Funding, Preparation and Culture Keys to Securing Critical Infrastructure and Systems
In Washington, D.C., the Trump administration’s focus on infrastructure investment has gained growing attention in the energy sector and intensified dialogue about how these assets are protected from both cyber and physical attack. To get a better sense of the risk environment, the administration issued an executive order in May mandating an assessment of the country’s resilience against cyber attacks.
In August, the National Infrastructure Advisory Council (NIAC) also released a report on urgent cyber threats to high-risk assets in the public and private sectors. The report found that cybersecurity was “the sole arena where private companies are the front line of defense in a nation-state attack on U.S. infrastructure.” Despite these findings and recent high-profile events like the Equifax data breach, only a minority of natural gas industry organizations seem to be evaluating their cyber risk exposure and identifying where vulnerabilities exist within their systems.
Survey responses from the 2017 Strategic Directions: Natural Gas Industry Report suggest that a root cause of inadequate preparedness for risks may be insufficient funding for physical and cybersecurity initiatives. In fact, results reveal that approximately 65 percent of respondents either don’t know how much money is being earmarked or are allocating less than $1 million annually to fund security programs.
The fact that more than one-third of survey respondents indicated they don’t know how much financial investment is dedicated to security programs suggests that, in general, natural gas professionals may not see security as a priority.
A new report from Deloitte found that the oil and gas sector was the second-most targeted industry for cyber attacks, with nearly three-quarters of U.S. companies subjected to at least one incident in the past year alone. To more fully grasp the risk to assets and systems, risk and vulnerability assessments should be conducted regularly to identify which system areas are more susceptible to intrusion. These assessments could help natural gas providers see the impact of a security-related incident on their systems and make the business case for implementing a comprehensive security risk framework.
These frameworks also enable natural gas industry organizations to meet and maintain compliance with evolving regulatory requirements such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, recommended by NIAC as a standard requirement.
Creating a Risk-Aware Workplace Culture
Regardless of funding or regulatory requirements, the lack of a workplace culture focused on preventing cyber incidents may be another reason why the natural gas sector appears to be lagging behind similar efforts being applied in the power and water industries, among others. Challenges such as executive engagement, organizational resistance or hefty time requirements for training also could be barriers to implementing comprehensive programs. To create a more risk-aware culture, executive leadership should not only consider increasing security investment but also infuse security-related initiatives with culture-changing activities.
Exercises to simulate environmental, cyber or physical attacks can help professionals better understand the ramifications of an incident. Survey results show that in the last year only one-third of respondents participated in an exercise that simulated an environmental, cyber attack or physical attack. Further, of the respondents who participated in a security exercise, more than half disclosed the level of simulation was primarily tabletop and not a real-world business continuity and disaster recovery incident.
While it is promising to see a growing number of natural gas professionals participating in some form of simulation, it would be a significantly more impactful and interactive learning experience to conduct real-world simulations better depicting the gravity of an event and appropriate measures professionals should take in real time.
An important consideration for these exercises is addressing how technology is handled by different employee demographic groups. While today’s younger professionals tend to be more proficient using technology, the same may not be true for those nearing retirement. These differences should be taken into account when planning training programs. Overall, engaging employees in varying roles and levels of experience in collaborative activities helps reinforce a risk-averse culture.
More Data, More Problems
The increasing frequency of cyber attacks signals that deploying robust security programs is becoming vital to the prevention of service disruptions and negative network impacts. Natural gas professionals must increase their efforts to protect critical infrastructure, operating systems and customer data.
While many of this year’s industry respondents may be undervaluing and underfunding physical security and cybersecurity programs, proactive planning and establishing a risk-averse corporate culture can help organizations effectively manage threats and secure buy-in for future security program funding. The current administration’s commitment to bolstering critical infrastructure does not seem to be abating any time soon, furthering the need for more comprehensive security systems that protect consumers and natural gas industry assets, data and operations.