Page 14 - Cyber Warnings
The Proliferation of Informal Cybersecurity Guidelines


An Oil and Gas Industry Case Study


by David Navetta and Mia Havel, Norton Rose Fulbright US LLP


In recognition of the ever-expanding risk of cyber-attacks across a diverse array of digitally-
integrated industries, more and more international standards organizations, state regulatory
commissions, industry associations, and non-government organizations are stepping in
alongside federal regulators to provide informal cybersecurity guidance and best practices to
companies within their industries.

Cybersecurity standards for the oil and gas industry are a great example of how formal and
informal standards are proliferating and overlapping.

Oilfield services companies and operators have historically put in place operational procedures
to mitigate and respond to physical disasters, but they are now increasingly concerned with
how best to assess, manage, and prepare to respond to cybersecurity risks.

While the proliferation of big-data analytics, digital technologies, and remote operations has led
to dramatic advances in optimization and efficiency in the industry, companies must
grapple with the concurrent cybersecurity risks these innovations introduce.

The oil and gas industry has received guidance from the federal government in the form of the
Department of Energy's Cybersecurity Capability Maturity Model (C2M2), which has an oil and
natural gas subsector version (ONG-C2M2), and the Department's guidance on implementing the
NIST Cybersecurity Framework in the energy sector.

The industry also looks to various other sources for informal standards and guidance, including
the following key sources:

• NIST Cybersecurity Framework: The NIST Framework for Improving Critical
Infrastructure Cybersecurity (2014) is a voluntary framework that has become an important
and useful tool for developing a security program in the United States and beyond.

Created in response to Executive Order 13636, the framework provides guidance to
operators of critical infrastructure and services in managing and improving cybersecurity
risk as part of the organization's overall risk management process. In addition, the
NIST SP 800 series on computer security includes standards addressing Operational
Technology ("OT") cybersecurity (SP 800-82, the guide to industrial control systems security)
and a Risk Management Framework (SP 800-37).

• ISO/IEC Standards: Published by the International Organization for Standardization and
the International Electrotechnical Commission and commonly used across Europe and
Asia-Pacific, the ISO/IEC 27000 series on information security management systems
overlaps somewhat with the NIST SP 800 series.


14 Cyber Warnings E-Magazine – June 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide