Cybersecurity Comprehensive Data Protection Management Services for the Oil and Natural Gas Sector

Overview

Cybersecurity can be overwhelming for critical infrastructure owners. Without a tiered, affordable approach to confronting the risks and threats they face, security plans become too resource intensive, expensive or exhausting to implement. At its core, a common framework complements an organization’s risk management process. The five core functions (Identify, Protect, Detect, Respond, Recover) simplify the process of an in-depth approach to cybersecurity. Subcategories that further divide technical or management activities help prioritize your cybersecurity plans. By subscribing to a program that implements security tools, techniques and services that follow a framework that starts with being more risk informed and grows to repeatable and adaptable processes, critical infrastructure owners will likely be more encouraged to subscribe to a secure managed security service.

The Energy Sector is one of the 18 critical infrastructure sectors and key resources established by Homeland Security Presidential Directive-7 (“National Infrastructure Protection Plan,” 1). It consists of three segments: electricity, petroleum, and natural gas. Presidential Policy Directive (PPD)-21, “Critical Infrastructure Security and Resilience,” has identified the Energy Sector as being “uniquely critical due to the enabling functions it provides across all critical infrastructure sectors” (PPD-21, 2013). This white paper focuses on cybersecurity and information privacy protection as it applies to the petroleum (hereafter referred to as “oil”) and natural gas segments.

Oil and Natural Gas: A Summary

Oil

The oil segment consists of the exploration, production, storage, transport and refinement of crude oil. It consists of over 525,000 crude producing wells, 30,000 miles of gathering pipelines, and 51,000 miles of crude oil pipeline (“National Infrastructure Protection Plan,” 2013).
It also consists of 150 operable petroleum refineries, 116,000 miles of product pipeline and 1,400 petroleum terminals (“National Infrastructure Protection Plan,” 2). This segment is heavily dependent on industrial control and other information technology systems to manage its production and distribution processes.

Natural Gas

The natural gas segment consists of the production, piping, storage and distribution of liquefied natural gas (LNG) in the US. There are more than 478,562 natural gas production and condensate wells and 20,215 miles of gathering pipelines (“National Infrastructure Protection Plan,” 2). There are over 500 operable natural gas processing plants and 319,208 miles of interstate and intrastate natural gas transmission pipelines (“National Infrastructure Protection Plan,” 2). There are over 401 underground natural gas storage fields and another 109 LNG peaking facilities. The US natural gas segment uses over 1,200,000 miles of distribution pipelines that distribute natural gas to businesses and homes in the US.

Oil and Natural Gas: A Significant Cyber Target

Nation-states, non-state actors, and other cyber adversaries view the oil and natural gas segments as lucrative targets for numerous reasons. Cyber adversaries are specifically targeting this sector because of the sensitive personal data on its computer networks, such as clients’ and employees’ personal details, email addresses, billing and shipping addresses, phone numbers, passwords and bank details (Nick Gibbons, 2013). They pose significant threats to the oil and natural gas sector, as well as to the US’s economic security and national security interests (Clayton & Segal, 2013). Of note, the increasing primary cyber threats to the entire energy sector remain theft of trade secrets, research and development data, and confidential information (Nick Gibbons, 2013).
The increasing sophistication and destructiveness of cyber-attacks against the oil and natural gas sector have made it extremely difficult for cybersecurity and sector experts to detect, deter, prevent, and protect their critical assets from compromise and exploitation. Cyber adversaries targeted the energy sector, including oil and gas producers, with more targeted malware attacks in 2012 than any other sector (Clayton & Segal, 2013). Energy companies were targeted in 41 percent of the malware attack cases reported to the DHS Industrial Control System Team in 2012 (Clayton & Segal, 2013).

Cyber-attacks against third-party vendors and business partners expose oil and natural gas sector companies to additional threats to their critical assets and core operational processes. Companies should conduct assessments and review their contracts to ensure their third-party vendors and partners have adequate cybersecurity processes in place (Bender, 2014). Companies should also develop customized comprehensive cyber risk management approaches that protect them from cyberattacks while operating abroad (Bender, 2014). Finally, oil and natural gas companies should realize that their use of cloud services technology will place them at greater risk from cyber-attacks attempting to exploit critical research and development data and intellectual property (Bender, 2014).

