ISACA Journal
Volume 4, 2018

Features 

Data Spill Lessons From the Oil Industry 

Sridhar Govardhan, CISA, CISM, SABSA 

Historically, data management was a money outflow for organizations; the primary expense was allocated to data archival to comply with regulatory requirements. However, recent innovations in big data technology, complemented with cloud storage technology, have revolutionized how an organization’s business intelligence is obtained from data produced from these technologies. This concoction of software and hardware technologies has powered organizations to generate a treasure trove of insight about their customers, partners and investors. Organizations now have the capability to offer improved customer experience, new service models and higher return on investment, using these technologies.

Organizations have made huge investments in this data life cycle management. A study reveals that 2.5 exabytes of data are generated in a day, doubling every two years.1 The journey of data from cost burden to business enabler has generated a new buzzphrase referring to data as “the new oil.” Even though this is a financial reference, this comparison between data and oil appropriately incorporates information security aspects as well.

The oil industry’s biggest nightmare is an oil spill, which can cost millions to contain, have a massive impact on the ecosystem, incur regulatory penalties and erode the brand. A similar scale of impact is observed when a data spill occurs. Oil spills have a much higher impact on living beings and the ecosystem than data spills, whose aftereffects depend on the relative value of the data contents. The other impacts—regulatory penalties, brand erosion, competitive losses, investigation charges and economic damage—are equivalent to those related to oil spills.

A few other commonalities include threat actors (insider and external) and containment steps. The oil industry has matured its processes of handling oil spills.

Security professionals can learn from the oil industry how to build an incident response strategy to handle unforeseen events. There are several key factors to consider.

Prevention and an Early Warning System Are Wiser Investments Than Containment

Oil spills can be disastrous to an oil company, causing both tangible and intangible losses. In the largest oil spill, the responsible oil company had to spend a whopping US $62 billion for containment (clean-up costs, court fees, penalties and settlement).2 Global oil companies are now aware of the repercussions of a spill, and they know the cost of containment is many times the cost of preventive and early warning controls. Preventive and early warning controls are designed and implemented from oil production to distribution. High-risk zones have more sophisticated controls deployed. For example, a spill from a platform is a considerably elevated ecological risk and more challenging to contain, so satellite-based monitoring3 is used as an early warning system for oil companies.

The containment expenditure of a data spill for organizations, governments and industries is huge. In a few highly regulated segments (financial, healthcare and telecom) and for organizations operating from certain geographies, the cost of data spill containment could lead to bankruptcy. Some key lessons for information security are:

  • Organizations should adopt the approach of protecting the most essential data and deploy controls from the source of data to transport, consumption, storage and disposal. Implementing preventive controls may not always be feasible. In that case, they can be complemented with early warning/detection controls.
  • Managing legacy end-of-life (EOL) assets that still hold substantial value and cannot be retired could be a significant liability to organizations. Organizations can invest in building continuous monitoring capability, which can provide early warning.

To Survive a Crisis, Plan Well and Practice in Advance

The oil industry has mature oil spill incident response plans and highly efficient response strategies. The incident response process4 is defined to follow the trail of oil flow,5 an approach that ensures critical assets are covered and enables the response strategy to focus primarily on minimizing the impact and initiating containment procedures. A platform oil spill incident response plan is very different from an oil distribution incident response plan.

Several key lessons can be applied to information security:

  • It is time for enterprises to start working on incident response strategies to handle data spills if they have not done so already.
  • Organizations should consider designing, developing and implementing segmented incident response strategies to manage data spills. A segmented response plan aligned with the data flow trail will be advantageous in building adequate responses and will assist the engineering team in security controls design focused on threat prevention, detection or mitigation.
  • Providing training to users about the response plan6 and their duties and responsibilities, and subsequently conducting drills of the response plan, can provide valuable insights into gaps in the plan, operational challenges and people issues. Gaps identified during the drills need to be fixed. Repeating this cycle a few times can go a long way toward enabling the team to handle a crisis efficiently.

Figure 1 outlines the steps in the containment processes for an oil spill and a data spill crisis.

Oil Companies Run on External Collaboration

Most oil companies today have negligible assets of their own; they function in a model wherein partners operate every other element for them, be it exploration, rig, transportation or monitoring. This enables them to focus on their core business of oil, and only oil. Today, organizations looking to be successful must focus on their core business and opt out of activities that add no value to that core business. In today’s digital world, entrusting a partner with access to business data is a cause for concern. The oil industry underwent this same dilemma long ago and has mastered the art of managing partner collaboration. Over the years, experience has made oil businesses build robust governance.

