Dec. 31 -- Hackers have gotten smarter and bolder in their recent attempts to steal coveted oil company data. Mario Chiock has worked for years to keep them at bay. Chiock joined Schlumberger in 1980 as a field engineer, but his traditional oil industry career took a turn in the mid-1990s when he began researching a new threat to corporate security, one that emerged alongside advanced computers and the internet. At the time, most in the oil industry had never heard of cybersecurity, much less practiced it.
Over the years, Schlumberger's top cybersecurity adviser founded industry groups dedicated to educating oil companies on securing computer systems and sharing information between firms about cyber-incidents, as a way to learn how to guard against attacks.
The initiatives he began at Schlumberger aim to teach employees that they're key to its cybersecurity. For example, Schlumberger sends its employees test phishing emails to see how many click on a link or email attachment.
"We need to make sure we're always a few steps ahead of them," Chiock said. He spoke about his experience and Schlumberger's cybersecurity efforts. Edited excerpts:
Q: When did the oil and gas industry first recognize a need for cybersecurity?
A: In the late 1990s, Schlumberger realized protecting our customers' data was part of the service. But that was very early -- most companies didn't look into security at that time. When I moved into our corporate offices in New York in the mid-1990s, one of the things that caught my attention was the level of confidentiality and security needed at a corporate office.
Q: How can companies prevent cyberattacks?
A: Eighty percent of breaches can be avoided by doing basic things. Change default passwords. Don't use insecure protocols. Patch vulnerabilities on a monthly basis. It's cyber-hygiene. Technology alone isn't going to give you better security. You need to ensure you have the right people, trained people, and you have to have processes updated to the 21st century. Companies can't afford not to do at least basic security.
Q: How often does Schlumberger send phishing emails to its employees?
A: At least once a quarter. One we did a year ago told people they were going to lose their vacation. That was nasty. It could be anything: Click here to review your benefits. It could be about a package you received, or that your Yahoo account has been compromised, so click here and change your password. Every company needs to do this. When you learn, you're more prepared. Incidents may happen, but you'll be able to mitigate it or control it a lot quicker.
Q: What other cybersecurity programs has Schlumberger implemented?
A: You need to make sure you have drills -- fire drills for cybersecurity. We include cybersecurity scenarios as part of the crisis management drills we do on a regular basis. One scenario was, at a certain time, some computers became useless. People react, and we learn from that. Another scenario is a company website might be defaced. Or if the network goes down, how are we going to close payroll? We make sure we have a process in place regardless of whether our computers are working.
Q: Oil and gas companies often rely on outdated software, such as Windows XP, in control systems that manage field operations. How do you design security around these systems?
A: That's very true. And by the way, it isn't only true of the oil and gas industry. Industrial control systems don't run standard operating systems. They may be running an embedded Windows system, which you can't put anti-virus programs on. So control systems shouldn't be connected to the internet or a corporate network.
Q: Tell me about the state of cybersecurity for industrial controls in the oil and gas industry.
A: Back in the late 1990s, we had two groups of people, the traditional IT people and the operational technology people who were responsible for field operations. They didn't talk to each other. In 2005, we started integrating them. I got record miles that year, and I went around the world to our research centers, working with them to integrate. Cybersecurity should be under one umbrella. Information and operational technology need to have the same vision. You cannot treat their security as silos.
(c)2016 the Houston Chronicle
Distributed by Tribune Content Agency, LLC.