With the world shifting towards remote working, increasing volumes of sensitive data in the oil and gas industry may be at risk. The digitization of the sector is becoming a double-edged sword, providing exciting opportunities while simultaneously posing a security threat. A cyberattack on the energy sector can extend far beyond oil and gas production to hit the wider political and economic landscape. Increasingly sophisticated cybercrime, often driven by nation-state actors with geopolitical goals in mind, has become a national security threat and serves as an alarm bell for oil and gas companies to take action.
Understanding the Scope of Sensitive Data
In a paper published this year by Tyler Chase, Managing Director and Energy and Utilities Industry Global Leader, and Justin Turner, Associate Director for Oil and Gas Cybersecurity and Data Privacy, the authors emphasize that oil and gas companies handle a wide range of sensitive business data on a daily basis. However, these companies tend not to consider just how valuable their data actually is.
Whether upstream, midstream or downstream, the authors explain that sensitive oil and gas data comprises plant maps, production trends, revenue forecasts, geophysical data and much more. Another type of sensitive data that oil and gas companies often overlook is their employees' personal information. From social security numbers to bank account numbers, home addresses and much more, this kind of data can enable identity theft and fraud if exposed.
Adel Mekkawy, HR Operations Executive and Managing HR Cloud at ProServ Egypt, remarked to Egypt Oil & Gas that “what is perceived as sensitive in oil and gas companies could be everything. Every tiny detail matters to competitors and to the field itself; starting from the project preparation to proceeding with the actual steps forward from budgeting, hiring, and relying on third parties. Any kind of service needs to be so accurate.”
Faced with the substantial and ongoing threat of cyberattack, organizations ought to protect their intellectual property, including information on pending lease bids, knowledge of upcoming mergers and acquisitions, geoseismic and engineering data, technology research, chemical formulae and telemetry data from wells in operation.
“Security is all about who to trust to get the job done perfectly with secured data. That is why whenever there is an oil and gas project in Egypt, you would find lots of tenders going around but clients already know who they would choose as business partners,” Mekkawy pointed out.
Data Breaches and Safety Culture
A report titled "Drilling Deep: A Look at Cyberattacks on the Oil and Gas Industry" by Trend Micro draws on almost a decade's worth of cyberattacks against the sector, revealing that the industry faces increased risk as it builds out digitally connected infrastructure.
The report notes that remote monitoring for performance, quality control and safety is essential for oil and gas companies, yet the communications it relies on are often left unencrypted. Consequently, cyberattacks can lead to a plant or production shutdown, utilities interruptions, equipment damage or loss of quality, undetected spills and, of course, violations of safety measures.
Advenica, a provider of high-assurance cybersecurity solutions for critical data up to Top Secret classification, lists IT vulnerabilities as one of the sector's major weaknesses. It adds that attention to security and building a security culture must be a top priority.
“A major challenge with all security is awareness and training among employees – to have a security culture. Malicious codes are usually spread due to human error through attachments in emails that are opened, memory sticks that are inserted, laptops that are connected to unknown networks etc.,” the report further details.
Data Protection vs. Data Governance
Dale Waterman, a partner at White Label Consultancy (WLC), a boutique data protection and privacy consultancy, noted that “although data protection is about personal data and oil and gas companies have historically been far more focused on data governance, what we have seen recently is the convergence of data governance and data protection.”
As oil and gas companies increasingly use accurate information to help their governing bodies with strategic decision-making, Waterman clarified that “data governance is about managing data and improving the quality of that data. Traditional data protection, on the other hand, was very much about safeguarding who had access to corporate data and making sure you protect it against access by bad actors. However, the lines between these two fields are arguably converging.”
Waterman further noted that “if an Egyptian oil and gas company has a mature data governance program in place already, which would include policies and processes, roles and responsibilities, and appropriate monitoring practices, it should be very well positioned to begin a journey towards compliance with the new Data Protection Law.”