The Baker Institute (2013) categorized the primary cyber threats to the oil and natural gas sector into three groups. The first group consists of threats of core intellectual property (Bronk and Pridgen, 2013). The second group consists of the distribution or destruction of a physical plant and other points of capital investment (Bronk and Pridgen, 2013). The third group consists of the compromise of communications by executive decision-makers regarding key business decisions.

A study conducted by Clayton and Segal (2013) identified similar cyber threat vectors against the oil and natural gas sector.
Clayton and Segal (2013) have categorized current threats to the oil and natural gas sector into two groups. The first threat grouping consists of cyber adversaries that use cyber espionage to gain access to critical data, such as trade secrets, long-term strategic plans, new drillage acreage tendered bids, private negotiations with foreign partners, personally identifiable information and other data. The second threat grouping consists of nation-state actors and other cyber adversaries that launch cyber-attacks against the oil and natural gas sector with the goal of disrupting or destroying operations (Clayton & Segal, 2013).

Since 2012, cyber adversaries have launched the following successful cyber-attacks against the oil and natural gas sector using the aforementioned threat vectors.

Cyber adversaries accessed ExxonMobil, ConocoPhillips and Marathon Oil “bid data,” detailing the locations, sizes, and values of oil deposits globally, by siphoning off email passwords associated with executives who had access to proprietary oil exploration and discovery data. Companies were unaware of the data breach’s extent until authorities disclosed that cyber adversaries had been siphoning email passwords and other critical data associated with executives who had access to proprietary oil exploration and discovery information (Zetter, 2010).

Cyber adversaries used the Shamoon malware to launch a data-destroying attack that erased data on more than 30,000 hard drives containing oil and natural gas critical data stored on Saudi Aramco’s internal network Windows workstations. The insider used a USB drive to upload malware onto the network (Jackson-Higgins, 2013; Clayton & Segal, 2013; DOE, 2012).

Cyber adversaries achieved a successful data breach of Telvent’s SCADA to exploit customer project files.
The intruders broke through the company's firewall earlier this month, infiltrated portions of its network, installed malicious software and stole data on customer projects involving a Telvent product called OASyS SCADA (Clayton, 2013; Vijayan, 2012).

Qatar’s liquefied natural gas producer RasGas had its websites and email servers targeted with malware, in an attack similar to the attack against Saudi Aramco’s 30,000 workstations (Jackson-Higgins, 2013; Clayton & Segal, 2013).

A widespread attack breached oil, energy, and petrochemical companies and harvested confidential information for nearly four years before it was discovered (Esentire, 2013).

The hacktivist group Anonymous attacked five top energy companies, accessing and publishing some 1,000 email addresses and passwords (Esentire, 2013).

One of the highest profile attacks against the oil and gas sector was “Night Dragon”, during which cyber adversaries targeted five major Western energy companies from 2008-2011. The hackers successfully acquired access to gigabytes of highly sensitive data that included proprietary information about oil and gas field operations, financial transactions, and bidding data (Clayton & Segal, 2013). Security experts believe Night Dragon is only one of several similar attacks, of which oil and gas companies are either unaware or afraid to disclose publicly for fear of displeasing investors.

In 2012, 41 percent of the malicious software attack cases reported to the Department of Homeland Security Industrial Control System were against energy companies, including those in the oil and gas sector (Clayton & Segal, 2013).

Oil and Natural Gas Sector Cyber-attack Impacts

Cyber adversaries continue to target the oil and natural gas sector with cyber-attacks.
They are increasingly targeting corporate-level executives to obtain access to their companies’ corporate data, intellectual capital, and other proprietary information. They have successfully used phishing, spear phishing and other tactics to gain access to this information. Their ability to circumvent cybersecurity and information privacy management systems has enabled them to achieve the following sector impacts:

Compromise of communications by executive decision-makers regarding key business decisions
Productivity losses
Legal losses
Intellectual property losses
Investment losses
Operational losses
Loss of personally identifiable information (PII)

Many oil and natural gas sector companies still believe they should invest solely in technological cybersecurity solutions to protect their critical assets, namely sensitive business data and PII. These technological solutions, while somewhat effective, lack the ability to provide the full-spectrum, comprehensive data protection management services necessary to detect, deter, prevent, and protect their critical assets from cyber-attacks and data breaches (Esentire, 2013). Chenega Logistics (CL) and Carpe Diem Strategic Services (CDSS) offer oil and natural gas sector companies cybersecurity data protection management services that include cybersecurity risk assessments, information security assessments, privacy impact assessments, privacy risk assessments, security assessments and authorization evaluations, third-party audits, and vulnerability assessments.

