Cybersecurity Comprehensive Data Protection Management Services for the Oil and Natural Gas Sector
Overview
Cybersecurity can be overwhelming for critical infrastructure owners. Without a tiered, affordable approach to
confronting the risk and threats that are faced, security plans become too resource intensive, expensive or exhausting to
implement.
At its core, a common framework complements an organization’s risk management process. The five core functions
(Identify, Protect, Detect, Respond, Recover) simplify the process of taking an in-depth approach to cybersecurity.
Subcategories that further divide technical or management activities help prioritize your cybersecurity plans. A
program that implements security tools, techniques and services under a framework that starts with becoming more
risk-informed and grows into repeatable and adaptable processes is likely to encourage critical infrastructure owners
to subscribe to a secure managed security service.
The Energy Sector is one of the 18 critical infrastructure sectors and key resources established by Homeland Security
Presidential Directive-7 (“National Infrastructure Protection Plan,” 1). It consists of three segments: electricity,
petroleum, and natural gas. Presidential Policy Directive (PPD)-21, “Critical Infrastructure Security and Resilience,” has
identified the Energy Sector as being “uniquely critical due to the enabling functions it provides across all critical
infrastructure sectors” (PPD-21, 2013). This white paper focuses on cybersecurity and information privacy protection as it
applies to the petroleum (hereafter referred to as “oil”) and natural gas segments.
Oil and Natural Gas: A Summary
Oil: The oil segment consists of the exploration, production, storage, transport and refinement of crude oil. It includes
over 525,000 crude producing wells, 30,000 miles of gathering pipelines, and 51,000 miles of crude oil pipeline (“National
Infrastructure Protection Plan,” 2013). It also includes 150 operable petroleum refineries, 116,000 miles of product
pipeline and 1,400 petroleum terminals (“National Infrastructure Protection Plan,” 2). This segment is heavily dependent
on industrial control and other information technology systems to manage its production and distribution processes.
Natural Gas: The natural gas segment consists of the production, piping, storage and distribution of liquefied natural gas
(LNG) in the US. There are more than 478,562 natural gas production and condensate wells and 20,215 miles of gathering
pipelines (“National Infrastructure Protection Plan,” 2). There are over 500 operable natural gas processing plants and 319,208
miles of interstate and intrastate natural gas transmission pipelines (“National Infrastructure Protection Plan,” 2). There are
over 401 underground natural gas storage fields and another 109 LNG peaking facilities. The US natural gas segment
uses over 1,200,000 miles of distribution pipelines that distribute natural gas to businesses and homes in the US.
Oil and Natural Gas: A Significant Cyber Target
Nation-states, non-state actors, and other cyber adversaries view the oil and natural gas segments as lucrative targets for
numerous reasons. Cyber adversaries are specifically targeting this sector because of the sensitive personal data held on
its computer networks, such as clients’ and employees’ personal details, email addresses, billing and shipping addresses,
phone numbers, passwords and bank details (Nick Gibbons, 2013). These adversaries pose significant threats to the oil and
natural gas sector, as well as to the US’s economic security and national security interests (Clayton & Segal, 2013). Of
note, the primary and increasing cyber threats to the entire energy sector remain the theft of trade secrets, research and
development data, and confidential information (Nick Gibbons, 2013).
The increasing sophistication and destructiveness of cyber-attacks against the oil and natural gas sector have made it
extremely difficult for cybersecurity and sector experts to detect, deter, and prevent attacks and to protect their critical
assets from compromise and exploitation. Cyber adversaries targeted the energy sector, including oil and gas producers, with
more targeted malware attacks in 2012 than any other sector (Clayton & Segal, 2013). Energy companies were targeted in 41
percent of the malware attack cases reported to the DHS Industrial Control System Team in 2012 (Clayton & Segal, 2013).
Cyber-attacks against third-party vendors and business partners expose oil and natural gas sector companies to additional
threats to their critical assets and core operational processes. Companies should conduct assessments and review their
contracts to ensure their third-party vendors and partners have adequate cybersecurity processes in place (Bender, 2014).
Companies should also develop customized, comprehensive cyber risk management approaches that protect them from
cyber-attacks while operating abroad (Bender, 2014). Finally, oil and natural gas companies should realize that their use of
cloud services technology will place them at greater risk from cyber-attacks attempting to exploit critical research and
development data and intellectual property (Bender, 2014).
The Baker Institute (2013) categorized the primary cyber threats to the oil and natural gas sector into three groups. The
first group consists of threats to core intellectual property (Bronk and Pridgen, 2013). The second group consists of the
disruption or destruction of a physical plant and other points of capital investment (Bronk and Pridgen, 2013). The third
group consists of the compromise of communications by executive decision-makers regarding key business decisions. A
study conducted by Clayton and Segal (2013) identified similar cyber threat vectors against the oil and natural gas sector.
Clayton and Segal (2013) have categorized current threats to the oil and natural gas sector into two groups. The first
threat grouping consists of cyber adversaries that use cyber espionage to gain access to critical data, such as trade secrets,
long-term strategic plans, tendered bids for new drilling acreage, private negotiations with foreign partners, personally
identifiable information and other data.
The second threat grouping consists of nation-state actors and other cyber adversaries that launch cyber-attacks against the
oil and natural gas sector with the goal of disrupting or destroying operations (Clayton & Segal, 2013).
Since 2012, cyber adversaries have launched the following successful cyber-attacks against the oil and natural gas sector
using the aforementioned threat vectors.


