For at least 12 years, the international petroleum industry has been in denial about the need for proactive cybersecurity. This presentation walks through the following CyberSecurity Grief stages, providing key questions to ask yourself and your organization, determining where you fall on the Grief Scale and how to quantifiably measure what you need to get past Acceptance. Each stage includes a real world example from our industry.
Denial is when your initial reaction is to minimize and dismiss the proof of a hack and blame technology, people or business processes that have broken down. This is a pathological stage in technology immature organizations. There are only two kinds of organizations: those that know they’ve been hacked and those that don’t.
Anger is demonstrated by the irate superintendent, senior manager, “Company Man” or chief technician refusing to acknowledge a security failure was caused by a software programming error or a lost laptop with unencrypted data, or that the compromised system did not follow established security hardening procedures.
Bargaining occurs when senior management, who don’t know better, listen to employees that they just need another chance and they insist that a breach will not happen again, despite the fact that once secure information already in the “Internet wild.” The road to perdition is paved with good intentions.
Depression is what happens to your entire asset when the VFDs shut down or burn up because the network has been infected with Stuxnet.
Acceptance is this point that management understands that security needs to be an ongoing process in order to protect the confidentiality, availability, and integrity of the entire asset.
CYBERSECURITY CODES & STANDARDS REFERENCED
IEC/TS 62443-1-1:2009(E):
Defines the terminology, concepts and models for Industrial Automation and Control Systems (IACS) security
NIST: Cybersecurity Framework:
Framework for Improving Critical Infrastructure Cybersecurity
NIST: 800-30 R1:
Guide for Conducting Risk Assessments
For more information about Cybersecurity or to discuss applying the National Vulnerability Database and the National Institute of Standards and Technology’s CyberSecurity Frameworks for Oil and Gas to your assets, please contact us.