Energy firms must acknowledge cybersecurity as more than an IT problem, according to new Rice University paper

Energy firms have spent vast sums on the security of their information systems, but they must reorient from a reactive, tactical posture regarding intrusions and attacks to a more strategic, holistic view that expands beyond the categorization of the issue as an IT problem, according to a new paper from Rice University’s Baker Institute for Public Policy.

Chris Bronk

Titled “Cybersecurity Issues and Policy Options for the U.S. Energy Industry,” the paper investigates how energy companies involved in the production and delivery of hydrocarbons, as well as companies that generate and transmit electricity, face new risks posed by malicious software (“malware”). These risks can affect the continuity of their operations, capacity to deliver products and services and ability to protect investments — particularly in research and development — from theft or unauthorized disclosure. 

The paper comes against the backdrop of the U.S. Congress’ failure this summer to pass significant cybersecurity legislation for the protection of commercial and government information technology infrastructure. 

“For the energy industry, cybersecurity is not just a technology problem, but rather is one that includes the larger dynamics of information and operations,” said Christopher Bronk, the paper’s principal author and a Baker Institute fellow in information technology policy. “How public policy can form components of the response to cybersecurity issues pertaining to the energy industry and the critical infrastructure that it builds, operates and maintains requires considering both the complexity of the issue and the nuance in potential policy prescriptions.”

The paper details examples of major oil and gas companies that have suffered a significant data breach or disruption of IT service, the latest being Saudi Aramco. In August, Saudi Aramco saw as many as 30,000 computers on the company’s network compromised by a malicious piece of  “malware,” possibly the one labeled “Shamoon” by the computer malware analysis community.

“The issues of cyberespionage and true cyberattacks — the ability to achieve kinetic outcomes by manipulation of computer systems — represent significant challenges for the energy industry, the United States government and the international community,” Bronk said.

“Constructing institutions to cope with these problems and move beyond a reactive posture will require greater research investment, collaboration and unorthodox combinations of expertise from within the computing field and beyond it.”

Bronk hosted a range of international cybersecurity experts from business, government and academia at the Baker Institute Sept. 18 to share and discuss the latest information on how to detect, defend against and respond to emerging cyberthreats.

Bronk previously served as a career diplomat with the Department of State, where his last assignment was in the Office of eDiplomacy, the department’s internal think tank on information technology, knowledge management, computer security and interagency collaboration. 

Adam Pridgen, a graduate student and cybersecurity researcher in Rice’s Department of Computer Science, is the paper’s secondary author. Deloitte LLP supported the research activity from which this paper was drawn.

About Jeff Falk