00:00:00 Speaker 1
This episode of the Energy Pipeline is sponsored by Caterpillar Oil & Gas. Since the 1930s, Caterpillar has manufactured engines for drilling, production, well service and gas compression. With more than 2,100 dealer locations worldwide, Caterpillar offers customers a dedicated support team to assist with their premier power solutions.
00:00:27 Speaker 2
Welcome to the Energy Pipeline Podcast with your host, KC Yost. Tune in each week to learn more about industry issues, tools and resources to streamline and modernize the future of the industry. Whether you work in oil and gas or bring a unique perspective, this podcast is your knowledge transfer hub. Welcome to the Energy Pipeline.
00:00:51 KC Yost
Hello, everyone, and welcome to this episode of the Energy Pipeline Podcast. Today, we'll be discussing a very interesting and what I feel to be a very relevant topic, cybersecurity in the energy industry. We're fortunate to have Philippe Flichy, fractional business information security officer at Cykur, as our guest. Welcome to the Energy Pipeline Podcast, Philippe.
00:01:13 Philippe Flichy
Thank you very much, KC. Very happy to be here.
00:01:16 KC Yost
Yeah. foreign language
00:01:18 Philippe Flichy
foreign language
00:01:19 KC Yost
Good. So I've used up all of my high school French. Very good. So anyway, great to have you here. Thanks so much for joining. So before we get started talking about cybersecurity, could you take a few minutes to share your background with our listeners?
00:01:35 Philippe Flichy
Yes. Well, I guess you just got it. I'm originally French. I first went to the US, I was 19 years old, one way ticket, 500 bucks. I managed to study in many universities for six and a half years. Went back to France and then back to the US to run the Olympics in Salt Lake City in 2002, and then Schlumberger acquired us and the rest is history. I was dumped into oil and gas.
00:02:05 KC Yost
Dumped into oil and gas. I bet that Olympic experience was really pretty cool.
00:02:11 Philippe Flichy
It was tense but cool, and that was definitely a big exposure to cybersecurity. At some point, we had a whole delegation of FBI cyber experts moving from the United Nations to Salt Lake City to help us, and it's been very, very useful for us.
00:02:31 KC Yost
Sweet. That's great. That's great. That's fantastic. Anyway, so glad to have you here. Let's get into cybersecurity. So it appears that cybersecurity appears in the news on a regular basis, and in some cases, it's telling us about the compromise of very large companies. Colonial Pipeline comes to mind. What's your take on the risk for energy companies today?
00:02:58 Philippe Flichy
It's very big, and actually, let me rebound on this Colonial Pipeline event. It's been definitely a learning experience for the cybersecurity community. They originally targeted the IT system, which is the information technology system, yet the company wasn't sure and it would actually get into the OT system, which is the operational technology, your SCADA systems and systems that are controlling machines and pipelines and things like this. Nowadays, IT and OT systems are extremely integrated because we want to get information from those OT systems to integrate that into the way we manage all our operations. I gathered actually that the metering system was still working but it could not communicate with the billing systems, so you see how integrated things are. Some debrief that I had through InfraGard, which is this partnership for private citizens with the FBI, it seems that actually some Russian actors wanted to test the robustness of our infrastructures and some others thought that actually they gave too much away by doing this. But what is very concerning is that indeed, we talk about those big events and not about the smaller ones. And midsize and mid-market energy and utility companies are more at risk of being compromised than the large ones, but they don't make the news. For example, companies that are between 110,000 employees are getting over 80% of their cyber attacks leading to a material damage last year in 2023. And material damage, it can be a financial impact, it can be a reputational damage, a data breach, a business continuity issue. Midsize companies on average take 21 days to recover from a cyber attack. I can go on a lot, but I think I've already talked a lot.
00:05:38 KC Yost
Yeah. So what I'm hearing you say is that the technology that we're using to make life easier for us to operate and maintain pipeline systems, production platforms or whatever the case may be, is giving an opportunity for bad actors, if you will, to have access to even more of our assets than we did when, as you were talking about, IT and ops were separated. Did I say that right?
