| 03 March 2013
Interview with Frank Grace, Lead Cyber Security Analyst at Tesoro
INTRO: As has been widely reported, cyber threats to the oil and gas industry continue to increase in number and sophistication. Main threats involve cyber espionage and the insecurity of networked control systems. Industry-specific collaboration is needed in order to develop the security practices that are so critical to the future of the oil and gas industry.
Mr Frank Grace, Lead Cyber Security Analyst at Tesoro answered a series of questions put to him by Vigilance.
The responses below strictly reflect the views and beliefs of Frank Grace and not necessarily those of Tesoro:
Vigilance: What would you consider the defining attributes of the cyber threat landscape that the oil and gas industry is currently facing?
FG: Of primary concern to our industry, as well as several government-run agencies, is the critical infrastructure that facilitates production and consequently a significant amount of commerce. Not only are cyber threats to this infrastructure a constant factor, a single strategic breach in this area could mean significant loss of life and severe damage to production facilities and in some instances public and private, citizen-owned property. For these reasons, much of my effort during the past 5+ years has been focused on many initiatives designed to achieve the following:
1) Hide critical infrastructure from prying eyes
2) Completely isolate it from access that could be controlled by malicious insiders or external entities
3) Put in place measures designed to thwart, document, and automatically notify appropriate personnel about any effort to perform reconnaissance on, access, control, or modify such infrastructure
Of secondary concern are threats to the retail portion of the business, some of which may be addressed with the initiatives mentioned.
Vigilance: What trends in cyber threats and security do you expect to see in the future? Why?
FG: In regards to cyber threats, I am beginning to see more overt efforts by the "bad guys" to leverage personal and public information in an attempt to minimize the amount of time and effort required to successfully breach an environment. In my opinion, there may be some elements out there that must in some way feel as if they are "untouchable" by law enforcement and/or authorities because I am seeing more easily detectable attempts to gather personal, private information in order to gain unauthorized access to resources that the target(s) of such attempts may have the ability to control, view, and modify. What these elements do not realize is that there are individuals such as myself and others who will persist at stopping them until one of two things happen:
1) The responsible individuals or groups are identified, apprehended and brought to justice
2) The person(s) in charge of protecting targets are no longer living
With regards to security, I expect to see more companies investing in countermeasures designed to protect key human resources not only while on the job, but while at home or on the road. Forward-thinking companies such as one of my former employers (Rackspace Managed Hosting) have been doing this for years, but it is now being adopted by more private industry due to, in my opinion, the recent increase in publicity given to cyber security and social media.
Vigilance: What are the key components to a successful information assurance program?
FG: There are three key elements of a successful information assurance program: security awareness, threat management, and periodic assessments.
Vigilance: In your opinion, what are the most important factors to consider when constructing an incident response plan?
FG: In my opinion, the single most important thing to consider before constructing a plan is who to place on the company's incident response team. For any plan to work, the core team should be made up of well-rounded, seasoned individuals who respect and are committed to helping one another. They need to be friends, ideally close ones who have significant shared history. In addition, each individual on the team needs to have consistently displayed an above average sense of ownership in ambiguous situations. You want your team to jump in and confidently take the appropriate actions required to mitigate, track, and collect intelligence on threats they encounter on a continuous basis, regardless of whether or not it is in their job description or whose responsibility it is. Finally, each team member should be passionate about protecting people and assets against threats, and have a history of going above and beyond the call of duty as a responder. The second most important thing to consider is access and accounting. If the team does not have fully logged, encrypted, and backed up access to systems, networks, databases, and the tools necessary to manage them, then building an effective response team will be an uphill battle at best. Once you have these two essential prerequisites, the often lengthy, painstaking process of designing and building an effective incident response program may begin.
Frank obtained his constant drive for perfection from his father, an encyclopedic Ph.D. who passed the bar and can speak and write seven languages, instantly recall the most minute details of events from decades past, and both compose and direct orchestral pieces that are reminiscent of Mozart.
Frank's technical prowess and customer focus were obtained initially from his mother, who began her apprenticeship in electrical/electronics engineering and applications in elementary school with a military patent-holding, constantly innovating mentor whom she both adored and loved: her father.