The key lessons for information security are:

  • The vision and objective should focus on safe data production, secure data transport, safe distribution, secure consumption and disposal.
  • Enterprises (large, medium or small) that rely on extensive collaboration with external partners for their key operations should develop a robust vendor risk management (VRM) program. The VRM framework should ensure that adequate information security controls are defined as part of the contract and any additional regulatory obligations.
  • The VRM program should encompass key performance indicators (KPIs) and metrics to measure control enforcement, health monitoring and periodic compliance reporting.

Human Error Can Be Costly, and People Play a Vital Role

In oil production, refinery, storage and distribution, staffs (employees/contractors/vendors) play a vital role in operations. An error (possibly inadvertent) caused by staff can lead to a disastrous situation. Over the years, experience and lessons learned in the oil industry have ensured that staffs are highly trained on standard operating procedures, and they are augmented with adequate controls to monitor and prevent any advertent or inadvertent mistakes. For example, everyone who enters a rig platform is mandated to first complete Basic Offshore Safety Induction and Emergency Training (BOSIET). Entry to the platform is denied until the training is completed.

The key lessons that can be applied to information security are:

  • Multiple recent data spills happened due to errors and omissions caused by humans. The causes varied, including lack of awareness, inadequate monitoring and disgruntled staff.
  • Empowering staff with adequate awareness, complemented with the right set of controls to monitor, can deter or prevent inadvertent errors.
  • The effectiveness of any training diminishes with time if it is not reviewed and practiced frequently. It is useful to build layered sessions of face-to-face training, computer-based training, emails, posters and quizzes.
  • Periodic simulations should be performed to test awareness levels and provide real-time feedback.

Oil Spills Will One Day Wash Ashore

If people responsible for containment of an oil spill decide to cover up the incident, they can hide only until the oil washes up on the closest shoreline. Anything spilled will ultimately flow downhill and eventually become visible to the world.

The key lessons for information security to remember are:

  • This is also true for data spills. Recent incidents7 have shown that executives who decided to cover up breaches eventually had to face legal entanglement.
  • The incident response strategy should incorporate a country-specific data breach incident notification process along with timelines for reporting.
  • The individual responsible for containment of data spills should follow the steps defined in the incident response plan and involve respective stakeholders.

Conclusion

In the digital era, the value of data is beyond oil. Threat actors are continuously evolving their strategies and are developing innovative ways to compromise networks for gaining access to the new-found oil. This compels the enterprise to identify its crown jewels (data) and build adequate preventive, detective and/or corrective security controls to counter cyberthreats.

A paradigm shift is required from traditional security. Security practitioners should start focusing on what matters most, which most enterprises would recognize as data—their most valuable asset. Organizations should apply a data-centric design principle to create security that encompasses technology, people and processes. This innovative approach will bring an epic shift in the way security is perceived when it comes to protecting critical data assets and responding to threats.

Endnotes

1 IDC, The Universe of Opportunities: Rich Data and the Increasing Value of the Internet of Things, April 2014, https://www.emc.com/leadership/digital-universe/2014iview/executive-summary.htm
2 Amon, M.; T. Panchal; “BP Puts Tab for Gulf Disaster at $62 Billion,” The Wall Street Journal, 14 July 2016, https://www.wsj.com/articles/bp-estimates-remaining-material-deepwater-liabilities-1468517684
3 Ayasse, R.; “Satellite-Based Monitoring of P&A Assets,” Konsberg Satellite Services, https://www.oceanologyinternational.com/__novadocuments/230260?v=635950458763470000
4 The Response Group, BP Gulf of Mexico Regional Oil Spill Response Plan, http://housedocs.house.gov/energycommerce/Docs_06152010/BP.Oil.Spill.Response.Plan.pdf
5 Sakhalin Energy’s Health, Safety, Environment and Social Action Plan, Summary of Oil Spills Prevention and Response Plan for Prigorodnoye Asset Offshore Operations, 2011, www.sakhalinenergy.ru/media/library/eng/Environmental/OilSpillResponse/5.4_Prigorodnoye%20Offshore_Summary%20ENG.pdf
6 Government of the Northwest Territories of Canada, “Spill Response Procedure,” 2014, http://ith.dot.gov.nt.ca/sites/default/files/2014-04-28_spill_response_procedure.pdf
7 Weise, E.; “Uber Paid Hackers $100,000 to Hide Year-Old Breach of 57 Million Users,” USA Today, 21 November 2017, https://www.usatoday.com/story/tech/2017/11/21/uber-kept-mum-year-hack-info-57-million-riders-and-drivers/887002001/

Sridhar Govardhan, CISA, CISM, SABSA
Is general manager and head of Cyber Security, Wipro. His core competency has been accumulated over 18 years of professional experience in the business-critical domains of cyberdefense, information protection and regulatory compliance. He has a proven track record of spearheading organizational initiatives in building defensible enterprise networks. Govardhan has earned 11 industry-recognized certifications in the domains of IT, information security, security frameworks and secure enterprise architecture. He has three patents (pending) in cognitive security.

 


Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.