Energy and Utilities Industry Perspectives - May 2017


Cyber Vulnerabilities of Energy Companies’ Control Systems Can Be Addressed Safely and Successfully

The realization is growing across the oil and gas industry that the major cybersecurity threats to upstream, midstream and downstream data and operations are often aimed at operational technology (OT) systems and equipment – usually older, legacy models – rather than at the information technology (IT) side. Those operational technologies typically include industrial control systems (ICS), supervisory control and data acquisition (SCADA) devices and other related technologies implemented at operational facilities, such as plants, pipelines, terminals and rigs.

A recent survey of more than 300 oil and gas companies found:

  • More than 60 percent of companies have suffered a security compromise in the past year, which exposed confidential information and disrupted OT systems and operations
  • Two-thirds of companies believe risks to OT systems have increased substantially in recent years, and 59 percent believe they face greater risks in OT than in IT
  • Only one-third of companies report that OT and IT are fully aligned in their organizations
  • Just 35 percent rate their readiness to address cyber threats as high
  • Close to half of all attacks on OT are going undetected

These survey findings appear shocking – but they are also consistent with Protiviti’s experience in performing cybersecurity assessments for energy and utility clients, particularly evaluating their OT systems. We often find unprotected field terminals with inadequate physical security of connection points, live ports that lack deterrents, and an absence of intrusion detection capabilities. We also commonly see flat networks that are not segmented to appropriately segregate the OT systems from the corporate network environment, making it easier for potential hackers to exploit vulnerabilities across the organization.

Obviously, OT systems with any of these shortcomings present significant cybersecurity risks for the energy and utilities industry. The threat is multiplied by the fact that energy and utilities organizations are deemed critical infrastructure, whose exploitation can have devastating effects on broad geographic regions, affecting multitudes of people.

More and more ICS/SCADA technologies allow for the capability to connect (via IP) to the broader corporate network infrastructure. While this provides for certain efficiencies, it can also expose oil and gas systems to unprecedented risks that occur when the previously isolated OT systems are linked to sophisticated IT networks so data can be shared, managed and analyzed.

Despite this newfound connectivity, the industry has remained stubbornly reluctant to challenge legacy OT systems from a vulnerability perspective, for fear of creating interruptions or process errors. This reluctance often leads to a failure to adequately test or update systems to optimize security and minimize cybersecurity risks.

The concerns are legitimate, but only up to a point. In our experience, there isn’t sufficient justification to hold OT systems “off limits” for cybersecurity evaluation and upgrades, given the high potential for targeting by sophisticated opponents and the alarming numbers cited in the survey. To this end, assessments should still be performed, but they must incorporate a series of precautions designed to assure both operational continuity and a complete threat risk review. These precautions include:

  • Well-defined rules of engagement, including identification of the types of reports and system information to be compiled prior to conducting a vulnerability scan
  • Performing security evaluations in a test, rather than production, environment
  • Collaboration with both engineering and IT security personnel to define the scope of the review engagement
  • Reasonable limitations on initial tests so sensitive systems can be excluded if needed to allow for the development of workarounds
  • Establishment of clear lines of communications so any network or system irregularities are reported and evaluated during testing

Working within these parameters, testing the security control environment of ICS/SCADA systems should achieve the following:

  • Evaluate the key security risks prevalent in the ICS/SCADA network architecture
  • Identify the network vulnerabilities and test the connectivity to the enterprise network
  • Assist with the development of a vulnerability management program specific to the ICS/SCADA infrastructure

Ideally, what energy and utilities companies want is to ensure they have an ICS/SCADA environment that can function in a secure and effective manner, and that they can be highly efficient in detecting and responding to breaches and attacks. This requires technical expertise, collaboration between departments, appropriate planning, and leveraging vulnerability assessments to periodically test security. Testing these systems requires more work, but it is not impossible, and it should not be considered “out of the question.” In fact, testing is an essential practice for preserving the integrity of any critical system.

Developments in the First 100 Days of the Trump Administration that Affect the Oil and Gas and Utilities Industries

In our election implications Flash Report, we suggested there were possible winners and losers across multiple sectors from a Trump presidency. Here is an update of developments during the first 100 days for oil and gas and utilities companies.

Possible Winner

Oil and Gas

What we said we expected: Strong emphasis on achieving U.S. “energy independence,” leading to elimination of subsidies to renewables, opening of new areas of the country (including federal land) to oil and gas development, and changing environmental policy and greenhouse gas performance standards that have driven closures of U.S. coal-power plants, stymied demand for the fuel, restricted the U.S. fracking industry, blocked the Keystone XL pipeline and hamstrung refineries.


Developments since inauguration: In March, President Trump signed an EO to promote energy independence and economic growth. The order rescinded six Obama administration presidential memorandums, reports and executive orders. Specifically, the EO eliminates multiple policies that built climate change considerations into federal decision-making, ends the year-old new coal mining leasing moratorium on federal lands, initiates an EPA review of rules governing oil and natural gas development (including regulations on methane emissions and fracking), ends White House guidance on incorporating climate change when reviewing energy, infrastructure and other proposed projects under the National Environmental Policy Act, and grants federal agencies 120 days to prepare recommendations to address existing policies that potentially restrict energy development.

If the above EO wasn’t enough, the Trump budget proposal cut EPA spending by almost 30 percent, which could result in the department eliminating nearly 25 percent of its staff and more than 50 EPA programs. In addition, the President signed two orders reviving the Keystone XL pipeline and Dakota Access pipeline. He also signed a related order that would expedite the environmental permitting process for infrastructure projects related to the pipelines.

With respect to midstream/pipeline supply companies, the president signed a presidential memorandum in January instructing the secretary of commerce to develop a plan that would require any company that builds a pipeline within U.S. borders to use American-made materials and equipment. Since then, the Department of Commerce has reached out to oil and pipe companies, as well as steel manufacturers, requesting information about the feasibility and timeline of excluding all foreign materials and foreign-made pipe, and input on how it would impact the overall market. A review of all steel imports across the board for all industries has been announced. An alternative may be to impose a higher tax on imports, because many companies agree that American steel manufacturers don’t have the capacity to support demand for both drill pipe and line pipe.





What we said we expected: The overall effect of the Trump administration on utilities is unclear, but it could certainly alter the competition model in the various ways to generate power – coal, natural gas, nuclear, wind and solar. If Trump were to strike down the Clean Power Plan, it would impact strategic decisions by U.S. utilities to replace coal plants with wind and solar facilities. 


Developments since inauguration: 2017 was supposed to be a big year for coal, but since the election there have been a number of actual or planned plant closures – even though the current political winds are trending toward reducing regulations restricting coal and other fossil fuel plants. President Trump’s March EO to repeal the climate control regulations put in place by the Obama administration is intended to create more jobs by enabling companies to produce and use coal. However, given the hundreds of coal plants closed or planned to be decommissioned over the last decade, the bottom line is that utilities may be taking a long view toward investment in terms of where the regulatory climate and the related cost of renewable energy (which incidentally carries much less regulatory risk) may be a decade from now.

To illustrate, cost-effective alternatives to coal in the form of natural gas may give pause to utilities considering a reversion to the beleaguered commodity. In addition, solar and wind power costs are trending downward. If that isn’t enough, utilities have grown weary of fighting the climate change battles with investors and environmental advocates, making more environment-friendly, cost-effective options more attractive.



Tyler Chase
Managing Director
Leader, Energy and Utilities Industry Practice