• Cyber adversaries accessed ExxonMobil, ConocoPhillips and Marathon Oil “bid data,” detailing locations, sizes,
  and values of oil deposits globally, by siphoning off email passwords associated with executives who had access to
  proprietary oil exploration and discovery data. Companies were unaware of the data breach’s extent until
  authorities disclosed cyber adversaries had been siphoning email passwords and other critical data associated with
  executives who had access to proprietary oil exploration and discovery information (Zetter, 2010).
• Cyber adversaries used the Shamoon malware to launch a data-destroying attack that erased data on more than
  30,000 hard drives containing oil and natural gas critical data stored on Saudi Aramco’s internal network
  Windows workstations. An insider used a USB drive to upload malware onto the network (Jackson-Higgins,
  2013; Clayton & Segal, 2013; DOE, 2012).
• Cyber adversaries achieved a successful data breach of Telvent’s SCADA to exploit customer project files. The
  intruders broke through the company's firewall earlier this month, infiltrated portions of its network, installed
  malicious software and stole data on customer projects involving a Telvent product called OASyS SCADA
  (Clayton, 2013; Vijayan, 2012).
• The websites and email servers of Qatar’s liquefied natural gas producer RasGas were targeted with malware. The
  attack was similar to the attack against Saudi Aramco’s 30,000 workstations (Jackson-Higgins, 2013; Clayton & Segal, 2013).
• A widespread attack breached oil, energy, and petrochemical companies and harvested confidential information for
  nearly four years before it was discovered (eSentire, 2013).
• The hacktivist group Anonymous attacked five top energy companies, accessing and publishing some 1,000 email
  addresses and passwords (eSentire, 2013).
One of the highest-profile attacks against the oil and gas sector was “Night Dragon”, during which cyber adversaries
targeted five major Western energy companies from 2008-2011. The hackers successfully acquired access to gigabytes of
highly sensitive data that included proprietary information about oil and gas field operations, financial transactions, and
bidding data (Clayton & Segal, 2013).
Security experts believe Night Dragon is only one of several similar attacks, of which oil and gas companies are either
unaware or afraid to disclose publicly for fear of displeasing investors. In 2012, 41 percent of the malicious software
attack cases reported to the Department of Homeland Security Industrial Control System were against energy companies,
including those in the oil and gas sector (Clayton & Segal, 2013).
Oil and Natural Gas Sector Cyber-attack Impacts
Cyber adversaries continue to target the oil and natural gas sector with cyber-attacks. They are increasingly targeting
corporate-level executives to obtain access to their companies’ corporate data, intellectual capital, and other proprietary
information. They have successfully used phishing, spear phishing and other tactics to gain access to this information.
Their ability to circumvent cybersecurity and information privacy management systems has enabled them to achieve the
following sector impacts:

• Compromise of communications by executive decision-makers regarding key business decisions
• Productivity losses
• Legal losses
• Intellectual property losses
• Investment losses
• Operational losses
• Loss of personally identifiable information (PII)