00:06:15 Philippe Flichy
Yes, absolutely. And actually, not only energy, one of the big discussions today in the Department of Defense is the replacement of our nuclear heads or actually the launching systems because they were analog so there were no way you could get into the system. And of course, we would replace them with a digital system. So you see, every time you put digital equipment, then now you are opening an avenue for people for remotely getting into your systems.
00:06:48 KC Yost
My, oh my. Okay. All right. Well, I'll back off the nuclear stuff and I'll ask you about the energy and the utility industry. So how does the exposure for the energy and utility industries compare with other industries regarding cybersecurity risk, greater, less, more, the same?
00:07:12 Philippe Flichy
Unfortunately, we are at the top of the list so we're not in a good position. And not only that, but we are considered by the US government to be part of the national infrastructure. The average cost of data breach in the energy sector last year was just under $5 million per breach. And bear in mind that 54% of the worldwide cyber attacks are actually reserved for the US.
00:07:47 KC Yost
My, oh my.
00:07:48 Philippe Flichy
This makes mid-market energy companies totally at risk. It's really bad.
00:07:57 KC Yost
That's a tremendous exposure. And compared to other industries, we're right at the top of the list, huh?
00:08:04 Philippe Flichy
Yeah, we are.
00:08:04 KC Yost
Okay. So what are the most common types of cyber risks in the energy industry?
00:08:13 Philippe Flichy
So they are the same as for any industry. It starts with social engineering. So social engineering is figuring out, getting information from everything that is around, plus contacting the people and trying to get information from them. In 2023, 85% of all the breaches involved some kind of human interaction. For instance, I think everyone heard about the Las Vegas casinos being attacked this year. They got it through the tech support. They talked to tech support and have been able to get the information they needed. What I'm observing with the clients that I'm serving is that email business compromise, and I'm not the only one, it's a statistic, is totally on the rise. And I will describe a little bit what it is. So basically, the idea is whether it makes you believe that you received an email from someone or actually get into the email system of a company and then start sending email on behalf of the person that was supposed to send the email, if you see what I mean by on behalf.
00:09:37 KC Yost
Sure. I actually have a little bit of experience in that, if you will, in that I still work part-time for an engineering firm who has clients who require us, and this is how you and I met, actually has clients that require our IT guys to send out phony phishing emails to get us to practice not opening those emails because the operating companies that we work for are concerned that once they get into our system, then they have access through a back door to their system. And so it goes on and on from there, right?
00:10:25 Philippe Flichy
Absolutely right. And actually, that's one other reason why the midsize companies are a big target. Sometimes they are not even the one that get the ransomware. The guys are really trying to go from there to somewhere else or steal information that they want to know, whether intellectual property or business information to bid against others. And I can tell you stories from all the companies I worked with where they were clearly taking information from us and underbidding us at the last minute.
00:11:02 KC Yost
Really? Wow. Yeah. So from an operating company standpoint, again, we talk about my company's clients and other exploration and production companies or pipeline companies or whomever we're talking about. They have a lot of remote equipment that are run by controls from a central location. Is that a pretty large exposure as well?
00:11:33 Philippe Flichy
It's certainly increasing a lot. Some of my partners who I used to work with in some of the big names of the oil and gas service companies are now really specializing in this IT/OT merger because you can totally block the systems. If you have a pipeline that brings you X amount of revenue per day and suddenly you say, "Well, if you don't give me the money, then basically the 10X, then that means that in a few days basically, you've lost more than what I'm asking you."
00:12:18 KC Yost
Yes, yes. So this gets back to the Colonial thing where you said that the measurement system, Colonial is not a gas company, anyway, Colonial's metering systems were working properly, but it wasn't sending the information over to the billing group. So that's what's happening here. So that would be a perfect example of how the remote equipment controls can be affected by bad actors, right?
