Page 8 - Cyber Warnings
P. 8
The GCC is particularly vulnerable to the type of cascading attack as it supports millions of
th
people in a desert environment, which in pre-20 century conditions could support only a
fraction of their number. A power cut would likely cause damage to any services not backed up
with auxiliary generators, potentially affecting everything from transportation links to desalination
plants.
Although energy infrastructure is perhaps the core element of critical national infrastructure
(CNI) likely to be targeted by a foreign power, this is not a counsel for despair and certainly not
for a “head in the sand” approach. CEOs and CIOs of oil and gas companies should take a
systematic approach to surveying and then mitigating cyber risk, which can help insulate them
from the worst impacts of an attack, even if total prevention remains an impossibility.
Companies need to understand their risk profile before any mitigation can begin in earnest. This
involves understanding their assets, the full range of threats they may face and the
vulnerabilities. The first is often one of the hardest for energy companies, which have dispersed
assets all the way through their business process, from extraction to refining through to
distribution.
Threat assessment is often best done by a third party, be that a national CERT team, or a
private sector security consulting firm; these are likely to have a much clearer notion of the
national threat picture. Vulnerabilities may arise from a number of different areas including
technology, processes and people.
The latter should never be overlooked as a threat, for companies which employ thousands of
people, vetting and control systems are vital to prevent either malicious action or incompetence.
Once the cyber security function of the company has a firm handle on their risk profile they can
then move to take appropriate mitigation measures.
Mitigating the cyber risks can be looked at across three broad areas Visibility, Intelligence and
Integration.
Visibility means truly understanding what is on your environment, who is on your environment
and how is your environment configuration. Knowing these things and continually monitoring
them for vulnerabilities and insecurities allows companies to continuously remediate and
mitigate cyber risks. Large companies in particular, often maintain networks patched together
over decades, running different generations of hardware and software. It’s a simple truth that
you can’t protect what you don’t understand; a thorough audit is vital at the start of any
mitigation process. Developing and maintaining the capability to performing this auditing on a
continuous basis will increase your security posture and allow for the window of vulnerability to
shrink in duration.
Intelligence relates your understanding of the ever changing threat landscape and the constant
discovery of vulnerabilities within ICT systems. There is no single source of cyber threat
intelligence or vulnerability information so a program needs to be established to identify and
capture the most appropriate sources for your organisation. This could include open sources,
academic and research institutes, government agencies, commercial feeds, and industry
8 Cyber Warnings E-Magazine – March 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
