OUTSIDE THE (BLACK) BOX.
Considered critical elements of national infrastructure, oil and gas companies are enticing targets for hackers and other cyber criminals. And yet, research shows that oil and gas players are confident in their ability to keep these systems safe.
To gauge the effectiveness of current enterprise security efforts and the adequacy of their existing investments, Accenture surveyed 2,000 top enterprise security practitioners representing companies with annual revenues of US$1 billion or more. The resulting High Performance Security Survey showed that nearly three-quarters of the energy industry respondents say they are highly confident their cybersecurity strategies will achieve favorable outcomes.
Specifically, they view preventing operational service disruptions and safeguarding the company's information and reputation as strategic mandates for achieving required business outcomes. What's more, between 75 per cent and 80 per cent of executives say they are achieving these goals.
In spite of their confidence, however, oil and gas companies are falling behind other industries.
According to the same Accenture survey, energy players consistently operate below the global average in terms of cybersecurity performance. In fact, the recently released Accenture Security Index ranked oil and gas companies second to last in a cross-industry evaluation of high-performance cybersecurity capabilities with an overall ranking of 27 per cent, meaning these organizations exhibited high performance in only nine capabilities on average. Additionally, oil and gas organizations ranked last in all industries in the cyber incident communications capability (22 per cent).
Energy executives also express much lower confidence in their companies' ability to secure the enterprise compared to the global, cross-industry total. For example, only 28 per cent claim to know their organization's frequency of breaches, while 41 per cent of global companies say the same. What's more, just 30 per cent have confidence in their ability to monitor for breaches -- a critical capability in any cybersecurity strategy.
As more oil and gas players embrace new Operational Technology ("OT"), cybersecurity risks will continue to proliferate. The introduction of digital automation solutions in Information Technology ("IT") and OT networks to improve productivity, boost operational uptime and enhance safety and quality increases a company's attack surfaces, providing new openings for adversaries.
Mapping the Security Landscape and Recognising Institutional Overconfidence
Accenture's High Performance Security survey shows that approximately one in three breach attempts succeed; security teams identify fewer than two-thirds of them in real-time (often taking months or even years to do so); and energy players underperform the global cross-industry average in cybersecurity, at times significantly.
But energy executives remain highly confident in their ability to execute their cybersecurity strategies. Three-quarters say their organizations view cybersecurity as a board-level concern that their top executives support financially and culturally. And nearly two-thirds say their organizations have completely embedded cybersecurity into their cultures.
Despite their confidence, many energy players admit they lack the ability to monitor for cyberattacks and remain unaware of better ways to protect their organizations. In fact, a concerning 60 per cent of oil and gas executives surveyed claim that cybersecurity is a 'bit of a black box' -- meaning that they struggle to understand when and how cyberattacks might occur. This conflict is at the heart of the challenge facing cybersecurity executives in oil and gas. Businesses must address their changing security requirements -- or risk significant disruptions in production and increased safety concerns.
Some of this apparent cognitive dissonance likely arises because of the complex cybersecurity landscape oil and gas executives must defend. Operational technology produces massive amounts of data each day, which needs to be stored, analysed and applied in near real-time to verify productivity, efficiency and safety.
However, many OT solutions are ancient in digital terms, with design lives that span decades rather than years, and fail to support even basic security protocols such as data encryption.
Nevertheless, the need for real-time data and remote accessibility is driving companies to connect these devices to each other, to the internet and even to corporate networks. While great for operations in the short term, these newly connected, often unprotected Industrial Internet of Things ("IIoT") devices are attracting ambitious hackers looking for alternate attack vectors into operations and back-office systems -- a virtual treasure trove of client data, intellectual property and other information.
Compliance Isn't Enough
Companies can also confuse the achievement of compliance program goals with the actions required to protect the business from breaches. And the opaqueness of compliance programs themselves may contribute to the problem. For example, when asked which factors negatively affect compliance, 70 per cent to 75 per cent of energy executives gave all the listed factors the same highly negative ratings -- indicating a failure to prioritize factors that pose the greatest risk.
When an organisation believes that everything has the same impact, programs tend to lack focus. While security control frameworks and compliance programs often prove extremely helpful in defining foundational thinking, they frequently fail to reflect real-world dynamics. Just as adhering to generally accepted accounting principles does not ensure protection against financial fraud, cybersecurity compliance alone will not protect a company from motivated threat actors.
Overconfidence can also result in a lack of willingness to seek better solutions. For example, when offered additional cybersecurity funding, roughly half would use it to double down on their current strategies, namely protecting the company's reputation and company information. Far fewer (under 25 per cent) would use the cash to protect against financial losses -- a huge consideration in most major hacking incidents -- and just 23 per cent would invest it in staff training, another area that tends to pay outsized dividends.
