More Data, More Danger: Cybersecurity Assessments for Natural Resources

The natural resources industry is working to meet a fast-growing slate of reporting obligations. Facing regulatory requirements, public company reporting mandates, and new sustainability standards across domestic and global jurisdictions, companies are responsible for managing and reporting more data than ever before. The nature and abundance of data required in their operations places the industry — already a prime target due to its role in critical infrastructure across the U.S. — at considerable risk for cybercrime.

To help safeguard their critical financial, operating, and client data and information — which, if compromised, could pose significant national security concerns — natural resources companies must strengthen their cybersecurity posture now. By adopting the right strategies and conducting a cybersecurity assessment to identify risks, companies can maintain compliance with new regulations and protect their valuable data from malicious actors and potentially devastating consequences. 

Regulation-Driven Data Reporting

Environmental, social, and governance (ESG) reporting requirements from regulatory bodies like the California Legislature, European Union, and Environmental Protection Agency (EPA), as well as pending legislation from the Securities and Exchange Commission (SEC) which is currently under judicial review, have prompted natural resources companies to expand their data collection efforts. However, tracking and extracting this information can prove challenging. 

Emissions data, for example, is often sourced from multiple systems and locations, creating challenges around consolidation and storage. Misalignment within organizations on where or how data is stored can also contribute to confusion and exacerbate vulnerabilities. 

In addition to climate and emissions data, natural resources companies must also collect and report a variety of other financial and operational information. For example, the SEC’s new cybersecurity rules expand public companies’ responsibility to provide annual disclosures detailing their processes for assessing, identifying, and managing material risks from cybersecurity threats. These disclosures must include details sufficient for a reasonable investor to understand those cybersecurity processes. Under these rules, organizations must disclose the role of the board and management in cybersecurity governance and the process by which cyber risk is monitored, mitigated, and, if applicable, remediated.

Increasing stakeholder demands for enhanced data transparency around sustainability efforts are requiring companies to collect and report vast amounts of data, a process that inherently expands the cybersecurity landscape and introduces new datasets that demand cyber controls and safeguards. The SEC rules provide even more reason for public natural resources companies to take a proactive approach to strengthening their cybersecurity posture. Private companies hoping to enhance security to remain competitive or prepare for acquisition by a public company should observe these rules, too.

Growing Cyber Risks 

Cybersecurity risks are not limited to compliance concerns. As natural resources companies’ data inventories grow, the associated cyber threats will follow suit. Hackers, hacktivists, and nation-state threat actors represent some of the biggest cybersecurity risks to the industry — seeking to disrupt natural resources operations for social, political, or financial gain. 

The top reasons threat actors target natural resources companies include: 

• Manipulating narratives
  • Hacktivists have been known to infiltrate the systems of companies they consider adversarial to shape narratives around a specific social or political cause and garner support.
• Disrupting infrastructures
  • Nation-state actors have supported intrusions into industrial control systems that keep energy facilities operational as a means of endangering workers or disrupting access to critical resources, weakening national security.
• Leveraging data for ransom
  • Cybercriminals often attempt to infiltrate company systems to install ransomware and hold important company data hostage in exchange for payment. Sometimes this tactic is used in support of an additional goal, such as deepening disruptions or raising funds for a particular cause.

The Solutions

Natural resources companies will find it difficult to assess the materiality of a cyber incident if they have an underdeveloped data foundation or cybersecurity policy. Companies that have not already done so should begin improving their policy by performing a cyber risk assessment to evaluate their existing cyber program, identify gaps and risks, and implement an effective cybersecurity framework. 

Natural resources companies should consider referencing the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The NIST framework outlines standards for a strong cybersecurity program — from risk identification to prevention and post-breach recovery. The program is typically used as the foundation of a cyber risk assessment, and it provides guidance on cybersecurity best practices, implementing technical controls, and internal education.

Companies should also prioritize establishing a strong data foundation to ensure that data in their possession is both accurate and secure. Doing so will make it easier to track and store data, streamlining the cybersecurity process and improving day-to-day operations. With a strong foundation in place, companies can then build a comprehensive cybersecurity strategy. This strategy should encompass both cybercrime prevention and breach response strategies.

The Road Ahead

Though the natural resources industry faces an elevated risk of cybercrime, companies can take concrete measures to protect their data and maintain compliance with reporting requirements. Leveraging a third-party vendor for a cybersecurity assessment can be an effective avenue for testing defensive structures without internal biases and implementing sound cybersecurity programs based on deep industry experience.

By building a strong data foundation and investing in a cybersecurity program that implements both prevention tactics and incident response plans, companies can better protect themselves and their clients, and help safeguard national security against cybercrime.