What Can the Oil and Natural Gas Sector Do to Reverse the Trend?

Effective comprehensive data protection management consists of managing data from its initial creation or collection throughout the privacy operations lifecycle, which concludes with its eventual archiving or destruction.
The challenge for oil and natural gas executives is managing the tremendous volume of data that is created and/or collected, with the most effective information system infrastructure available. CL and CDSS can help apply a deliberate planning process to your information life cycle and tailor a solution to your specific needs. Additionally, they can meet your information privacy, network and technical infrastructure needs through the entire life cycle. The CL Secure Cloud delivers the cost-efficiencies, convenience and simplicity of the virtual environment, along with the power, performance predictability and certifications of a strong enterprise.

Oil and natural gas sector leaders have the ability to develop and implement strategies to lower their exposure to cybersecurity risks, threats, and vulnerabilities. They should consider implementing the following actions to mitigate the negative impacts of cyber-attacks against their information privacy and information security management systems:

Develop and implement an effective information privacy management program to minimize your exposure to unnecessary compromise, exploitation, and risk.
Conduct extensive data inventories to identify where your critical data and PII exist within your networks.
Classify your data to determine where to make informed investments in information security to safeguard data from compromise and exploitation.
Conduct privacy assessments to ensure you are compliant with Federal, State, and international privacy laws and corporate privacy policies.
Develop effective remediation strategies that minimize the negative impacts of data breaches on your business’s investments, legal standing, operations, and reputation.

CL and CDSS are experienced and trusted companies that are well positioned to assist their potential oil and natural gas customers in accomplishing the aforementioned objectives.

Why CL and CDSS?

CL is a sector leader in developing innovative, tailored cybersecurity solutions.
CDSS is an expert in information privacy management services. They have partnered to provide the oil and natural gas sector with optimal comprehensive cyber security data protection management services. Figure 1 depicts their comprehensive data protection management framework:

Figure 1: Comprehensive Data Protection Management Framework

They possess the following backgrounds and core competencies:

CL delivers the next generation of Security Intelligence & Analytics (SIA). Our core capabilities use data science and cutting-edge technology to give our customers real-time visibility across their digital domains, and our ecosystem of applications uses that insight to solve a wide array of security problems. We offer a full end-to-end solution including a reconnaissance service to map network exposure, aggregate host and network data, as well as services that will provide actionable reports from the data.

Our reconnaissance service provides visualization and analysis of Internet crawl data for comprehensive network discovery and defensive awareness. Centered on a global view of Internet-facing assets, the reconnaissance application provides comprehensive infrastructure analysis through an intuitive web interface, allowing analysts to target problem areas with just a few clicks.

Another advanced data collection and control service allows an operator to deploy, maintain, and task sensors through a unified web-based interface. Built around a scalable and modular model, this application visualizes and controls hundreds, or even thousands, of sensors in the field, ingesting system events, host scans, and network scans into a single faceted search interface for comprehensive visibility.

By leveraging economies of scale and secure managed services in the cloud, CL offers cybersecurity services at a low, affordable price.
A commercial service model (e.g., Managed Security Services - MSS) in which the latest tools and software are available through a hosted and shared service is best suited to meet the Oil and Gas Cyber Security needs. The MSS suite of security products and tools can be appropriately tuned to a level of protection correlated against business risk, without imposing costly development and operational expenses.

CDSS principals have over 60 years of experience as senior intelligence officers with unique experiences and skills in the acquisition, analysis, assessments, auditing, classification, dissemination, exploitation, processing, safeguarding, storage and destruction of PII. Because of their intelligence officer experiences working at some of the highest levels of the intelligence community, they understand the ramifications of the intentional and unintentional disclosure of sensitive information to entities without a legitimate need-to-know. CDSS will use these experiences and skills to develop a unique information privacy protection management philosophy that provides its customers with similar abilities to protect their corporate and customer personally identifiable information and other critical data from compromise and exploitation.

CDSS’s approach to information privacy has been to arm its personnel with International Association of Privacy Professionals (IAPP) certifications, the gold standard for privacy professionals. IAPP certifications provide them with extensive and in-depth knowledge of US domestic and international laws, directives, and regulations that govern their collection, use, storage, protection, and destruction of personally identifiable information. These international certifications include:

IAPP CIPM designation shows that you understand the “how” of privacy.
It demonstrates an understanding of privacy program governance and the skills necessary to establish, maintain and manage a privacy program across all stages of its operational life cycle. Launched in 2013, the CIPM demonstrates an evolution in the privacy sector. It is the first and only certification in privacy program management, developed in response to overwhelming demand to collect and collate common practices for managing privacy operations.

