Presentation to WVONGA
Cybersecurity Vulnerabilities and Process Frameworks for Oil and Gas
Jack L. Shaffer, Jr.
Business Transformation Director
vCIO / vCISO
2017 Cybersecurity in the news
• Ransomware
  • WannaCry, NotPetya, and Bad Rabbit.
• Verizon – Security lapse exposes 14 Million customers' data
• Uber – 57 Million customers' data exposed
• Equifax – 145 Million Americans impacted
• Yahoo Breach expands to 3 Billion users
Energy industry under attack
• Cyberattack Shows Vulnerability of Gas Pipeline Network - 4/4/2018 – New York Times
  • Compromise and service interruption of Latitude Technologies
  • Nomination / EDI system
• Hackers halt plant operations in watershed cyber attack - 12/14/2017 - Reuters
  • Hackers likely working for a nation-state recently invaded the Triconex safety system – widely used in the energy industry, including nuclear and oil and gas plants.
What makes the Oil and Gas Industry vulnerable to cyber attacks?
• Lack of Awareness and Training
  • Employees with a lack of training are likelier to commit errors that leave the system open to attack. Especially true for field personnel as the internet of things (IoT) proliferates.
• Remote Work
  • Although this technology places people away from harmful locations and tasks, the trade-off is more cybersecurity vulnerabilities. It enables a hacker to gain access and perform the tasks an employee can, without detection.
• Using IT Products with Known Weaknesses
  • Opting to use IT products with known weaknesses because of economics, or because of vendor inattentiveness to patching or updating systems. Old systems are more vulnerable because their vulnerabilities have been more widely distributed.
• Cybersecurity Culture Is Limited
  • Even in a very technological culture, cybersecurity remains a niche sector; in field operations even more so.
What makes the Oil and Gas Industry vulnerable to cyber attacks?
• Data Network Separation Is Insufficient
  • An insufficient separation of data networks provides more avenues for cybersecurity attacks, i.e. SCADA or EM systems on the same computer network as accounting systems.
• Lack of complete asset inventory
  • Not knowing what your assets are (technology platforms, software versions, etc.) is an opening for attackers. You can't protect what you don't know about.
• Software Weaknesses
  • When choosing software to aid with cybersecurity, the oil and gas industry should be wary of the lowest bidder. Not all software is the same when it comes to security.
• Outdated and Aging Control Systems
  • Cybersecurity threats constantly evolve, with hackers working to exploit systems old and new. Whereas at least the new systems have recent threats in mind during their development, outdated systems may not be equipped to handle newer issues. Technology continues to develop at a rapid pace, and hackers are adapting. The oil and gas industry needs to adapt as well, requiring frequent updates of its control system software and infrastructure (i.e. patches/updates).
So what should we do?
Natural Gas Standards / Frameworks
• ISO 9000
  • ISO 9000 is a set of international standards on quality management and quality assurance developed to help companies effectively document the quality system elements to be implemented to maintain an efficient quality system. They are not specific to any one industry and can be applied to organizations of any size.
  • ISO 9000 can help a company satisfy its customers, meet regulatory requirements, and achieve continual improvement. However, it should be considered to be a first step, the base level of a quality system, not a complete guarantee of quality.
• ISO 14001
  • ISO 14001 is the international standard that specifies requirements for an effective environmental management system (EMS). It provides a framework that an organization can follow, rather than establishing environmental performance requirements.
  • Part of the ISO 14000 family of standards on environmental management, ISO 14001 is a voluntary standard that organizations can certify to. Integrating it with other management systems standards, most commonly ISO 9001, can further assist in accomplishing organizational goals.
Cybersecurity also has frameworks
• ISO/IEC 27000 Family (27001/27002)
  • The ISO/IEC 27000 family of standards helps organizations keep information assets secure. Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
  • https://www.iso.org/isoiec-27001-information-security.html
• Center for Internet Security (CIS) Critical Security Controls
  • CIS Controls Version 7 - https://www.cisecurity.org/controls/
• National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Security
  • Framework for Improving Critical Infrastructure Cybersecurity Ver 1.1 Draft 2 – Dec. 2017 - https://www.nist.gov/cyberframework
• Payment Card Industry (PCI)
  • PCI Data Security Standard (DSS) – Ver 3.2 – Apr. 2016 - https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
• Energy Industry developed:
  • Cyber security in the oil and gas industry based on IEC 62443
  • DNVGL-RP-G108 - https://www.dnvgl.com/oilgas/download/dnvgl-rp-g108-cyber-security-in-the-oil-and-gas-industry-based-on-IEC-62443.html
Information Security is a PROCESS not just a firewall!
Process elements:
• Annual Risk Assessment
• Security Awareness Training
• Policies and Procedures
• Threat Management
• Security Event Monitoring
• Change and Configuration Management
• Access Control
Action Items -
• Work with your IT department during all phases of a project, not just implementation
  • The reality is that most devices have internet connectivity today. (Internet of Things IoT)
• Train your field personnel on cybersecurity awareness
• Conduct a true security risk assessment
• Implement a security information and event management (SIEM) system to monitor all network activity
• Asset inventory with technical details
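As an added illustration (not from the presentation) of the network separation and asset inventory points above, a small Python check over a constructed inventory: it flags SCADA/EM assets sharing a segment with accounting systems, records missing technical details, and assets outside a patch window. Hostnames, zones, versions and dates are made up.

```python
import csv
from collections import defaultdict
from datetime import date
# Constructed sample inventory (not from the presentation): "zone" is the network
# segment the asset sits on, "role" is what it does; blank cells are unknown details.
INVENTORY_CSV = """hostname,role,zone,ip,platform,version,last_patched
plc-comp-01,SCADA,10.1.0.0/24,10.1.0.11,Windows 7,6.1,2016-03-01
hmi-station-02,SCADA,10.1.0.0/24,10.1.0.12,Windows 10,1709,2018-01-15
em-meter-gw,EM,10.1.0.0/24,10.1.0.20,Linux,,
acct-srv-01,Accounting,10.1.0.0/24,10.1.0.50,Windows Server 2012,6.2,2018-02-20
acct-srv-02,Accounting,10.2.0.0/24,10.2.0.50,Windows Server 2016,10.0,2018-03-10"""

OT_ROLES = {"SCADA", "EM"}  # operational technology roles that should be segregated
REQUIRED_FIELDS = ("platform", "version", "last_patched")

def find_segmentation_gaps(assets):
    """Flag segments where OT (SCADA/EM) assets share a network with non-OT assets."""
    by_zone = defaultdict(list)
    for a in assets:
        by_zone[a["zone"]].append(a)
    findings = []
    for zone, members in by_zone.items():
        roles = {m["role"] for m in members}
        if roles & OT_ROLES and roles - OT_ROLES:  # OT and IT mixed on one segment
            findings.append({
                "zone": zone,
                "ot": sorted(m["hostname"] for m in members if m["role"] in OT_ROLES),
                "it": sorted(m["hostname"] for m in members if m["role"] not in OT_ROLES),
            })
    return findings

def find_incomplete_records(assets):
    """Assets missing technical details: you can't protect what you don't know about."""
    return sorted(a["hostname"] for a in assets if any(not a[f] for f in REQUIRED_FIELDS))

def find_stale_patching(assets, today, max_age_days=180):
    """Assets not patched within the threshold; an unknown patch date counts as stale."""
    stale = []
    for a in assets:
        last = a["last_patched"]
        if not last or (today - date.fromisoformat(last)).days > max_age_days:
            stale.append(a["hostname"])
    return sorted(stale)

def assess(text, today_iso):
    """Run all three checks over an inventory CSV as of the given date (YYYY-MM-DD)."""
    assets, today = list(csv.DictReader(text.splitlines())), date.fromisoformat(today_iso)
    return {"segmentation": find_segmentation_gaps(assets),
            "incomplete": find_incomplete_records(assets),
            "stale": find_stale_patching(assets, today)}
```

Run `assess(INVENTORY_CSV, "2018-04-04")` to see the three findings for the sample; the real value comes from exporting your own inventory in this shape and running the checks on a schedule.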
Action Items -
• Push current vendors to acquire and evaluate new vendors that have Security Related CyberSecurity Certifications and Frameworks, like NIST
• Work with your IT department to implement and merge ISO / NIST standards for field operations and cybersecurity
  • Provides a complete best practice set of frameworks
Questions
advantage.tech/expert

Cybersecurity Presentation at WVONGA spring meeting 2018

Editor's Notes

  • #10 Security is a process – it never ends!
  • #15 Great way to get started