Shutdown means more delays on cybersecurity

HOUSTON — The government shutdown is affecting cybersecurity for energy companies, many of which are waiting on federal guidelines that are now delayed, an expert said Monday.

Many energy companies are pursuing their own, often disconnected, Internet security efforts, and some are outright ignoring the problem, said Rocco Grillo, managing director for technology risk at consulting firm Protiviti, in an interview with FuelFix.

Federal cybersecurity guidelines have been in development since President Obama issued an executive order on the subject this year. But a final draft of the guidelines, which was set to be released earlier this month, has been delayed because of the government shutdown.

With the guidelines delayed, the president’s expected approval of them early next year is also in doubt.

Companies have had a number of guidelines to choose from, from international recommendations to advice from security firms, Grillo said. But there has been no clear, standardized guidance to ensure that all companies are taking measures to protect themselves from an attack, he said.

“Some take the opinion of, ‘Hey, we’re secure. Why should we bother doing anything?’” Grillo said.

Energy companies are among the most targeted for cybersecurity attacks, drawing 40 percent of all cyberattacks in 2012, according to the U.S. Department of Homeland Security.

Research by Houston-based security firm Alert Logic has shown that energy companies faced more targeted malware attacks than companies in any other field during a six-month period last year.

Attacks against oil companies have been serious. A single attack last year knocked out 30,000 computers at Saudi Aramco and was aimed at disrupting oil production for the world’s largest producer. Other infections have incapacitated offshore rigs, forcing some units to shut down for weeks at a potential cost of millions of dollars in downtime, FuelFix has reported.

Federal security guidelines will offer a range of recommendations for companies to follow to keep themselves safe from attacks, Grillo said.

They also will put the pressure on companies to take significant actions to protect themselves from online threats, Grillo said.

“You can’t raise your hand and say I didn’t know,” he said. “But if you’re compromised and you haven’t performed due diligence, especially with this new framework that’s going to be put out in front of you, it remains to be seen how lenient the courts and the regulators are going to be, should you be compromised.”

That security framework, being developed by the National Institute of Standards and Technology, is on hold. The institute’s website says it is closed due to the government shutdown.

The result is a delay on clarity about the best approaches to tackling cybersecurity, and likely a delay on action from those companies most vulnerable and confused about the problem, Grillo said.

“The delay with the government shutdown compounds it because this issue has been out there for several years,” he said.