August 20, 2018
Interviewed by: Privcap

Protecting U.S. Oil & Gas from Cyber Attacks

The oil and gas industry is at risk for cyber attacks. RSM expert Tauseef Ghazi explains how this vital industry can protect itself with a series of best practices.

What threats do cyberattacks pose to U.S. national security? Do you think this threat will increase in 2018?

Tauseef Ghazi, RSM US LLP:
The threat will definitely increase in 2018. At the end of 2017, the Department of Homeland Security and the FBI issued a warning that was geared towards U.S. critical infrastructure and threats to it. That, plus what we’ve seen in Europe—around power grids, manufacturing facilities being compromised, the increase in ransomware in 2017—all of that coupled together, I think, will significantly increase the threats to cyber-security in 2018.

Do you think the oil and gas industry is prepared in terms of cybersecurity?

Ghazi: If you look at the oil prices the way that they have been over the last several years, it’s put a lot of burden when it comes to cyber-security investment in middle market energy companies. That, coupled with reduction in workforce over the last several years, has really reduced the progression to achieve the majority ratings that most middle market oil and gas companies needed to have. So, I think middle market oil and gas companies are playing catch-up at this point.

Why have middle market energy companies moved sensitive information to the cloud?

Ghazi: With the oil prices as low as they have been, it’s a natural transition to move information to the cloud and use commoditized services to manage your infrastructure. Companies, however, do need to be conscious that when you move information to the cloud, you’re not moving the risk associated with that. The risk still stays with those companies. So, getting good processes around that is very, very important.

Why do middle market firms have less protective oversight?

Ghazi: It’s mostly due to lack of regulations. If you look at the oil and gas sector, there’s not any specific cyber regulations within that sector. Power and utilities is a little different where there are specific regulations, but they’re only focused on certain asset classes, criticality, high-risk critical assets, medium-risk critical assets.

In addition, middle market companies typically have not focused on building cyber programs within their management ranks, and they are now just catching up to that.

Is industrial espionage the greatest cyber threat that middle market companies face?

Ghazi: I don’t know if industrial espionage is the greatest threat, but it would definitely be the greatest impact to life and safety, if it was to exhibit itself. Industrial espionage is complex. It’s not your average hacker that can do that. It requires a lot of time, investment, research, so it would have to be somebody that’s really wanting to break into our industrial control, the environments, and really sabotage. Currently, the threats are more in terms of reconnaissance. They’re not really attacking and taking things out, but really doing reconnaissance to understand what those environments look like.

Is industrial espionage targeting intellectual property or is the goal to shut down critical infrastructure?

Ghazi: If it’s a drilling company that’s developing drilling technology or a seismic model, for example, then yes, it is going to impact intellectual property. If the target is a power company, and the target within that power company is a power interconnect, then it can impact multiple industries. Like the financial industry, if you don’t have power, you can’t process transactions. In the healthcare industry, if you don’t have power, you can’t operate your hospitals. So, it really depends on what angle you’re looking at this from.

How would an increase in cybersecurity regulations impact oil and gas?

Ghazi: An increase in cyber-security regulations within the oil and gas industry would create a common set of controls and criteria that would allow for consistent implementation of those controls across the industry. Currently, we have a lot of standards like the IEC, the NIST standard, that companies utilize. But the implementation of those varies from company to company. By having a common framework, it would establish a baseline of controls for all oil and gas companies.

What should oil and gas companies do to prepare for these attacks?

Ghazi: A specialized skillset is required to combat cyber threats today. That skillset sometimes cannot be grown internally, and oil and gas companies should be aware that they should procure that skillset from the outside, or at least have knowledge transfer to maintain that skillset.

What recommendations from the recent National Commission on Enhancing Cybersecurity report should the administration implement?

Ghazi: It’s very hard to argue with the Commission’s recommendations. Most of those recommendations are pretty straightforward, and most companies should implement those recommendations. The good news is that this administration currently has cyber-security as a priority on their plan. The bad news is that we just haven’t seen the details of that plan as yet. With the recent shake-up of the White House cyber-security coordinator position, I think that that plan is somewhat coming into motion, and we should be seeing some of that appear very soon.
