Q&A with Andy Lee, Krystal Scott and Ewaen Woghiren on Jones Walker LLP’s Midstream Oil and Gas Cybersecurity Survey

What prompted you and the firm to conduct the survey?

We chose the midstream sector because of the unique areas of vulnerability presented by the transportation of commodities.

With an increase in remote-work and reliance on autonomous systems necessitated by the global COVID-19 pandemic, the reduction in commodity prices, and the worldwide economic downturn, there is increased opportunity for cyber attacks and it has proven more challenging for companies to respond to them.

As revenues decrease, midstream oil and gas companies must make difficult budget decisions. These choices are particularly challenging now, considering that a data breach can result in an eight-figure loss. For some, a cyber attack may be the final financial blow; for others, investments in stronger cybersecurity may require moving resources away from activities that could help them weather the current storms.

It is because of this landscape that Jones Walker LLP chose to focus on the midstream oil and gas sector for our second cybersecurity survey.

Why does the midstream space have more unique security challenges than other energy sectors? 

The midstream space has unique security challenges. In the United States alone, as of 2019, there were more than two million miles of natural gas pipelines, not to mention associated metering equipment, pumps, sensors, and valves, all of which represent cyber-attack points of entry. 

What do you consider the top five takeaways?

• Avoid overconfidence. Although the majority of respondents believe that both the midstream sector and their own companies are prepared for a cyber attack, more than one in 10 had suffered a successful breach.
• Know your enemies. To address cyber vulnerabilities effectively, companies must understand who and what they face. The survey respondents pointed to organized criminal groups as the top threat actors and to their own employees’ negligence as a source of major concern. In addition to risks of phishing and employee error resulting in trespass on company networks, remote technologies – including mobile and field-device management systems, web apps, cloud services, SCADA systems, and IoT devices – are seen as top vulnerabilities.
• Plan and practice for success. Survey results indicate that cybersecurity plans are not up to the task, largely because they are either outdated or not practiced. Across all companies in the survey, 40% reported an attempted or successful data breach in the past year but only 7% updated their written security policy during the same period.
• Match resources to the threat. Existing cybersecurity measures at midstream companies are varied and often do not correlate directly to their identified vulnerabilities. Notably, companies indicated an increased focus on cybersecurity, yet only 38% will increase their cybersecurity budget this year. Further, despite increased vulnerability during the current COVID-19 pandemic, when more employees work remotely and often utilize a mix of personal and company-issued technology, 74% still do not have cyber insurance or cyber breach insurance coverage.
• Partnering is sound strategy. Many companies work in isolation and do not take advantage of opportunities and cost efficiencies offered through industry collaboration and public-private partnerships. Only a minority (10%) of survey respondents indicated that their companies currently participate in such information-sharing programs. 

How has COVID-19 and Work-From-Home/remote access for midstream employees impacted companies’ existing cybersecurity plans?               

We learned that, due to COVID-19, midstream companies are more concerned about employees using remote access and creating increased vulnerability for a cyber attack. 74% of respondents listed deliberate and negligent employee behavior as a significant threat.

COVID-19 created a surge of employees working from home and demonstrated the importance of an in-house “go-to” technology leader with intimate knowledge of cybersecurity and a company’s operations. This can help a company quickly respond to shifts in technology and adapt existing plans. It was surprising to learn that, when asked if their company had a specifically appointed information security and compliance manager/officer, 61% of survey respondents said “No.”

Given the volatility of the energy market, what is one cybersecurity practice that companies can quickly and cost-effectively implement? 

Our survey findings tell us that energy companies can benefit from taking a fresh look at their Incident Response Plans (IRP). Though 97% of survey respondents indicated that they test their IRP at least annually, more than 50% of respondents report that their plans are more than a year old.

Start with a robust IRP using a solid framework (such as that of the National Institute of Standards and Technology) that will identify the top policies, tools, and technologies your company needs. Extensive use of encryption is inexpensive and will significantly decrease breach costs. Then, investigate whether cyber insurance offers a cost-effective way to reduce your financial exposure in a breach event. Typically, cyber-insurance costs are directly linked to the underwriter’s perceived risk. In other words, the more cybersecurity measures (such as those mentioned above) in place, the lower the associated insurance cost. 

How can midstream companies keep up with and respond to hackers and their rapidly evolving tactics? 

Companies can benefit from the opportunities found through industry collaboration and public-private partnerships. Surprisingly, 88% of respondents do not actively exchange cybersecurity best practices with their peers.

Cybersecurity is a common concern for all industry stakeholders. Working with others, even competitors, is a win-win strategy that arms your company with valuable information. There are significant – and low-cost – resources available in this arena.