
    Q&A: Neglect the basics at your peril, cybersecurity strategist says


    December 31, 2016 - By Collin Eaton, Houston Chronicle

     

      Dec. 31--Hackers have gotten smarter and bolder in their recent attempts to steal coveted oil company data. Mario Chiock has worked for years to keep them at bay. Chiock joined Schlumberger in 1980 as a field engineer, but his traditional oil industry career took a turn in the mid-1990s when he began researching a new threat to corporate security, one that emerged alongside advanced computers and the internet. At the time, most in the oil industry had never heard of cybersecurity, much less practiced it.

      Over the years, Schlumberger's top cybersecurity adviser founded industry groups dedicated to educating oil companies on securing computer systems and sharing information between firms about cyber-incidents, as a way to learn how to guard against attacks.

      The initiatives he began at Schlumberger aim to teach employees that they're key to its cybersecurity. For example, Schlumberger sends its employees test phishing emails to see how many click on a link or email attachment.

      "We need to make sure we're always a few steps ahead of them," Chiock said. He spoke about his experience and Schlumberger's cybersecurity efforts. Edited excerpts:

      Q: When did the oil and gas industry first recognize a need for cybersecurity?

      A: In the late 1990s, Schlumberger realized protecting our customers' data was part of the service. But that was very early -- most companies didn't look into security at that time. When I moved into our corporate offices in New York in the mid-1990s, one of the things that caught my attention was the level of confidentiality and security needed at a corporate office.

      Q: How can companies prevent cyberattacks?

      A: Eighty percent of breaches can be avoided by doing basic things. Change default passwords. Don't use insecure protocols. Patch vulnerabilities on a monthly basis. It's cyber-hygiene. Technology alone isn't going to give you better security. You need to ensure you have the right people, trained people, and you have to have processes updated to the 21st century. Companies can't afford not to do at least basic security.

      Q: How often does Schlumberger send phishing emails to its employees?

      A: At least once a quarter. One we did a year ago told people they were going to lose their vacation. That was nasty. It could be anything: Click here to review your benefits. It could be about a package you received, or that your Yahoo account has been compromised, so click here and change your password. Every company needs to do this. When you learn, you're more prepared. Incidents may happen, but you'll be able to mitigate it or control it a lot quicker.

      Q: What other cybersecurity programs has Schlumberger implemented?

      A: You need to make sure you have drills -- fire drills for cybersecurity. We include cybersecurity scenarios as part of the crisis management drills we do on a regular basis. One scenario was, at a certain time, some computers became useless. People react, and we learn from that. Another scenario is a company website might be defaced. Or if the network goes down, how are we going to close payroll? We make sure we have a process in place regardless of whether our computers are working.

      Q: Oil and gas companies often rely on outdated software, such as Windows XP, in control systems that manage field operations. How do you design security around these systems?

      A: That's very true. And by the way, it isn't only true of the oil and gas industry. Industrial control systems don't run standard operating systems. They may be running an embedded Windows system, which you can't put anti-virus programs on. So control systems shouldn't be connected to the internet or a corporate network.

      Q: Tell me about the state of cybersecurity for industrial controls in the oil and gas industry.

      A: Back in the late 1990s, we had two groups of people, the traditional IT people and the operational technology people who were responsible for field operations. They didn't talk to each other. In 2005, we started integrating them. I got record miles that year, and I went around the world to our research centers, working with them to integrate. Cybersecurity should be under one umbrella. Information and operational technology need to have the same vision. You cannot treat their security as silos.

      ___

      (c)2016 the Houston Chronicle

      Visit the Houston Chronicle at www.chron.com

      Distributed by Tribune Content Agency, LLC.