IAPP CIPP US Private Sector demonstrates a strong foundation in U.S. privacy laws and regulations and understanding of the legal requirements for the responsible transfer of sensitive personal data to/from the United States, the European Union and other jurisdictions.

IAPP CIPP US Government (G) is the first publicly available privacy certification designed for employees of U.S. federal, state, county and local government agencies. It also is available to vendors, suppliers and consultants who serve government clients. The CIPP/G addresses U.S. government privacy laws, regulations and policies specific to government practice as well as those more broadly applicable to the public and private sectors in the U.S. It also covers U.S. government-standard practices for privacy program development and management, privacy compliance and auditing, records management and agency reporting obligations for privacy.

IAPP CIPP Information Technology (IT) - The CIPT is the first global privacy certification for IT practitioners. It assesses understanding of privacy and data protection practices in the development, engineering, deployment and auditing of IT products and services. The CIPT certifies individuals in their knowledge of privacy-related issues and practices in the context of the design and implementation of information and communication technologies.
CL and CDSS provide their potential oil and natural gas sector customers with the following services:

CL offers:

By utilizing our managed security model, techniques and tools that large organizations use, Critical Infrastructure owners can take advantage of sophisticated defense mechanisms that would not normally be feasible due to resource constraints. This would include solutions such as continuous diagnostics and mitigation, intrusion detection and prevention, as well as monitoring and alerting. For example, a small business that relies on an e-commerce website for financial transactions could be vulnerable to a denial of service attack from any number of threat actors. With a cloud based firewall, monitoring and filtering service, the Critical Infrastructure owners could subscribe to services that routinely prevent these types of attacks, effectively sitting behind a highly available shield that filters out inappropriate traffic, monitors the health and status of the site and discourages or prevents malicious activity. When more and more critical infrastructure owners sign up for this service, economies of scale are leveraged to provide it at an extremely low cost per customer while achieving highly effective results.

CDSS provides information privacy consulting to businesses that collect, use, share, store, destroy and/or retain PII and CI and that require dedicated and expert information privacy management products and services. It also provides the following additional services:

Inventory: Properly identifying & classifying the personal & sensitive information your organization handles.
Processes: Define privacy processes & program guidelines to determine the appropriate level of network and data protection.
Compliance: We provide privacy assessments, audits, & privacy impact assessments to ensure your compliance with laws.
Strategy Development: Develop information privacy management strategies to reduce your exposure to unnecessary risk.
Remediation: We develop effective remediation strategies to minimize the negative impacts on your business’s bottom line.
Cybersecurity Liability Insurance Privacy Risk Assessments: Conduct privacy risk assessments as part of the cybersecurity liability insurance underwriting process.
Managed Services: Provide privacy officer services offering cost-effective, on-demand program expertise and experience.

CL-CDSS “Cybersecurity Comprehensive Data Protection Management Model”

CL and CDSS have developed a comprehensive data protection management model to support critical infrastructures and key resources customers, particularly in the oil and natural gas sector. This six-step process assists customers in applying cybersecurity to provide sophisticated and cutting-edge cyber security solutions and employ incredibly advanced security engineers to implement an affordable and compliant cybersecurity framework managed services. These services focus on Identification, Protection and Detection.

To address possible advanced persistent threat, insider threat, and highly motivated adversary scenarios, our capabilities expand beyond reactive, rule-based alerts, to instead focus on comprehensive awareness of current activity, and the ability to observe, analyze, and identify deviations from the baseline, for both individual entities and groups. Our services will create a comprehensive operating picture of the health and activity of users, devices, and services. Data models create baselines of normal behavior that can identify and quantify anomalous behavior, learning over time to better segregate suspicious activity.

We also use a modified privacy operational lifecycle to continuously monitor and improve the comprehensive data protection model’s ability to perform the following functions: inventory and categorize, evaluate, assess risk, design solutions, educate and train, and audit and monitor.
Figure 2 depicts the CL-CDSS “Comprehensive Data Protection Management Model’s” functions and subfunctions.

Figure 2: Cybersecurity Comprehensive Data Protection Management Model