Oil and gas exploration is a complex field, involving producers, intent on discovering and extracting, and service providers, who develop new and innovative technologies to facilitate this extraction of untapped and increasingly unconventional reserves. But what both have in common is a wealth of intellectual property which needs to be protected but which is also increasingly vulnerable to attack.
Officially, O&G producers rely on registering their IP as trade secrets, while service companies file patents to protect their techniques and technologies. In the UK alone the number of patents issued in the O&G sector doubled between 2005 and 2010. But what about unofficially? In the cut and thrust of oil and gas exploration, where competition over new frontiers such as deepwater and shale oil, and conflict over Arctic assets, already run high, how do you prevent competitors and even nation states from accessing IP?
Protecting IP data has never been more problematic. There is increasing pressure from the falling cost per barrel of oil, which intensifies competition for discovery and extraction; there are geopolitical influences such as trade embargoes on Russia and instability in the Middle East; there are environmentalists and hacktivists; and added to this are changes in working practices.
The latter may sound inconsequential, but the mobility of data, enabling its use in the field, and the advent of the Internet of Things (IoT), which will see sensors used to monitor and control the physical process of extraction itself, will together increase the attack surface of the business exponentially.
But where is the evidence for this threat? According to ‘The Global State of Information Security Survey 2016’ produced by PwC, the oil and gas sector reported more cybersecurity incidents, on average, than any other industry, with a 93 percent increase in information security compromises during 2015. The same survey found that theft of hard IP was up 60 percent during the same period. Oil and gas producers are taking steps to address this, with 90 percent adopting a risk-based security framework such as ISO 27001 or the NIST Cybersecurity Framework.
However, only just over half (62 percent) were actively monitoring and analysing security intelligence. What is the quality of that threat intelligence? If we look at a piece of research from Ernst & Young conducted in 2015, we find that 61 percent of O&G organisations believe it is unlikely or highly unlikely that they would be able to detect a sophisticated attack. Nearly a third (29 percent) had no real-time insight into cyber threats. Only 13 percent believe that their information security function is fully meeting their needs.
This research suggests that, while some O&G organisations are carrying out intelligence gathering, very few have access to real-time feeds or any real faith that this monitoring will detect an imminent attack. Why? Because this is a passive rather than a proactive form of threat intelligence. The emphasis is still very much on defence rather than threat hunting. For example, is the producer monitoring unconventional networks for evidence of organised criminal attacks? Is it monitoring social media, forums and the dark web not only for company references but also for company passwords? Is it cross-referencing the data being trawled with geopolitical influences or competitor activity?
This type of monitoring, covering both the organisation's own networks and resources and external, dynamic web sources, is possible using a next-generation Security Operations Centre (SOC). The SOC can use a variety of algorithms to search plain-view and hidden web sources and, applying specific criteria, detect possible instances of data leakage or evidence of an impending attack. It looks for patterns which indicate anomalous behaviour and, using machine learning, can learn over time to further improve detection. This means the SOC effectively evolves in line with the threats themselves: it examines numerous variables, web chatter and variations, enabling it to spot mutations of previous malware, for example, or to predict the potential for a DDoS attack.
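The external-source monitoring described above, as an added illustration that is not code from this article or from Auriga: it grades a constructed feed of forum, paste-site and social media captures by whether they merely mention a hypothetical producer, enumerate its staff accounts, or expose credential pairs for them. The company name and domain are assumptions.

```python
import re
from dataclasses import dataclass, field

# Hypothetical producer being monitored (constructed values, not from the article)
COMPANY_DOMAIN = "example-oilco.test"
COMPANY_NAMES = ("ExampleOilCo", "Example Oil Company")

# An address at the monitored domain, optionally followed by ':' or ';' and a secret,
# which is the layout of a leaked "combo list" of credentials
EMAIL_RE = re.compile(r"[\w.+-]+@" + re.escape(COMPANY_DOMAIN), re.IGNORECASE)
CRED_RE = re.compile(EMAIL_RE.pattern + r"[:;]\S+", re.IGNORECASE)

@dataclass
class Finding:
    source: str
    level: str                      # "info", "high" or "critical"
    accounts: list = field(default_factory=list)

def scan_post(source: str, text: str):
    """Grade one external post; returns None when it is not about the company."""
    creds = CRED_RE.findall(text)
    if creds:
        # Exposed credential pairs: record the accounts to reset, never the secrets,
        # so the alert itself does not become a second copy of the leak
        accounts = sorted({EMAIL_RE.search(c).group(0).lower() for c in creds})
        return Finding(source, "critical", accounts)
    emails = EMAIL_RE.findall(text)
    if emails:
        # Account enumeration (e.g. a staff list offered for sale) without secrets
        return Finding(source, "high", sorted({e.lower() for e in emails}))
    if any(name.lower() in text.lower() for name in COMPANY_NAMES):
        return Finding(source, "info")    # plain company reference, worth logging
    return None

def triage(feed):
    """Run scan_post over (source, text) pairs and keep only the hits."""
    return [f for f in (scan_post(s, t) for s, t in feed) if f is not None]

# Constructed sample feed standing in for forum, paste-site and social media captures
SAMPLE_FEED = [
    ("paste-site", "combo list\nj.smith@Example-OilCo.test:Winter2015!\n"
                   "ops.user@example-oilco.test;hunter2\n"),
    ("forum", "anyone have contacts at ExampleOilCo? their deepwater team is hiring"),
    ("forum", "staff list for sale: a.brown@example-oilco.test, c.lee@example-oilco.test"),
    ("social", "great drilling results reported this quarter"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FEED):
        print(finding.level.upper(), finding.source, ", ".join(finding.accounts))
```

A "critical" finding is the trigger for forced password resets on the listed accounts; "high" findings feed the watch list for phishing against those addresses.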
Protecting IP has always been important in the O&G sector, but the stakes are now considerably higher. With a multiplicity of motivated attackers seeking to conduct corporate espionage, disrupt activities or destabilise regions, the proliferation of access points created by in-the-field access, and the roll-out of automated machine-to-machine sensors and nodes associated with IoT, the need to invest in real-time threat intelligence has never been more compelling.
James Parry is a technical director for Auriga.