00:12:49 Philippe Flichy
Yes. In that case, actually, it was the main system, the billing system that was not working and could not get the information from the sensors. And that's great. That shows how the integration between the two systems, you block one, you block the other. Basically, that's the deal.
00:13:11 KC Yost
I got you. Okay. All right. So what's the way forward? What's the best approach for a midsize energy company with remote locations to protect themselves? Is there a silver bullet that they can use?
00:13:25 Philippe Flichy
I wish I could say yes, but one thing that we observed is that midsize companies tend not to have literally the army of people that are working in the cybersecurity for the large companies. So we have to find ways to help mid-market companies to get the resources on a fractional basis that the other guys have internally full-time. They need to externalize that access to the right experts. And I can understand that it feels very uncomfortable to say, "You know what? I'm actually giving the keys of the company to those guys that I barely know." Well, that's the point. You need to get to know them so that you can trust them. And let me give you a parallel. Midsize company, it's the same thing. In a large company, you may have a bunch of different lawyers with different specialties working within the company, but in the midsize companies, you may have one internal trusted in-house lawyer or actually external, and he or she will be the one that will direct you to the trusted experts in specific areas of the law that you need. And you would be hard-pressed to find them on your own because you're not a specialist of those very specific parts of the law. It is exactly the same for the cybersecurity.
00:15:05 KC Yost
So let's say I'm an IT guy inside an operating company. It's a midsize operating company. And this goes down a little rabbit hole. Is there an organization that I can go to that Cykur and other companies like yours belong to that we can go and find reputable people? Are there certificates? Are there certifications or something like that in the industry that you can start to find someone to build a relationship with?
00:15:43 Philippe Flichy
Absolutely. So yes, there are many companies that provide that. You have a lot of accounting firms now that are helping usually the larger clients but with all the cybersecurity aspects. You talked about certifications. You want to know that the person you employ has the right knowledge or experience. So typically, whether you want to have the certifications like a diploma or you want to know the track record of the people and what they've done. The other aspect is for the companies themselves to get certified. So one thing we do is that we help the companies to get to a level where they are certified. The most common one is called SOC 2. It is actually delivered by an accounting firm because it was started by the National Accountant Association. And that gives you a label that says, hey, that company follows all those processes that lead to having a good cyber hygiene and keep the data safe and keep the whole processes in check.
00:17:14 KC Yost
So how does a company go about externalizing some of the cyber risk management? What do you suggest?
00:17:23 Philippe Flichy
Well, of course, I'm going to say come and talk to me. But more realistically, you need to find someone that can help you to understand your needs, the purpose of the systems that you want to put in place and how they complement each other. The general tendency is to say, oh, I'm going to use that technology, that shiny object, and that's going to solve everything. Well, that's actually usually not the right approach. You need to take a step back and first really understand what we call the crown jewels. What are the important things in terms of data or processes or whatever is the core things of your company? What we do is that we go through those things and we say, "Hey, if you were missing an eye, could you still drive? If you were missing two eyes, can you still drive?" You see the analogy here.
00:18:30 KC Yost
Sure.
00:18:32 Philippe Flichy
And we go through the whole type of things. It could be the eyes. It could be the ears. And that way, you start having a global view and then you define the appetite for risk. There's a whole equation between the tools you can put in place, the methodologies, process and procedures that you can put in place and, of course, the insurance you can put in place so in case something happens, you can fall back to that. But insurance is getting harder and harder to get in terms of protecting your cyber risk. And more now they're actually telling you, do you have this and that system in place, then I can insure you; otherwise, I'm not too sure. And the big mistake people make is to think that their general liability will cover the cyber risk because there's a lot of exclusions and at the end, it's not that obvious that they will be properly covered.
00:19:41 KC Yost
Wow. It sounds like a great topic for a podcast just on its own right there. How interesting, how interesting. So when you're putting all of this plan together, are you looking at the cultural and systematic divide, if you will, between IT and OT and the conversations? And how do you build the structure? Do you build it first with IT and then OT or do you try to combine it? How does that all fit together?
