You are Home   »   News   »   View Article

Can IT security add value?

Thursday, February 21, 2013

Everyone knows how expensive IT security precautions can be - but should security now add business value, if it helps companies get a better understanding of their risks as well as reducing spend? BAE Systems Detica's Joe Hancock thinks it can.

Mr Hancock, head of energy and industrial cyber security consulting, of BAE Systems Detica thinks that security industry has changed, it is no longer acceptable for security to be a cost function. Security and risk management should move forward and actually add business value.

Mr Hancock was the speaker of the digital oilfield conference by Digital Energy Journal that took place in London on 5th of December, and focused on the current cyber security challenges that the oil and gas sectors are facing.

BAE Systems Detica is a global business, a subsidiary of BAE systems. Headquartered in UK, the company specialises in two key areas, cyber security and data intelligence and data insight.

Mr Hancock emphasised the importance of business information, data and control systems that form the core operational backbone of large energy organisations as well as the increased risks these organisations face. Understanding these and other risks is key to delivering safe and secure systems. To help understand what threats are present Joe gave some examples of key risk areas effecting companies in the sector today.

The hardest to mitigate of these increased risks is the 'advanced persistent threat' category of attacks that are typically carried out by state sponsored groups. These attacks are different than malware or viruses and don't just target governments and specific high profile targets. In the last three to five years, the states that carried out these attacks have moved to include more economic espionage targeting oil and energy companies.

The second key risk area for the Oil and Gas sector is security in the move to the cloud. Mr Hancock gave examples of recent research by Detica showing how cloud providers are used as a base for attacks. During this research none of the cloud providers seemed to realise that they were being used maliciously.
Mr Hancock said that the monitoring systems BAE Systems Detica provides helps organizations to protect themselves from the above, organised and highly capable, threats that may threaten oil and gas companies.

Detica gave an example where an organization which once an attack had been stopped, it was observed that 10 per cent of network traffic had been the attacker, extracting data from that company, and launching attacks to companies in the same sector. Joe gave examples of the commands attackers were executing on compromised systems, clearly showing the types of intellectual property and commercial data being targeted. The types of attack highlighted showed how exchange mailboxes could be accessed, specific file types targeted such as word, pdf or visio but also an example of commands to take a complete copy of an SQL database.
Mr Hancock says that the impact of the removal of intellectual property or commercial data is often misunderstood by businesses, as an attack may by cheap to remediate however the organisation may be commercial disadvantaged for years to come.

The most high impact cyber-attack does not only include information retrieval, but also a breach of a company's control and operational systems. Security issues now become safety hazards, directly affecting personnel, operational output - unlike many other attacks controls systems have physical impacts. An example was given, that if security is breached in one of a company's rigs fire suppression systems, even if not successful, it may require assets to be evacuated or shut down.
Joe Hancock feels that compliance based security, using only 'one size fits all' standards does not deliver cost effective security or mitigate these high-impact threats. For Mr Hancock, understanding the company's risk means that the company understands its security needs, and it will not resort to wasteful and inefficient control measures for risks it does not face.

Assessing risk to the organisation in business terms is also important, and companies should accept that there is no bad thing having security risk provided it is known. An open and honest risk assessment allows an organisation to protect its most valuable and operationally needed assets.
BAE Systems Detica feels that understanding the threats Joe described, and managing the risks that unique to each organisation and only those risks can help an organisations security function deliver business value - increasing effectiveness, reducing cost whilst maintaining operations.

Associated Companies
» BAE Systems Detica
comments powered by Disqus


To attend our free events, receive our newsletter, and receive the free colour Digital Energy Journal.


Latest Edition DEJ Dec 2022
Dec 2022

Download latest and back issues


Learn more about supporting Digital Energy Journal