Calgary-based oil sands developer Suncor Energy and cybersecurity provider Check Point Software are among 18 energy and technology-related firms that have vowed to improve their cybersecurity resiliency at the annual gathering of the World Economic Forum (WEF).
The announcement that the companies have agreed to the Cyber Resilience Pledge to enhance cybersecurity throughout their systems was made this morning from Davos, Switzerland, where the annual meeting of the discussion group is taking place.
“The action is in response to major security breaches in the past two years that have highlighted the vulnerability of critical infrastructure,” the forum said in a news release.
Separately the federal ministry of Natural Resources announced support for a cybersecurity incident response playbook (see below).
One high-profile energy sector breach was last year’s ransomware attack on the IT systems of Colonial Pipelines in the U.S., which forced the company to temporarily shut operations. That caused huge lineups for gasoline across the U.S. east coast. More recently, the forum notes, there have been cyberattacks on the Amsterdam-Rotterdam-Antwerp (ARA) oil refining hub and on two German energy firms.
Related content: Threat actors have new tools for attacking ICS, SCADA devices, say US cyber agencies
The forum first began developing a resiliency pledge for the energy sector in 2020. Last year the forum released a cyber resilience playbook for the oil and gas sector.
Organizations that agree to the non-binding pledge promise to
- strengthen ecosystem-wide cyber resilience by adopting six cyber resilience principles. These include cyber-resilience governance, taking a holistic-risk management approach, including resilience by design in operations, collaborating on cyber resilience across an organization’s ecosystem, taking corporate responsibility for cyber resilience and making ecosystem-wide cyber resilience plans;
- engage senior cyber leaders from signatory organizations to take collective action by developing global approaches and improving cyber resilience across ecosystems;
- advocate and showcase experiences by demonstrating the impact achieved by the Cyber Resilience Pledge.
The initial companies agreeing to the pledge are Aker ASA, a Norwegian industrial investment company with ownership interests concentrated in oil and gas; Aker BP; Saudi Aramco, which suffered a huge wiperware attack in 2012; Check Point Software Technologies; Claroty, which specializes in IoT cybersecurity; Cognite, a Norwegian industrial IT company; Dragos, and industrial IoT cybersecurity provider; Ecopetrol of Columbia; Italian energy provider Eni; EnQuest, Galp, the Global Resilience Federation, Maire Tecnimont, an Italian engineering firm in the energy sector; Occidental Petroleum; OT-ISAC, the Singapore-based Operational Technology Information Sharing and Analysis Center; Malaysia-based energy provider Petronas; Repsol, an energy provider in Spain; and Suncor, which also owns the Petro-Canada gas chain.
“First endorsed by key CEOs in the oil and gas value chain, the Cyber Resilience Pledge is a landmark step as it signals recognition of the complexities of building a cyber-resilient industry ecosystem and a commitment towards collective action to achieve it,” said Alexander Klimburg, head of the WEF’s Centre for Cybersecurity.
The Canadian federal government has several initiatives in place to strengthen cybersecurity in the energy sector.
Today it announced a $156,514 investment in a Canadian engineering company’s playbook that provides instructions and guidelines which energy sector organizations can leverage to counter and recover quickly from cyber attacks. A government spokesperson said the money was for the creation of the playbook
Created by the Canadian consulting engineering firm BBA, the Industrial Automation and Control Systems (IACS) Cyber Security Incident Response Playbook relies on industry best practices to provide for strong cyber security responses to ensure organizations are prepared to react systematically during times of emergency. In 2020 Ottawa selected BBA to create a methodology for assessing cyber risks for industrial control systems.