00:20:21 Philippe Flichy
I don't want to advertise for anything, but we are the few, part of the few that have realized that IT and OT risk management system should be integrated and planned together. There's a lot of cyber information security officers that are not coming from the industrial environment and have less understanding of the OT environment. On top of that, it's interesting because OT and IT experts will use certain terms to mean something different. So you really need to know how you interpret and make sure that the language you're using will be properly understood by the person you're talking to.
00:21:23 KC Yost
I see. I see. So you guys, in particular, Cykur, will put this together and talk to IT and OT, make sure they're talking the same way and build a system that will help both succeed. So I understand that Cykur offers this type of service that we're talking about. What does a typical engagement look like when you specifically are talking to a new client?
00:21:56 Philippe Flichy
Well, we start with a one-hour complimentary review. Basically it's a high-level discussion, try to understand a little bit the cyber posture of the company. And typically out of that, we can define whether or not it would make sense to engage just for one-day assessment and take those 18 categories that we have reviewed during the one hour into a much deeper level. And when we say one day, it doesn't mean that it's from nine to five one day. It can be different sessions because it's a little bit excruciating to start having the inquisition of, the two face, asking all those questions, but they are very useful. It's a standard process known in the industry of those 18 categories and we try to gauge the resilience and where are the ones that are pretty good and the one that maybe need some help. And actually, in order to visualize that with the report that we write after that day, we include a spider diagram because then you can clearly see, oh, I'm doing pretty good here, but over there, maybe I need some help. And then if they want, they work with us or someone else, but now they know that there's weaknesses that they need to address.
00:23:25 KC Yost
So basically the company, the client needs to pull the drapes down or the covers off of whatever they have and expose all of their assets to you in order to understand what they need to do to be cyber secure. And what you guys do is start at the big end of the funnel, if you will, with the introductory visit and then the one-day visit or whatever the case may be for them to build a level of confidence in your abilities and your credence in getting the work done. Am I following that right?
00:24:14 Philippe Flichy
Yes. And honestly, a lot of our business comes from referrals because of course, the best thing you can do is having someone say, "Talk to those guys. They really helped us." And what we do is we ask tough questions about do you have a business continuity plan, a disaster recovery, an incident response plan? When was the last time that you revised all that information? Do you rehearse them? Staying in the oil and gas environment. After the Macondo event happened in the Gulf of Mexico, I was part of one of these large oil and gas service companies, and we did a whole analysis to understand what happened. And what we realized, working with some experts from Harvard actually, is that the automatism for reacting wasn't there. The brain has different parts of course, and you want to build a sudden event level of muscle memory. You want to be able to do things automatically. And I'm going to give you an example. I think most of the people listening to the podcast, and you and I included, the first time we drove a car, we were not particularly at ease.
00:25:50 KC Yost
Right.
00:25:50 Philippe Flichy
And look, after time-
00:25:53 KC Yost
By the way, just to be clear, neither was my father. Okay, go ahead.
00:26:00 Philippe Flichy
So we build those muscle memories, we build those things that become automations, and now we react to things without even thinking, and sometimes may even be a little bit dangerous but it's good. We prevent a lot of things. You were talking about culture earlier. We are big believers that all the users are the first responders. They are the first line of defense. The more they build those muscle memories and learn how not to click on this, not to do this, not to do that, helps. You were mentioning those phishing tests that a lot of companies are doing. We complement that with actual one-on-one lunch and learns, brown bags. You come with your sandwich and we have a discussion. And we help people get more at ease with those challenges. I think a lot of the problem is that if you... That's why I think the car example is really good because the more you drive, the more you feel comfortable about it. There's no mystery about it. It's the same with figuring out what's happening around.
00:27:24 KC Yost
Got you. Got you. So basically, what I'm hearing you say is that cybersecurity is much more than just a technological answer.
00:27:36 Philippe Flichy
Technology is the easiest part.
