Pub 2 2020-2021 Issue 3

I believe ARN, like most organizations, recognizes the evolution of cyberattacks as technology has matured and grown to be more embedded in our lives. continuity, management organizations need to have robust cybersecurity capabilities and promote proper cyber hygiene at the facilities they manage. Our leadership has served in the military and worked in the highest of fices of government. They understand this evolving need well. They established Woodstar Labs to improve AUI’s cybersecurity operations, increase our capacity as a management organization, and make the highest and best use of our capabilities as a nonprofit, nonmember institution. In addition to securing ourselves and our managed facilities, AUI and Woodstar Labs are focused on securing critical infrastructure. We convened the National Commission on Grid Resilience, led by General Wesley Clark (U.S. Army, retired), to provide nonpartisan, actionable recommendations to secure our electrical grid. Leadership at the North Carolina State Board of Elections understands the need to secure critical infrastructure, too. They were our first clients in the election space, and we continue to work together as Woodstar Labs explores securing states across the country. Cybersecurity has been important for a while now. The following website link (https://www.arnnet.com.au/slideshow/341113/top-10- most-notorious-cyber- attacks-history/) lists an attack as early as 1988. What do you think about the list ARN staff put together? Would you change it in any way? I believe ARN, like most organizations, recognizes the evolution of cyberattacks as technology has matured and grown to be more embedded in our lives. They did a nice job of capturing some of the earliest attacks. As the technology and the population that leverages it both grow, we will experience additional cyber threats and new attack vectors. Areas that we see the most concerning are areas within the critical infrastructure space. As mentioned in the ARN article, cyberattacks are nothing new, but the areas and ways they are targeting our environment are. One example that comes to mind within the critical infrastructure environment was Stuxnet. It really changed the landscape of cyberattacks. The malicious computer worm, uncovered in 2010, targeted ICS networks in the critical infrastructure environment. Another ICS-related cyberattack worth mentioning is the malware known as TRISIS that af fected Triconex/Triton engineering systems. This malware targeted the safety interlock systems at a large oil/gas facility in 2017. The malware could allow the attacker to either change process setpoints, causing physical damage, or shut down the system, resulting in process downtime. It is important to follow these reports. They show the level of sophistication in cyberattacks and the importance of organizations to acknowledge these attacks in their own risk analysis. The book Dark Territory: The Secret History of Cyber War by Fred Kaplan does an outstanding job of tracing the roots of some of the most damaging cyberattacks since the 1980s – I highly recommend it. What can you tell me about the Colonial Pipeline ransomware attack in May 2021? As mentioned by our own federal government and others in the field, we need to consider that attackers target our critical infrastructure environments by leveraging either known or unknown attack vectors. I think we all need to assume that we are a target and include these scenarios as part of our own internal risk assessments. By doing so, organizations may see the need to change processes, policies, or procedures to mitigate, transfer, or avoid the risk. Unfortunately, I think we will see an increase in these types of attacks. OT and common IT networks are converging to either increase ef ficiency and/or reduce process expenses. Operations managers need to continue to ask “what if " scenarios on their processes with a focus on cyber threats. According to an online news story, the Colonial Pipeline ransomware attack has prompted changes in federal pipeline security guidelines (https://www.nbcnews.com/tech/security/ colonial-hack-dhs-issues-first- cybersecurity-regulation-pipelines- rcna1050). Had petroleum companies put any security measures in place before the attack? From our experience with previous clients and companies we supported, we of ten find that they have a level of security in place. However, we of ten coach organizations to better understand that as technology and systems evolve to be more dependent on network connections and real-time data, we must consider that the attack vector changes drastically. We must assess risks regularly and ensure that we train our staf f by developing critical cyber skills to address the ever-evolving attack landscape. What changes have companies made since the attack? We see organizations starting to talk about it more. Leaders are prioritizing and allocating more resources and attention to the issue. If organizations are still unsure of the first steps, we recommend leveraging a good partner in the industry to start the process. Doing so ensures that organizations will not be working in a silo and will allow for a depth of experience. What security guideline changes do you expect to see in the future? DoD will soon require organizations doing business with DoD to pass a new cybersecurity standardization, called the Cybersecurity Maturity Model Certification or CMMC (https://cmmcab.org/cmmc-standard/) . This new model will require organizations to meet various cybersecurity maturity levels based on the type of business they are pursuing with DoD. Other federal organizations have also unofficially stated that they intend to have their contractors, supplies and supporting service providers meet these requirements. AUI is a leader in CMMC and supports organizations as they prepare for these new guidelines and requirements. We focus on education, training, consulting, and assessing for these new cybersecurity requirements. Do petroleum companies support the changes being mandated by the Department of Homeland Security? Within our partnerships and networks, we see many organizations working together to understand the risks and how the government can influence the best practices, specifically within the critical infrastructure environment. We see many opportunities where both the government and private industry can solve these complex issues. Continued on page 10 9 UP DATE

RkJQdWJsaXNoZXIy MTIyNDg2OA==