ARTICLE: When cutting costs on defending your networks isn’t an option

The gas and oil industry’s uniquely political roles mean that the repercussions of a security breach can be more than just financial.

Access management and authentication processes are a necessity in any modern enterprise in almost every industry on Earth. The information held within a corporate network is valuable enough that nefarious actors will continue to target it mercilessly.

The ability to properly protect these assets is the difference between a strong, compliant organisation and one that ends up hauled in front of a regulatory board to answer for its failings. For the gas and oil industries, secure authentication can be an even more serious consideration.

For as long as gas and oil have been important commodities on the global stage, they have been political footballs to be kicked around. An appropriate security posture is not just important for safety, security and prosperity, but is also an important way for businesses to avoid raising their heads above the parapet and risking incurring political hostility.

For an example of how authentication and political crisis can intersect, we need to look no further back than May 2021. Nobody could have missed the seismic impact of the Colonial Pipeline hack in the USA. Hackers – assumed to be Russian-based – managed to successfully compromise a Houston oil pipeline, causing knock-on effects to the US petrol supply chain that for weeks left vast swathes of the country unable to fill up the cars that form the backbone of the country’s transport network.

This was one of the most high-profile ransomware incidents in US history and led the company’s chief executive to a Senate hearing in which he was forced to defend the organisation’s actions. Further fallout included President Biden signing an executive order strengthening US cyber-security defences. Herein lies the problem for the gas and oil industries: the geopolitical nature of the commodities at stake means they are inherently political in a way other industries are not.

For this reason, the basics of authentication become even more important. After all, it was a compromised password for a dormant account that led the hackers into the Colonial pipeline in the first place. The price paid by the company was dire – financially, politically and reputationally – and could have been avoided simply by deploying a more robust set of authentication standards. The Senate hearing that investigated the incident was well aware of this. The Colonial Pipeline CEO was asked outright if the organisation had a system of multi-factor authentication in place, and could not answer that it did. That being said, the attack didn’t even need multi-factor authentication as a defence – basic user-account management and modern password controls in line with NIST SP 800-63B would have done the job.

The CEO also claimed that this single-factor authentication was being used on a legacy VPN where the breach occurred. This is also not a strong enough excuse. Hackers will attempt to enter every point of the network, from legacy VPNs to organisations in your supply chain that might represent an easy route into a network.

The security issues that this presented did not stop at the domestic problem of disrupted petrol supply chains. Worse still, Colonial ended up in the midst of geopolitical manouevering. The cybercrime group DarkSide, which took responsibility for the hack, claimed that its motivations were entirely financial, not political. However, when a hacking group is assumed to be based in Russia, this distinction becomes less relevant. While stating that the Putin administration did not have anything to do with the hack, Biden did use the opportunity to suggest it needs to take “responsibility” for groups operating within its jurisdiction.

The seismic repercussions of a single authentication issue speak to a wider truth; one that suggests that although the gas and oil industries are among the wealthiest on earth, in some corners there has been wholesale failure to secure cyber-security defences and policies. This has to change.

While the associated time and resources spent on appropriate authentication may seem unnecessary when the threat is not visible, these costs pale into insignificance when compared to the operational, financial and reputation issues that could befall a business in a worst-case scenario. Ensuring that appropriate authentication defences such as multi-factor authentication and proper password security policies are in place may seem unnecessary, but they are definitely preferable to a trip to the Senate with your tail between your legs.

Steven Hope is co-founder and CEO at Authlogics

Article published in E&T News on 25th January 2022.