00:27:39 KC Yost
Well, there you go. There you go. There you go. So let's talk about the easy part. Okay. What about the technological aspects that you might need to delve into?
00:27:52 Philippe Flichy
Well, usually you arrive, you see what the company already has in systems, whether it can be improved and how it can be complemented with other things. But usually, we point people to where you can externalize certain aspects. One example for instance is the security operation center. It costs a lot to have someone permanently looking at a screen and figuring out what's happening. Is there any type of attack or whatever? Are there some end devices that are being compromised or whatever? When I was in one of those companies, we were doing that for the drilling environment and basically, you need three people for one seat because you need to account for vacations, weekends and all of that.
00:28:47 KC Yost
Right. Right.
00:28:49 Philippe Flichy
And you need experts that understand that. So more than likely, you need more than one expert. In the drilling environment, we had a bunch of different experts knowing different things, so then suddenly, it's very costly. If you can externalize that and know that you're going to have the right expert that looks at everything, does the first response and then communicates with someone inside your company and says, "Hey, there's some water leaking over there. You might want to come with a bucket and try to fix it."
00:29:24 KC Yost
All right. Very interesting. Very interesting. Okay, so elephant in the room. The one thing that I hear more about than cybersecurity is AI.
00:29:41 Philippe Flichy
I know where you're going. Yes.
00:29:41 KC Yost
It's AI, right?
00:29:41 Philippe Flichy
Yes.
00:29:42 KC Yost
So I believe my mother has already had a telephone call from someone claiming to be her grandson. Well, she doesn't have grandsons, so it worked out well and all of that kind of thing. But nevertheless, how does AI impact cybersecurity?
00:30:02 Philippe Flichy
A lot, for the short answer. A little bit longer answer is the bad guys now have a lot more tools. The first thing is that now they can send you a message in proper English. They can talk to you in proper English and in a voice that sounds like an English person, even if they are talking with a thick accent like me, and they can create deepfake voice and videos. Indeed, there's all kinds of stories about people being called. So one advice for all the people listening, agree at least at the family level on a safe word. So if your son calls and says that he's being held in jail and the miracle lawyer is just next to him to get your money, if your son or your daughter doesn't give the safe word, it doesn't exist. It's not right.
00:31:14 KC Yost
So that can apply also to the small, the medium size energy or utility company as well?
00:31:23 Philippe Flichy
Absolutely. Actually, you would be... The number of companies that are... So unfortunately, some companies call us after the fact. We try to come before so we can prevent things from happening. But the business email compromise is huge. So for instance, inside your company, don't change the banking information of your employees unless you have really talked to the employee, preferably in person or otherwise confirmed by two ways that you've been talking to that employee and that you need to change the bank information. The same also with your providers and with the people you pay: if you receive something that says, "No, now you have to pay on that bank account," use a phone number that is not on the bill. Use a phone number that you know of that company. I can tell you that once I received an email I didn't trust, I called my bank back using the number on the back of the credit card and they said, "Oh yeah, we got a transfer. Yes, indeed. We tried to call you." I'd rather have that experience than talking to people that have no business with my banking.
00:32:48 KC Yost
Yes. At the end of the day, none of us, whether we're talking about individuals or families or corporations, can be complacent. We all need to be on guard for those nefarious people out there that are trying to cause harm to us or our businesses.
00:33:11 Philippe Flichy
Correct. And the other thing is really, I mentioned earlier the social engineering. Well now with AI, they can automate a bunch of things and know a bunch of information because you are leaving crumbs all over the internet. Be very careful about what you share.
00:33:27 KC Yost
Okay. All right.
00:33:29 Philippe Flichy
A typical example is they would find out that the CEO is on vacation somewhere, and suddenly, they will contact the CFO on behalf of the CEO and say, "Hey, move all this money over there." I've seen it happen.
00:33:48 KC Yost
My, oh my. Yes. So we must all be diligent. We must... Yes.
