During the last quarter of a century, the global energy sector has relied on the protection offered by standalone and closed industrial control systems (ICS) as the primary barrier to IT security threats. Today, however, with energy facilities worldwide generally aging, upgrades and expansion projects are ushering in a wave of new ICS and supervisory control and data acquisition (SCADA) systems built on openness and interoperability. While the sector has been quick to take advantage of these new internet-connected systems to reduce cost, improve efficiency, and streamline operations, they have exposed it to a host of IT security risks that are only just beginning to be understood.
Brier & Thorn's energy practice serves all areas of the industry, providing IT risk advisory services to major and independent nuclear power plants; commercial oil companies; petrochemical producers; renewable energy companies; upstream, midstream, and downstream oil sector companies; oil field service firms; and private equity investors and sovereign wealth funds. Our risk advisors have worked in both permissive and semi-permissive environments, including conflict areas, for clients requiring both technological and physical security risk assessments, from the Western Siberian Basin of Russia to other basins domestically and around the globe. Our advisory teams of conventional and unconventional oil and gas E&P, midstream, refining and marketing, oil field service, and equipment manufacturing oil and gas experts combine global experience and proprietary approaches and insights to unlock significant value for our clients.
IT risk assessments in conventional and unconventional oil and gas exploration and production
Historically, numerous cyber attacks directed towards the global energy sector have largely been targeted and data-driven, as companies and individuals have attempted to gain access to personal or sensitive financial data, to purposely crash systems and harvest data using APT malware, and to obtain valuable oilfield exploration and production data, especially in unconventional E&P methods. The nature of the threat is beginning to change, however, and companies across virtually all industry sectors have begun to witness much more intelligent and complex attacks that seek to take charge of systems and data in order to inflict damage to brand, property and operations.
Although the global energy sector has yet to experience catastrophic physical damage to facilities or disruption to supply as a result of a cyber-related event, publicly at least, the disproportionate rate at which it is a target for cyber attacks makes it appear that it’s only a matter of time before this trend is broken.
The energy sector’s resiliency to date is certainly not due to a lack of effort on the part of hackers. In August of 2012, the world’s largest state-owned oil and gas supplier, Saudi Aramco, was the victim of a malicious attack intended to halt the company’s crude oil and gas supplies using malware dubbed Shamoon by investigators. It destroyed the hard drives of more than 30,000 desktop computers and 2,000 servers, forcing IT systems to be disconnected from the internet for two weeks.
Just recently, Ukraine experienced a targeted attack against one of its utility companies, using malware dubbed BlackEnergy, that caused an electrical blackout.
Just as the cyber threat has grown in its complexity, so too have the possible motivations behind the attacks. Whereas cyber attacks have previously tended to stem from lone hackers, today they may originate from companies seeking to cause disruption to a rival’s operations in the hopes of gaining competitive advantage, from nation-state actors intending to benefit from resulting commodity price fluctuations due to restricted supply, or from a rogue government as part of a cyber warfare campaign to damage or disable critical infrastructure.
Brier & Thorn’s energy practice is at the forefront of advising energy companies in risk issues impacting operational success. Our network of energy specialists in risk management is globally coordinated from our numerous overseas offices. Our wealth of expert knowledge is augmented by market-leading IT risk management services to meet our clients’ toughest risk management issues.
Technology is a critical enabler for delivering enduring change. We help our energy clients with securing their IT architecture, enterprise applications (SAP, Oracle and PeopleSoft), outsourcing advisory, and information security project management. High-quality master data on customers, products, or employees is paramount to a company’s success. The majority of companies have understood this and are investing in IT security controls to lower the risk to their master data management (MDM) system. Still, business processes are not free of mistakes and weaknesses. We help our clients assess their information security requirements around their technical infrastructure, aligning conceptual and logical architectures with the appropriate security controls that help build a complete roadmap to achieve our clients’ desired IT risk management goals.
Companies of all sizes, in all countries, in all industries now operate in an interconnected ecosystem – as do highly sophisticated and economically motivated adversaries. IT security has become a major threat, particularly to energy companies. We bring together the breadth of our global capability and a joined-up package of business, cyber threat intelligence, technical, behavioral change, forensic, legal and crisis management capability to assess maturity, implement improvements, and respond to data breaches.
The hard-hat world of energy and the hard-ball world of financial trading have progressively become more intertwined. Greater liquidity, increased participation of financial players, new types of exchanges and new types of commodities, such as emission rights, have all contributed to the growing importance of the use of financial instruments and, in some sectors, trading.
These changes are producing new types of IT risk for companies that require a re-examination of their risk strategies and the way they conduct their risk management programmes. We help our clients:
We work alongside our energy clients, at all levels of the organization, to evaluate the risks and opportunities inherent in the industry and to implement solutions that produce enduring results for our clients.
This simple 6-step plan, distinctive to our firm, lays out:
We share our clients’ ambitions working to understand their reality and deliver true results – focusing on strategic decisions and practical actions. We align our incentives with our clients’ objectives so they know we’re in this together as a closely-held partnership.
Large oilfield exploration and production company secures its biggest assets with Brier & Thorn’s risk advisory services.
Badger Meter launches software-as-a-service (SaaS) platform for utility companies leveraging smart meter technology monitored and secured by Brier & Thorn after ISO 27001 certification and SOC2 attestation. How IT risk management has been institutionalized into the culture at Badger Meter across all global facilities and driven by its CEO and executive leadership team.