The oil and gas industry trails others when it comes to cybersecurity, leaving it vulnerable to a coordinated attack that could collapse the energy sector and the economy, an information technology expert said Wednesday.
"Cybersecurity is being weaponized in a way that is now state-of-the-market," said Javier Gonzalez, cybersecurity chief technology officer for North America at Atos. "So we see this as a very big threat, increasingly in oil and gas."
Gonzalez and Siv Hilde Houmb, chairwoman of the International Association of Drilling Contractors' cybersecurity subcommittee and founder of Secure-NOK, were part of a cybersecurity panel at Siemens Oil and Gas Summit and Technology Tailgate. The event took place at Siemens' new Dresser-Rand service center in Geismar. The center's services include repairing and rebuilding compressors, steam turbines, pumps and rotary compressors for the energy industry.
Houmb noted that about 75 percent of all breaches are caused by "insiders." The source can be an engineer doing some maintenance work who unknowingly opens a company's network via a virus-compromised computer.
A lot of Houmb's work involves training employees on risks, she said.
She recommends that oil and gas companies streamline the amount of data an employee needs to do his job. Ideally, if the system is not performing normally, it should help the worker determine whether there's a software problem, a hardware problem or an attack, Houmb said.
Gonzalez said there's so much information in an oil and gas operation that it can be overwhelming — for example, sensors at every level of the process can capture data.
"We need to start reducing it in density and looking at the patterns that are really, really important that we need to start paying attention to," he said.
Once a company has done that, it can start pinpointing problems, he said. Right now, Gonzalez said he's often trying to help clients get to the point where they can do some forensic work to figure out what happened months after an issue developed.
Houmb said companies that haven't established a cybersecurity program should start by making a Top 10 list of things to do, starting with a risk assessment.