00:33:54 Philippe Flichy
And last point that I'd like to make is now you have all those large model language system, your training datasets. Well, guess what? The guys are coming in and now injecting wrong information into your datasets so that your models now are giving false information.
00:34:18 KC Yost
My, oh my. I'm really glad for two things. Number one, that there's you and guys like you out there that are trying to protect us. And number two, I'm glad that I am retiring. You want to talk about a brave new world, this is really something. This is amazing, amazing.
00:34:41 Philippe Flichy
Yeah, but there's some light at the end of the tunnel. So how can AI be used for the good guys?
00:34:48 KC Yost
Yeah, there you go.
00:34:50 Philippe Flichy
And I think we should finish on a good note.
00:34:53 KC Yost
Please.
00:34:54 Philippe Flichy
So there's a lot of attacks these days that we call zero-day attacks. They are attacks that have not been used before, so we don't know what we call the signature of the attack. You have all those antiviruses. They have a whole list of different types of viruses. They look through that and they say, "Oh, you have that problem. It's okay. I'm putting that in a separate environment. It won't affect your computer." But now they're inventing new ones, exactly like we've seen with the coronaviruses. There were different versions of it where they do the same with the... That's why we call it a virus, because it really works the same way. And so now we are saying, "Well, it's not exactly the same as the one we saw before, but close enough that we're going to start putting some guards on." The other thing is that we were talking about those security operation centers. Most of them now are using tools to help the operators by looking through all kinds of tiny, little habits, things that are changing and say, "You know what? This is not normal." And it can be for external attack but also insider threats. People sometimes leave a company on bad terms and decide, "You know what? I'm going to copy a lot of information before leaving or get the names of the people," or whatever it is. And so we start seeing that, oh, on Saturday morning from a remote connection, we have all those things being copied. Weird. But it could be also things that are happening that we think are bad actors, internal or external, but actually can lead to understanding that someone has challenges. I have an anecdote. The company we work with to provide those SOC services, one day they noticed something and they alarmed their client. And what they found out is actually the person was suicidal and was ready to commit suicide, and he had patterns that were unusual and triggered, and they prevented the guy from doing some bad stuff.
00:37:36 KC Yost
Oh, my. Oh, my.
00:37:38 Philippe Flichy
So you see, you can really identify a lot of trends, and that's really the hope, is that at some point, we can be at least as good as the bad guys. Also, we are starting to analyze patterns even on the way they are using AI to give us some ideas that this is too polished or this is not right. We are learning a lot. So we have now those AI tools to extend our ability to learn.
00:38:16 KC Yost
Excellent, excellent. So AI to the rescue.
00:38:21 Philippe Flichy
Hopefully.
00:38:22 KC Yost
Yes. Very good. Very good. Very good. Well, we've talked quite a bit, Philippe, and I've absolutely enjoyed our conversation. We'll have to visit again sometime soon if that's okay with you.
00:38:37 Philippe Flichy
With pleasure. I can certainly explain you a lot about these insurance things. I wrote some papers on the subject actually.
00:38:43 KC Yost
Excellent, excellent. So if anyone would like to learn more about Cykur, you can find them on the web at cykur.com. Did I say that right, cykur.com?
00:38:58 Philippe Flichy
Excellent.
00:38:58 KC Yost
All right, great. So thanks to all of you for tuning into this episode of the Energy Pipeline Podcast, sponsored by Caterpillar Oil & Gas. If you have any questions, comments or ideas for podcast topics, which this one was, by the way, feel free to email me at kc.yost@oggn.com. That's kc.yost@oggn.com. I also want to thank my producer, Anastasia Willison-Duff and everyone at the Oil and Gas Global Network for making this podcast possible. Find out more about other OGGN podcasts at oggn.com. This is KC Yost saying goodbye for now. Have a great week and keep that energy flowing through the pipeline.
00:39:41 Speaker 2
Come back next week for another episode of the Energy Pipeline, a production of the Oil and Gas Global Network. To learn more, go to oggn.com.