The Times Have Changed. Ransomware continues to be the leading cybersecurity threat, and due to IT-OT integration and convergence of technologies, it is an increasing impact in industrial control systems (ICS) environments as well. A decade or two ago, operational technology (OT) cyber incidents were mainly attributed to configuration errors and unintentional IT malware causing reboots or network congestion in OT systems. But today, ransomware takes the lead, causing far-reaching impacts in industries with its more intelligence human-driven command and control capabilities, fast propagation, data exfiltration capabilities, and of course the denial of service (DoS) caused by data encryption. Now with ransomware, it is big business for cyber extortionists to target as many organizations as possible.
The Rise of Natural Gas. With the phasing out of coal and a global shift towards cleaner energy, dependency on natural gas is increasing. In various regions, it's the backbone for heating and electricity needs. In the energy industry, there was a time when methane gas in an oil well was wastefully burnt off; now it’s captured and monetized. Aided by hydraulic fracturing (aka., fracking) in the last decade or so, and an attempt to reduce the dependency on energy imports, natural gas production domestically has increased even further. But the economics of gas production are intricate.
A Peek into the Economics. The natural gas market has seen its highs and lows. Just six months ago, the industry was 10-year highs with prices over USD$7.50 per mmbtu (millions of BTUs). Now, the Henry Hub spot price hovers around USD$2.64/mmtbu in North America, just teetering at the break-even point for many producers. Gas exploration, drilling and extraction is a high capital expense, with the highest production occurring at the start of new wells, then declining rapidly over time. Downtime, thus, has severe financial implications in Gas Production, especially for older wells that have declining profit margins. Loss of view or control event, or even loss of data, can also incur other penalties for not having the necessary compliance reporting data, such as environmental monitoring.
Calculating Losses. Imagine a cyberattack, most likely a ransomware delivered via phishing, hitting a natural gas producer. The clock starts ticking immediately. Within a short span, costs grow rapidly:
Production Losses: Profit margins on wells start to erode swiftly.
Expanding Impact: As time progresses, the ransomware can affect more system endpoints, escalating the recovery costs.
Cyber Incident Response: Costs involved in containment and restoration.
Preventing Future Incidents: Diverting budgets from other valuable projects towards hurried cybersecurity mitigations, safeguards, detection, and response to prevent future incidents.
Risk of HS&E Penalties: Only ICS/OT cybersecurity incidents have the possibility of secondary losses causing health, safety, or environmental losses.
Operational Costs and Restart: The longer the downtime, the higher the expenses to get production back on track. More affected areas/pads/batteries mean more required resources, extending revenue losses. In summary, longer downtime is more expensive to restore full production.
Lost Opportunity: Faced with product shortages, gas processing facilities, gas transmission & distribution may increase their goods from competitors to uphold their supply chain commitments.
Contractual Requirements: Depending on the small print in the agreement with partners, causing upstream or downstream supply chain issues can result in contractual penalties.
For context, natural gas production at a rate of 500 million cfd (482,000 mmbtu/d), a week's halt in gas production can lead to revenue losses over USD$80M at the current rate of $2.64/mmbtu. Combine this with the expenses of downtime, cybersecurity response & recovery, environmental penalties, contractual penalties, it is difficult for most cybersecurity professionals to integrate business and operations losses into the justification of cybersecurity budgets & projects.
What is Cyber Risk Quantification and Management (CRQM)? Faced with business and operational costs like those listed above, against the technical complexities of cybersecurity, an organization wants to know if they should sustain or increase their cybersecurity investment, what is their risk, and what should they do about it.
financial attributes of the company (e.g., Firmographics), and
unique loss attributes of the industry, to better understand the cybersecurity risks in monetary terms.
Essentially, CRQM helps estimate the financial impacts of a cyber event, assisting in making informed decisions. For instance, how would a price surge per unit affect the losses from an OT cyber event? Which cybersecurity investment offers the highest risk reduction, or maximizes the return on the investment?
Our team at DeNexus is focused on understanding the unique costs & impacts of different industry verticals. We devote our attention to understanding when an IT data breach could cross the line into OT, leading to tangible operational consequences. We establish baselines using known cyber events with evident ICS/OT losses, aiming to bridge the data gap about cyber incidents in specific sectors. By understanding the variances between sectors, we can predict similar loss proportions in different organizations and industries. CRQ helps estimate those costs, CRQ+M helps you better manage those costs and aid decision-making in multiple facilities each having different financial attributes and security controls in place.
DeRISK Cyber Risk Quantification and Management Platform
To navigate this multifaceted landscape, forward-thinking organizations are turning to Certified Risk Quality Management systems. Leveraging platforms like DeNexus' DeRISK Cyber Risk Quantification and Management platform, gas generation companies can amalgamate data from standards like NIST CSF, ISO 27001 or DeNexus’ proprietary DNX CSF with the nuanced insights from facility managers, integrating them seamlessly with evidence-based data from various passive and active monitoring solutions across the manufacturing ecosystem.
By enhancing DeRISK integrated data powered by AI, ML and Probabilistic Inference with specific business operational metrics for manufacturing, DeRISK offers an enriched understanding of the overall risk profile. For individual facilities and complex portfolios. This convergence of Cybersecurity, Operational Technology, and business metrics ensures that organizations can gauge threats not just from a technical standpoint but also from a holistic, business-impact perspective.
On top of this, DeRISK enriches this integrated dataset by incorporating business operational metrics specific to gas generation facilities —such as production losses, equipment downtime, HS&E Penalties, and Operational Costs and Restart —. These metrics enable organizations to derive more nuanced insights into their overall risk profile, combining the typically siloed worlds of Cybersecurity and Operational Technology. By synthesizing all of this data, the DeRISK translates multifaceted insights into quantifiable business impact, thus allowing for well-informed, strategic decision-making facilitated by DeRISK Cyber Project Simulator that aligns with both organizational goals and risk tolerance. This holistic approach provides an enhanced security posture that meets the high standards of multiple leading industry guidelines.
By marrying cybersecurity risk quantification and management with the operational nuances of gas production facilities, DeRISK by DeNexus stands as a testament to the future of secure, efficient, and resilient gas generation facilities in the age of digital transformation.
Click Here to read more about the DeNexus Knowledge Center and the DeNexus Trusted EcoSystem.
Click Here to learn more about DeRISK, a comprehensive Cyber Risk Quantification and Management platform!