity rules
After failing to pass a piece of comprehensive cybersecurity legislation in the U.S. Congress this summer, the Obama administration is considering an executive order to provide powers for greater government intervention. Significant intervention will likely be directed at the oil and gas, electricity and petrochemical industries, as they are both providers of critical infrastructure needed for the operation of our economy and society. While there has been significant alarmism in consideration of cyber issues in the past, new developments illustrate how much more possible a catastrophic cyber attack against the U.S. is becoming. For operators of chemical plants the concern has shifted to the possibility of compromised industrial computing leading to environmental disaster, “the cyber Bhopal.” Undoubtedly, the risk of these catastrophic scenarios is real and the Obama administration and lawmakers’ efforts are critical and well-intentioned, but an executive order should not run the risk of overregulating the energy industry’s ever-changing, highly-computerized technology infrastructure.
Recent developments have shown that those wishing to purloin the energy industry’s proprietary information resources now regularly target the industry. These attempts include efforts to disrupt entire enterprise computer systems. This is what happened in August to Saudi Aramco. The company stated publicly it had “isolated all its electronic systems from outside access as an early precautionary measure that was taken following a sudden disruption that affected some of the sectors of its electronic network.” In the days that followed, news reports speculated that perhaps as many as 30,000 computers on the company’s network were compromised by a malicious piece of software, or “malware,” possibly the one labeled Shamoon by the computer malware analysis community. Shortly after announcement of the disruption, an ostensibly Middle Eastern group labeling itself the Cutting Sword of Justice declared responsibility for the Aramco disruption and that it would redouble its efforts against the company. Incidentally, I believe Aramco acted wisely in admitting to the problem, much like Google did after actors operating inside China compromised its systems several years ago.
Today, there are likely two major cyberthreats to the energy industry: (1) the vulnerability of its operations systems — computers that route electricity, open valves and operate motors; and (2) the problem of controlling access to proprietary corporate information and data, from internal email communications to long-term development plans and new technologies often carrying investments in the billions of dollars. These are not fantasy scenarios, but rather a consistent and rising set of data breaches and disruptions that have grown from a nuisance to a serious impediment to global business operations.
Though most cyber incidents involve only purloined or corrupted data, at least one case, Stuxnet, apparently damaged physical machinery in the Iranian nuclear enrichment program as well. Repeated compromises of energy company networks indicate they are exposed to a significant set of cyber threats, many produced by foreign countries, but others by more loosely connected activists. A warning sent out last month by the Canadian government to oil and gas firms involved in developing Alberta’s oil sands regarding their targeting by hacker organization Anonymous indicates that the set of actors willing to steal information or disrupt operations continues to grow. This represents a potentially serious crisis and one that technology alone, despite advances in anti-virus and intrusion detection systems, has been unable to solve. Due to this failure, Congress has proposed legislation aimed at increasing cyber security in a number of business sectors falling under the heading of critical infrastructure.
But what may public policy in the form of legislation achieve in mitigating the vulnerabilities of the highly computerized and networked companies that produce and deliver energy to the U.S. consumer? Unfortunately, law alone will likely not have the desired results, despite the best intentions of lawmakers.
The nation needs a cyber security framework in which parties opt-in to working with one another without fear of negative repercussion from investors or government. Ideally, the energy industry will choose to pool its resources to solve the major problems that face it, from the construction of countermeasures to spear phishing espionage emails to the development of process control system security best practices and standards, in some form of consortium. Producing such a structure, which incorporates expertise in the measurement of technological, economic and geopolitical risk, may be a preferable alternative to regulation that is unable to adapt as quickly as those who threaten us will certainly continue to do.