OK, OK, I promise to move on after writing far too much lately concerning the waves of cyberattacks that are ostensibly coming from China. But I cannot resist writing just once more about this subject because of the huge implications for information security that the attacks that have now targeted the petroleum industry have. You probably are aware of the several day old news that ExxonMobil, Marathon and ConocoPhillips experienced attacks in which the perpetrators penetrated far into their networks where some of the most business-critical information was stored.
Over the years, I’ve done some kind of consulting work for every major petroleum company, and I’ve had a long-term relationship with some of these companies. Additionally, my father spent over 40 years of his career in the petroleum industry. I thus have learned quite a bit about the way this industry perceives and deals with information security risk. Several types of data were compromised in the recently reported attacks, but the most valuable type of compromised data are widely known as “basin seriatim” data. These are (please forgive my gross oversimplification) data that indicate where to drill for oil deposits as the result of using methods such as echo soundings. A petroleum company’s profitability depends to a large degree on ability to find sites that produce high yields of crude oil or shale. Each company performs soundings and other tests and then determines which sites appear to be most promising. Each company next submits a “lease bid” to obtain the right to explore for and produce oil from each chosen site. Because competition for certain geographical areas among oil companies can be extremely competitive, closely safeguarding basin seriatim data against unauthorized disclosure is highly critical from a business perspective. Strong controls against unauthorized access to these data are almost without exception in place on servers that store such data throughout the petroleum industry. Unauthorized destruction or alteration of these data could also be ruinous to a petroleum company, so strong controls to counter these risks are also commonly implemented throughout the industry.
I would rate the petroleum industry as *much* better than average in their practice of information security. Executive management within this industry for the most part understands the nature and magnitude of security risks much better than in most other commercial sectors. Furthermore, defense-in-depth strategies that include multiple layers of technical, physical and administrative controls for safeguarding valuable data and critical business processes are typically used. It is for this reason that the revelation that big petroleum companies have experienced massive breakins and information compromises (including compromises of basin seriatim data) shocks me so much.
What is perhaps even worse is that just like companies such as Lowe’s, TJX, and Heartland Payment Systems, the petroleum industry was unable to discover the waves of intrusions that started in 2008. Instead, U.S. law enforcement broke the news of the breakins to the petroleum companies in 2009. This strongly suggests that although the petroleum industry is using mainstream intrusion detection and intrusion prevention technology, this technology is simply not delivering what is needed from it. This should come as no surprise, as this kind of thing has been happening virtually everywhere for years. The nature of attacks has changed substantially within the last few years, but current “state’of’the’art” intrusion detection and intrusion prevention systems have the same basic detection mechanisms that they have had for years.
Security Information Event Management (SIEM) technology with strong event correlation functionality could and would have been highly useful in finding the attacks. Curiously, when I was in the SIEM industry a few years ago I approached the person in charge of intrusion detection in one petroleum company about the possibility of trying SIEM technology. I got absolutely nowhere—the person with whom I interacted was confident that the mainstream intrusion detection tools he was using were more than sufficient for his company’s purposes.
The message to organizations throughout the world is clear. If the petroleum industry has suffered a rash of such serious security incidents, and if this sector has exemplary security practices (which it for the most part does), no industry sector is safe. The real question now is which sector will be targeted next.