Many oil and natural gas sector companies still believe they should invest solely in technological cybersecurity solutions
to protect their critical assets, namely sensitive business data and PII. These technological solutions, while somewhat
effective, lack the ability to provide the full-spectrum, comprehensive data protection management services necessary to
detect, deter, and prevent cyber-attacks and data breaches and to protect critical assets from them (eSentire, 2013). Chenega
Logistics (CL) and Carpe Diem Strategic Services (CDSS) offer oil and natural gas sector companies cybersecurity
data protection management services that include cybersecurity risk assessments, information security assessments,
privacy impact assessments, privacy risk assessments, security assessments and authorization evaluations, third-party
audits, and vulnerability assessments.
What Can the Oil and Natural Gas Sector Do to Reverse the Trend?
Effective comprehensive data protection management consists of managing data from its initial creation or collection
throughout the privacy operations lifecycle, which concludes with its eventual archiving or destruction. The challenge for
oil and natural gas executives is managing the tremendous volume of data that is created and/or collected, with the most
effective information system infrastructure available. CL and CDSS can help apply a deliberate planning process to your
information life cycle and tailor a solution to your specific needs. Additionally, they can meet your information privacy,
network and technical infrastructure needs through the entire life cycle.
The CL Secure Cloud delivers the cost-efficiencies, convenience and simplicity of the virtual environment, along with the
power, performance predictability and certifications of a strong enterprise.
Oil and natural gas sector leaders have the ability to develop and implement strategies to lower their exposure to
cybersecurity risks, threats, and vulnerabilities. They should consider implementing the following actions to mitigate the
negative impacts of cyber-attacks against their information privacy and information security management systems:

• Develop and implement an effective information privacy management program to minimize your exposure to
  unnecessary compromise, exploitation, and risk.
• Conduct extensive data inventories to identify where your critical data and PII exist within your networks.
• Classify your data to determine where to make informed investments in information security to safeguard data
  from compromise and exploitation.
• Conduct privacy assessments to ensure you are compliant with federal, state, and international privacy laws and
  corporate privacy policies.
• Develop effective remediation strategies that minimize the negative impacts of data breaches on your business’s
  investments, legal standing, operations, and reputation.

CL and CDSS are experienced and trusted companies that are well positioned to assist their potential oil and natural gas
customers in accomplishing the aforementioned objectives.
Why CL and CDSS?
CL is a sector leader in developing innovative, tailored cybersecurity solutions. CDSS is an expert in information privacy
management services. They have partnered to provide the oil and natural gas sector with optimal comprehensive cyber
security data protection management services.
Figure 1 depicts their comprehensive data protection management framework:
Figure 1: Comprehensive Data Protection Management Framework
They possess the following backgrounds and core competencies:
CL delivers the next generation of Security Intelligence & Analytics (SIA). Our core capabilities use data-science and
cutting-edge technology to give our customers real-time visibility across their digital domains and our ecosystem of
applications use that insight to solve a wide array of security problems.
We offer a full end-to-end solution including a reconnaissance service to map network exposure, aggregate host and
network data, as well as services that will provide actionable reports from the data. Our reconnaissance service provides
visualization and analysis of Internet crawl data for comprehensive network discovery and defensive awareness. Centered
on a global view of Internet-facing assets, the reconnaissance application provides comprehensive infrastructure analysis
through an intuitive web interface, allowing analysts to target problem areas with just a few clicks.
Another advanced data collection and control service allows an operator to deploy, maintain, and task sensors through a
unified web-based interface. Built around a scalable and modular model, this application visualizes and controls hundreds,
or even thousands, of sensors in the field, ingesting system events, host scans, and network scans into a single faceted
search interface for comprehensive visibility.
By leveraging economies of scale and secure managed services in the cloud, CL offers cybersecurity services at a low,
affordable price. A commercial service model (e.g., Managed Security Services - MSS), in which the latest tools and
software are available through a hosted and shared service, is best suited to meet oil and gas cybersecurity
needs. The MSS suite of security products and tools can be appropriately tuned to a level of protection correlated against
business risk, without imposing costly development and operational expenses.
CDSS principals have over 60 years of experience as senior intelligence officers with unique experiences and skills in the
acquisition, analysis, assessments, auditing, classification, dissemination, exploitation, processing, safeguarding, storage
and destruction of PII. Because of their intelligence officer experiences working at some of the highest levels of the
intelligence community, they understand the ramifications of the intentional and unintentional disclosure of sensitive
information to entities without a legitimate need-to-know.
CDSS will use these experiences and skills to develop a unique information privacy protection management philosophy
that provides its customers with similar abilities to protect their corporate and customer personally identifiable
information and other critical data from compromise and exploitation. CDSS’s approach to information privacy has been
to arm its personnel with International Association of Privacy Professionals (IAPP) certifications, the gold standard for
privacy professionals. IAPP certifications provide them with extensive and in-depth knowledge of US domestic and
international laws, directives, and regulations that govern their collection, use, storage, protection, and destruction of
personally identifiable information. These international certifications include:




