Growing technology means growing cybersecurity risks. Those risks now are so pervasive that cybersecurity should no longer stand alone as a consideration in risk management. Rather, said Nicholas Andersen, it should be included in the overall consideration of safety.
“Cybersecurity needs to be baked into the safety conversation,” he said during a presentation at the 2022 Offshore Technology Conference in Houston. Andersen is the chief operating officer of Invictus International Consulting and former federal cybersecurity lead and senior cybersecurity adviser in Washington, DC. He spoke on The Cyber War Among Us, a war he said was never declared yet involves everyone.
Technological advancements in the oil and gas and renewables sectors often move toward lessening human involvement. Automation technologies taking advantage of artificial intelligence, the Internet of Things, and cloud computing promise boosted profits but also present new dangers.
“A lot of the autonomy and the unmanned perspective that these systems provide as part of the great promise of making them profitable … presents a tremendous risk profile from a cybersecurity perspective,” Andersen said. The risk comes from the necessity for human oversight. Regardless of the level of a system’s autonomy, operators still need to be able to access it to make sure it is functioning properly. “That presents a window, presents an attack vector, that a malicious actor in cyberspace can take advantage of.”
The growing number of attack vectors presents operators with difficult choices. You’re not going to protect everything all the time,” Andersen said, suggesting a philosophy of “ruthless prioritization.” That, he said, “is about understanding what are the highest consequence events that that system supports, what are its absolute no-fails, and how do we support those.”
Not including cybersecurity as part of overall safety considerations could lead to consequences beyond cyberattacks. “There’s going to be an impact for our investors. There’s going to be an impact for our operators. There’s going to be an impact for the communities that we serve,” Andersen said. He warned that “anyone who’s not addressing cybersecurity today as a core component of their risk-management safety strategy … is going to find themselves defending that in a liability suit over the next couple of years.”
Andersen referred to “a kind of special trust” that consumers place in the energy sector, a confidence that it will meet the needs of the community. “And I don’t believe that there’s going to be a whole lot of tolerance for people who don’t bake this into their risk conversations,” he said.
Another advancement with cybersecurity consequences is cloud computing, Andersen said. While many users of the cloud assume that cybersecurity will be handled by the provider, that’s only true to a point. “Cloud computing resources are fantastic, and they do have the potential to make you more secure if you’re consuming them, but there’s a limit,” he said. “There’s a line that is drawn with cloud service providers … there’s a line they draw, and they say this is your responsibility to configure this appropriately.”
Regarding responsibility within an organization for cybersecurity, Anderson said he sees a danger in the gap between operational technology (OT) and information technology (IT). Many companies have a false sense of security with OT that they believe is segregated because it is not connected to their IT system, he said. They believe that, he said, until they find that someone has been accessing the systems remotely to run updates, for example. “There has to be someone who’s looking at risk both from the IT and the OT side together,” he said. “They can’t just be silos that happen to coexist within the same company.”
The discussion about cybersecurity needs to bridge the gap between IT and OT, he said, because “consequence prioritization can’t be done on the IT side. IT is a business function. … There has to be a risk owner who’s going to be accountable for that, that can really drive change and visibility of both the IT and OT side.”
During the questioning portion of Andersen’s presentation, Alton Payne, the chief of standards development section at the Bureau of Safety and Environmental Enforcement, pointed out a fundamental problem with handling both safety and cybersecurity. “We have a metrics problem,” he said. “We measure safety and cybersecurity in a negative way. We think it’s safer if we have fewer events. … I don’t think so. I think it’s how you handle the events you get which is more important than how many events you get.”
Andersen agreed. “I think it’s a larger resilience conversation that we need to have,” he said. “It can’t be zero fail; it can’t be zero incident. There needs to be a larger conversation about resilience and what happens after the fact.”