Cyber Defence from the Inside-out
Organisations often fail to limit internal access to key information, and do not regularly review contract workers with administrator-level access or monitor for unusual traffic or activity on the organization's networks, all of which can have severe cybersecurity consequences.
However, better investments in cyber defense, including advanced analytics on both industrial control systems and corporate networks, can help identify issues that companies might otherwise miss and provide the data cybersecurity executives need to identify and prioritize high-value assets and processes. Oil and gas companies should also look at how they can better use the tools that they already have. Most already have an arsenal of cybersecurity tools at their disposal, but fail to use them effectively. Through improved training and system integration, they can make better use of their technology investments.
Cyber Incident Management Programmes for OT and IT Networks
With oil and gas executives reporting an average of 96 attempted breaches in the last twelve months, it is no longer a matter of if cyberattacks will happen, but when.
This means that cyber incident management programs should be an essential aspect of any comprehensive cybersecurity program. Nevertheless, many incident management programs focus solely on the enterprise and fail to plan for potential cyberattacks on OT networks -- a big problem where safety is concerned. Virtually every energy business has invested in comprehensive environmental, health and safety (EH&S) programs designed to prevent and remediate safety and environmental issues in production operations. But many have not made the link between safety and cybersecurity, even though a successful cyberattack on an ICS environment could result in the same level of impact.
Like EH&S programs, cyber incident management focuses on identifying potential cybersecurity risks and developing comprehensive processes and procedures for dealing with potential issues when they arise. And as OT and IT become more integrated, it's essential that these programs encompass both enterprise and operational control networks and identify responsible personnel from both organizations.
Carefully Test Security Performance
To assess their ability to deal with high-impact threats, whether internal or external, oil and gas companies should "pressure-test" company defenses. Doing so can help leaders understand whether they can really withstand a targeted, focused attack. Organisations can engage external "red team" hackers in a real "sparring match" with their cybersecurity team to quickly determine whether it is up to the task.
Although testing is important, it comes with its own risks, especially in OT environments. For example, a red teaming exercise of an offshore platform's ICS network could cause operators to lose control of production -- inadvertently causing an event with devastating environmental, health and safety repercussions.
Leadership should work closely with operations personnel and technical leadership to understand the capabilities and limitations of their technology infrastructure. Leaders can convene a committee consisting of OT and IT personnel to develop the organization's testing strategy, and set clear rules and limitations for the red team to follow. By involving both the OT and IT organizations in security testing, companies can get a better picture of their cybersecurity program's effectiveness while limiting its potential impact on business and production operations.
Make Security Everyone's Job
Organisations should make state-of-the-art cybersecurity an organisational mindset -- one capable of continually evolving and adapting to changing threats. To foster a culture of cybersecurity and move closer to a state of digital trust, organisations should emphasize an adaptive, evolutionary approach to addressing all aspects of security on an ongoing basis.
This means investing in education and training for IT and OT staff alike so that they can step beyond their comfort zones and collaborate across the organization. Together, they can help devise security strategies that make sense in both business and operational contexts while encouraging deeper engagements with enterprise leadership on a day-to-day basis. Doing so requires IT to speak the language of OT, and vice versa.
The Montblanc Patron of Art Edition is a tribute to one of the greatest patrons of Baroque art and 17th century art collector Scipione Borghese
For over 25 years, Montblanc has recognised the invaluable contribution of modern day patrons of the arts with its prestigious Montblanc de la Culture Arts Patronage Award. In 2017, this prize will be awarded to modern day patrons in 17 countries all over the world. Every year to coincide with the Award, a unique Limited Edition writing instrument inspired by a historical patron of the arts is commissioned to honour the contemporary ones. Montblanc's Patron of Art Edition 2017 pays tribute to Scipione Borghese, the Italian cardinal considered one of the greatest patrons and collectors of Roman baroque art during the 17th century. Scipione Caffarelli Borghese (1577 -- 1633) became one of the wealthiest men of his time after his uncle, Camillo Borghese, was elected Pope Paul V in 1605 and appointed him to cardinal and head of the Vatican's governmental affairs.
Scipione Borghese generously promoted the fine arts and assembled one of the most valuable and significant art collections in Europe. Pieces from the collection are exhibited today at the Louvre in Paris, the Windsor Castle in London and the Villa Borghese in Rome. Under Borghese's patronage, artists like painter Caravaggio thrived and sculptor Bernini created innovative pieces that would become early touchstones of the Baroque style. The Patron of Art Edition Homage to Scipione Borghese honours this great art patron with design details recalling his passion for the arts and the legacy that lives on today through the works he brought together during his lifetime. The art collection at the Villa Borghese in Rome serves as a monument to Roman interior decoration at its most extravagant and houses one of the finest collections of Baroque sculpture anywhere in the world.
