Oil and gas companies continue to be at a disadvantage when facing cyberattacks because they are not sharing information about incidents, experts said Tuesday at the American Petroleum Institute Cybersecurity Conference & Expo in Houston.
Although a few trusted professionals at oil and gas companies know each other and share information about attacks, communication has been limited and the need for more is extremely high, speakers said.
“We all talk about how we need to share information but we’re not doing it. Why?” said Stuart Wagner, director of information technology security at pipeline giant Enterprise Products Partners. “It’s something everybody thinks is a great idea but it’s not out there.”
A handful of energy company security professionals are working to develop a group that will share information, Wagner said.
But the process will take time, he said. And convincing companies to disclose information about incidents, even to a trusted group of security workers, is not simple, Wagner said.
Companies are concerned that information they share about an attack could be leaked to the public, damaging the companies’ reputations, he said. Also, security workers don’t have much of an immediate incentive to share information about an attack, Wagner said.
“It’s just difficult,” he said. “When you’re busy responding to an incident … you’re dealing with putting out our fire. You don’t want to spend time telling people how to put out their fire.”
The benefits of information sharing are undeniable, said David Cowart, director of computer forensics firm Mandiant.
For example, as threats from groups in China grow, companies without information about previous attacks are left exposed to the same malicious software on their systems, Cowart said.
“There’s a lot of attacks coming out of (China) and no single organization can do as much as needs to be done working by themselves,” Cowart said.
Protected online systems for sharing information, perhaps anonymously, will be key in helping to improve oil companies’ awareness of threats, Cowart said.
Those sharing systems would help companies pool information about similar threats so all can look out for malicious files and computer networks that might access their machines, he said.
But for those benefits of information sharing to occur, a system for sharing has to be developed, and companies need to participate, Cowart said.
“They must come into place for us to be successful,” he said. “It’s going to enable us to multiply the force that we can bring to monitoring the threat. It has to be done.”