• The IAPP CIPM designation shows that you understand the “how” of privacy. It demonstrates an understanding of
  privacy program governance and the skills necessary to establish, maintain and manage a privacy program across
  all stages of its operational life cycle. Launched in 2013, the CIPM demonstrates an evolution in the privacy
  sector. It is the first and only certification in privacy program management, developed in response to
  overwhelming demand to collect and collate common practices for managing privacy operations.
• IAPP CIPP US Private Sector demonstrates a strong foundation in U.S. privacy laws and regulations and
  understanding of the legal requirements for the responsible transfer of sensitive personal data to/from the United
  States, the European Union and other jurisdictions.
• IAPP CIPP US Government (G) is the first publicly available privacy certification designed for employees of U.S.
  federal, state, county and local government agencies. It also is available to vendors, suppliers and consultants who
  serve government clients. The CIPP/G addresses U.S. government privacy laws, regulations and policies specific
  to government practice as well as those more broadly applicable to the public and private sectors in the U.S. It
  also covers U.S. government-standard practices for privacy program development and management, privacy
  compliance and auditing, records management and agency reporting obligations for privacy.
• IAPP CIPP Information Technology (IT) - The CIPT is the first global privacy certification for IT practitioners. It
  assesses understanding of privacy and data protection practices in the development, engineering, deployment and
  auditing of IT products and services. The CIPT certifies individuals in their knowledge of privacy-related issues
  and practices in the context of the design and implementation of information and communication technologies.

CL and CDSS provide their potential oil and natural gas sector customers with the following services:
CL offers: By utilizing our managed security model and the techniques and tools that large organizations use, critical
infrastructure owners can take advantage of sophisticated defense mechanisms that would not normally be feasible due to
resource constraints. This would include solutions such as continuous diagnostics and mitigation, intrusion detection and
prevention, as well as monitoring and alerting. For example, a small business that relies on an e-commerce website for
financial transactions could be vulnerable to a denial of service attack from any number of threat actors. With a
cloud-based firewall, monitoring and filtering service, critical infrastructure owners could subscribe to services that
routinely prevent these types of attacks, effectively sitting behind a highly available shield that filters out inappropriate
traffic, monitors the health and status of the site and discourages or prevents malicious activity. When more and more
critical infrastructure owners sign up for this service, economies of scale are leveraged to provide it at an extremely low
cost per customer while achieving highly effective results.
CDSS provides information privacy consulting to businesses who collect, use, share, store, destroy and/or retain PII and
CI and who require dedicated and expert information privacy management products and services. It also provides the
following additional services:

• Inventory: Properly identifying & classifying the personal & sensitive information your organization handles.
• Processes: Define privacy processes & program guidelines to determine the appropriate level of network and data
  protection.
• Compliance: We provide privacy assessments, audits, & privacy impact assessments to ensure your compliance
  with laws.
• Strategy Development: Develop information privacy management strategies to reduce your exposure to unnecessary
  risk.
• Remediation: We develop effective remediation strategies to minimize the negative impacts on your business’s
  bottom line.
• Cybersecurity Liability Insurance Privacy Risk Assessments: Conduct privacy risk assessments as part of the
  cybersecurity liability insurance underwriting process.
• Managed Services: Provide privacy officer services offering cost-effective, on-demand program expertise and
  experience.

CL-CDSS “Cybersecurity Comprehensive Data Protection Management Model”
CL and CDSS have developed a comprehensive data protection management model to support critical infrastructure and
key resources customers, particularly in the oil and natural gas sector. This six-step process assists customers in applying
sophisticated, cutting-edge cybersecurity solutions, and employs incredibly advanced security engineers to implement
affordable and compliant cybersecurity framework managed services. These services focus
on Identification, Protection and Detection. To address possible advanced persistent threat, insider-threat, and highly
motivated adversary scenarios, our capabilities expand beyond reactive, rule-based alerts to focus instead on
comprehensive awareness of current activity, and the ability to observe, analyze, and identify deviations from the
baseline, for both individual entities and groups.
Our services will create a comprehensive operating picture of the health and activity of users, devices, and services. Data
models create baselines of normal behavior that can identify and quantify anomalous behavior, learning over time to
better segregate suspicious activity.
We also use a modified privacy operational lifecycle to continuously monitor and improve the comprehensive data
protection model’s ability to perform the following functions: inventory and categorize, evaluate, assess risk, design
solutions, educate and train, and audit and monitor. Figure 2 depicts the functions and subfunctions of the CL-CDSS
“Comprehensive Data Protection Management Model.”
Figure 2: Cybersecurity Comprehensive Data Protection Management Model