The decor and masterpieces of the opulent Galleria Borghese also serve as inspiration for the Montblanc Patron of Art Homage to Scipione Borghese Limited Edition 4810 with its granite barrel mirroring the multi-coloured marble floors of the grandiose rooms.
The embossed ornaments and pattern on the cap and around the cone of this special edition fountain pen don antique motifs as seen on the Borghese Vase. The top shape of the cap, crowned with the Montblanc emblem of black and white precious resin, is reminiscent of a cardinal's hat, while the cone is elegantly set with a red carneol adorned with the portrait of Borghese, reminiscent of one of the ancient coins featuring the cardinal's face. The design of the fountain pen's clip is inspired by the enchanting park at the Villa Borghese with its ancient parasol pines. The artistically created clip brings to mind the branches of these colossal old trees, crowned by a smoky quartz. The Au 750 solid gold ruthenium-coated nib is enriched with an engraving of the Borghese family coat of arms.
Fitting Homage to a Rich Heritage
The dark-green marble on the cap and cone of the Montblanc Patron of Art Homage to Scipione Borghese Limited Edition 888 recalls the floors of the lavish Borghese Gallery. Overlaid on the marble, the intricate skeletonised casing made of Au 750 solid red gold reflects the patterns found on the gallery's floors. The cone and cap ring are finely decorated with antique motifs from the famous Borghese Vase, considered as one of the finest examples of Antiquity decorative art and once housed in the patron's collection.
For this edition, the Montblanc emblem is made of mother-of-pearl while the cone top is a finely crafted coin in Au 750 solid red gold featuring his portrait. The branch-like clip set with a water-drop shaped smoky quartz pays homage to the magnificent landscaped gardens of the Villa filled with its pines, grottos, fountains and romantic corners. The partly ruthenium-coated Au 750 solid gold nib is enriched with an engraving of the great Roman patron's family coat of arms.
Limited to 89 pieces the Montblanc Patron of Art Homage to Scipione Borghese Limited Edition 89 is a masterpiece of Baroque style with the skeletonised cap in champagne gold evoking the Villa Borghese park and a clip embellished with a bright red water-drop shaped Mozambique garnet. Just like a cabinet of curiosities with its colourful drawers and compartments set with bright coloured marbles and inlays, the skeletonised Au 750 gold barrel is inlaid with lapis lazuli, mammoth ivory, paua shell and fossilized dinosaur bone. At the base of the Au 750 champagne gold cone, an ancient Au 750 gold coin displays the portrait of Borghese presiding over this masterpiece.
Limited to just three pieces in reference to the three floors of the Borghese Gallery, a second variation of this writing instrument features many exceptional curiosities. The skeletonised Au 750 red gold cap of the Montblanc Patron of Art Homage to Scipione Borghese Limited Edition 3 features an amber inlay with a prehistoric insect inclusion. A compartment on the side of the cap can be opened like a real cabinet to reveal a skull engraved in mammoth ivory inside. The skeletonised barrel is inlaid with a colourful pairing of jade, bull's eye, opal and fossilised coral. An intense red garnet adorns the base of the cone, while crowning this precious edition, the Montblanc emblem in the cap top is set with diamonds and the branch-like clip is set with a water-drop shaped diamond.
To accompany these four limited edition writing instruments, Montblanc has created two pairs of limited edition cufflinks featuring design references inspired by Borghese's legacy. Limited to three pieces, a pair of red gold oval cufflinks is inlaid with amber with an insect inclusion to evoke the curiosities the cardinal collected during his life. Only the most rare amber has been used, sourced in the Bay of Gdansk and estimated to be between 40 and 50 million years old.
The unicorn cufflink mechanism features an onyx pearl at the opposite end of the amber. A second pair of circular cufflinks is designed around ancient silver coins framed in red gold. Every coin is certified and authentic to the Roman and Greek era and area. Because each coin is unique, the shape and frame of the cufflink is different making each of the 10 sets truly exceptional. While Scipione Caffarelli Borghese dedicated much of his wealth and time to the patronage of arts, Montblanc lends its passion for artistry and craftsmanship to a fitting tribute to an exceptional patron who surrounded himself with the most extraordinary works, and ensured their preservation for future generations.
The Montblanc Patron of Art Edition -- Homage to Scipione Borghese is available in Montblanc boutiques worldwide from April 2017. For more information visit www.montblanc.com
Copyright 2017 United Press and Publishing LLC Provided by SyndiGate Media Inc. ( Syndigate.info ).