The New Data Protection Law
On July 17, President Abdel Fattah El Sisi ratified the long-awaited Data Protection Law No. 151 of 2020 (the DP Law). The DP Law is essentially Egypt's version of the EU's General Data Protection Regulation (GDPR), laying out the ground rules for how businesses collect and use personal information. Egypt's new DP Law mirrors several key elements of the GDPR, such as the principles of lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
Dr. Heba Anwar Raslan, Managing Associate at Sharkawy&Sarhan Law Firm, told Egypt Oil & Gas that "Egypt's data protection law No. 151 of 2020 is the first to regulate personal data privacy. It will touch most businesses, albeit with varying impact depending on how intensively each business/sector is utilizing personal data and sensitive personal data."
The legislation also encourages individuals to take legal action against parties exploiting their private information, and imposes a prison sentence of at least six months or a fine of EGP 200,000 to EGP 2 million on individuals responsible for data breaches.
Raslan clarified that the Law will require appointing a data protection officer. “So far it is not clear if such officer must be located in Egypt and the ER is expected to clear that point,” she said, adding that “data controllers will be required to obtain a relevant license from the data protection center that will be established. If your company exports data then consider that it must be to countries of comparable protection levels and will require a license from the center. The center is not established yet and the ER is again expected to clarify several points on the licensing mechanism.”
Commenting on the new law, Waterman said: “When it comes to the new DP Law, decisionmakers in the oil and gas industry who are not privacy professionals or lawyers, must first appreciate that data protection and privacy regulations are all about the management of personal data, which is any data relating to an identified natural person, or data which could be used to identify a person.”
It is important to note that the DP Law also imposes licensing requirements for data processing, data control, dealing in sensitive data, electronic marketing, and cross-border transfer of data.
“The aim of regulations like the new DP Law is typically to give control to individuals over their personal data. The new law is therefore not about all company data. That said, companies often have large numbers of employees, and this HR data is clearly personal data. In addition, the industry is increasingly using new technologies to enhance safety and security. This surveillance technology involves the collection and processing of personal data, making the new data protection law directly applicable,” said Waterman.
Trickling Down into the Oil and Gas Industry
Raslan laid out some practical considerations to help oil and gas companies prepare for the DP Law. "Consider, plan and eventually introduce internal policies and mechanisms for compliance with the law. Start early on. It is true there is still at least 21 months to go, but you may need to bring considerable changes. For companies already compliant with GDPR we do not expect the changes to be significant. On that, track data cycles internally from the time the data is collected until it is deleted, including processing, storage and exportation," she recommended.
To deal with cybersecurity risks, including technical measures, Raslan advised companies to "consider, identify and introduce measures such as controlled access for particular information, a secure document disposal process, securing access to locations/premises with the devices containing access to personal data, and disposal of IT equipment. So you may wish to check the agreements and processes you have in place with, for example, third-party providers of cloud services to check if any particular additions need to be introduced."
The Managing Associate also urged companies "not to forget to train your employees on the changes and new regulations that will be in place to comply with the law and to constantly update and refresh employees' knowledge and practices on the matter."
"Cyber-attacks must be reported within 72 hours from the time of your knowledge of the attack. If the attack threatens national security this must be reported immediately (a comparable obligation exists under the Cybercrimes Law). There is no definition of what would be considered as of national security, but in our view personal data pertaining to national energy and natural resources projects will most likely be considered as of a national security nature. So, ensure you have adequate technological measures in place to enable detection of and timely reporting of cyber-attacks," Raslan noted.
A Foundational Step to Improving Security
That said, what counts as a national security threat remains ambiguous, and the law is imperfect in that respect. As noted above, however, a cyberattack that specifically targets a sector such as energy would clearly threaten national security.
Egypt can also learn from Europe's experience with the GDPR. Dan Mosca, a GDPR and energy cybersecurity expert, has described how oil and gas companies can get ahead of the curve on security. According to Mosca, companies first need to understand the full extent of their responsibilities. To do so, they should carry out data mapping to establish what types of data they hold and where. This helps them prioritize their compliance activities, something larger operators in particular need in order to work efficiently. Key stakeholders should also come to appreciate the change in the law, since it will directly affect their day-to-day activities, Mosca explained.
Data protection laws should therefore be seen not as a burden but as an opportunity to review and reinforce companies' cyber resilience.