The World Pipelines podcast, with Elizabeth Corner, is a podcast that connects and unites pipeline professionals to learn about issues affecting the midstream oil and gas industry.
Hello, and welcome back to the World Pipelines podcast, a podcast for pipeliners featuring the brightest and best, most experienced, most forward thinking minds in the oil and gas pipeline industry. I'm Elizabeth Corner, and I'm thrilled to bring you a series of conversations with experts from across the sector. In each episode, we'll be talking about some of the latest challenges, trends, and innovations affecting pipelines worldwide. The goal here is simple, to give you real world perspectives on the topics that shape our industry. Oilfield Technology keeps upstream oil and gas professionals up to date on the latest technologies and developments in the industry through in-depth articles, regional reports and project news.
Elizabeth Corner:Sign up to our newsletter at oilfieldtechnology.com/newsletter for a free copy of each issue. For this episode, I am pleased to welcome Ross Brewer, vice president and managing director for Europe, Middle East, and Africa at Graylog. Hello, and welcome, Ross.
Ross Brewer:Hello, Elizabeth. It's a pleasure.
Elizabeth Corner:Ross has nearly forty years of experience in cybersecurity and information technology under his belt, and he has advised governments, enterprises, and senior leaders around the world on how to strengthen their cyber resilience. Originally from New Zealand and now based in the UK, Ross has held senior leadership positions at some of the industry's most influential organizations, including SimSpace, AttackIQ, LogRhythm, NetIQ, and Symantec. At Graylog, Ross focuses on helping organizations gain greater visibility and confidence in their security operations, ensuring that systems and data remain protected in what is an increasingly complex digital landscape. Now, Ross, before we dive into the specifics of cybersecurity for pipelines, can you give us a high level overview of what Graylog does? So for those who may not be familiar, how would you describe the platform?
Ross Brewer:Certainly. So for the pipeline and energy industry, first and foremost, every technology, whether that be on the OT side or the IT side, the operations technology or the information technology side of their businesses, all of those systems are producing audit logs or log data. And the technology is known in the industry as a security information event management platform. So we're a modern SIEM, we collect all of that data from all the different systems and many different formats at very large volumes and we consolidate that so that we could help organisations in their security operations center or their network operations center more effectively chase down threats and problems in the environment, respond very quickly to those through rapid search and then help them do better investigation, better incident management as far as outages and cyber security incidents go.
Elizabeth Corner:And can you describe for us the biggest challenges that pipeline operators are facing today when it comes to managing and protecting their data and operations? How does that landscape look in 2025?
Ross Brewer:Well, the pipeline industry's got several unique inputs that are impacting their sort of risk profile as it relates to cybersecurity. The geopolitical situation that we've seen over the last two or three years, clearly, that is coming at them from every angle. The certain government actors are focusing on critical national infrastructure and some sort of long term acquisition strategy to get into these environments. And then we're just seeing the normal criminal networks and with the likes of Colonial Pipeline in 2021, where anything that can cause mass outage or impact on society that can be ransomed or held against an organization politically or commercially is increasing. And then they've got the problem we're having to move to more decarbonized situations that's moving them to more modern technology.
Ross Brewer:Those modern technologies come with a lot more connectivity than the legacy systems. So we've just got this confluence of things that are really impacting the energy sector and the pipeline sector specifically. And we're just seeing an increased risk profile within the sector because of that. And then we're seeing an increasing number of regulations targeting the sector, not specifically with NIS2 in Europe, but some of the more energy focused safety standards that are coming through. And so this is making it very challenging for organizations in this space.
Elizabeth Corner:Yes. A lot of different angles on that one, things coming at us from all areas. So for pipeline operators who are perhaps still in the early stages of wanting and needing to strengthen their cybersecurity position, what kind of advice would you offer to them?
Ross Brewer:Well, they wanna make sure that they're starting out with a sort of a risk assessment of their environment, and then they wanna make sure that they're ticking off the usual suspects, you know, strong authentication, two factor authentication, making sure they've got adequate access controls in place. Make sure they don't fall under the misconception that their IT networks are separated from the operation technology networks because a number of suppliers now as these technologies become more IP based then the suppliers have connectivity into those environments. So they've really got to look at the supply chain, making sure that they're assessing their suppliers from an information security standard and then making sure that they're monitoring and assessing those suppliers on an ongoing basis. Because when you look at the big failures recently with Jaguar Land Rover, a lot of the retailers in the UK, it wasn't specifically their networks that were actually gone after initially, it was actually the suppliers that were gone after and the supply chain was leveraged to get into those organisations and create havoc. So this making sure that they're assessing on a regular basis, all of those aspects is critical.
Elizabeth Corner:We've always been taught, Ross, that connectivity is the best thing ever. Right? So when you're telling me that that's not actually the case.
Ross Brewer:Well, it's difficult in cybersecurity because we get to a situation, and I have seen, in fact I did deal with a person at a very well known petrochemical company that might be based in Saudi Arabia, who was actually the individual that when they got hit a few years ago, he took the personal step of pulling the cables out of the wall in the data centre without authority because he felt he could stop the actual spread of the ransomware or the malware at the time that it was. And he was lucky he did slow the spread down, although they were massively impacted. He did personally slow the spread down. So yes, the only safe cybersecurity platform is a system that's not connected to anything. And obviously that's not good for business and that doesn't work.
Ross Brewer:So we've just got to deal with the fact that connectivity is key, but with it comes the risk that we have been outlining through this discussion.
Elizabeth Corner:Fantastic. This is someone else's anecdote, actually. But I do remember talking to someone. He said that he could print from his facility anywhere in the world, and then and there was it was that very connection that it maybe was making the company vulnerable. We are recording this episode a couple of weeks after the global AWS outage, and that caused a significant ripple across global systems, including those that manage energy, manage pipelines.
Elizabeth Corner:And I want to talk a bit about cloud based infrastructure. So how resilient is cloud based infrastructure in the face of outages such as this?
Ross Brewer:Well, generally speaking, cloud based infrastructure is gonna be more resilient than you can possibly manage on-site. That's the theory. Now you would hope that the organizations, the major logos AWS, Microsoft, Google, running the big Oracle possibly, running the big cloud infrastructures are gonna have more skill and more reputational risk at the sort of level that they're operating at where they're going to be applying the absolute best operational standards that you can possibly think of both from an uptime standpoint and a cybersecurity standpoint. However, now they've become such colossal providers, any failure in your environment has such broad ramifications. So what we are seeing organisations doing is taking a hybrid approach.
Ross Brewer:Most of our customers have a mixture of Microsoft, Google and AWS. Typically AWS is running their core sort of applications, Microsoft running their sort of front office and active directory and then Google perhaps running some large processing systems that require a large amount of compute. Now the majority of Graylog's customers though, especially in the energy sector, tend to still be focused on what we class as self managed. Now what this means is not necessarily on prem, but the customers are concerned about data sovereignty. So they wanna be able to make sure that this data isn't sitting in a shared environment that could ever possibly be compromised.
Ross Brewer:So they might put it on prem, they might put it into private cloud or they may have a partner manage that on their behalf. And that's the majority of our customers. We do have a software as a service, a cloud offering. Even that said that as I said most of our customers more than 95% run in what we class as self managed.
Elizabeth Corner:That does lead me onto my next question, which is about the decision to go fully cloud. So many energy companies are thinking about going fully cloud. As you mentioned, they're a little nervous about that. They perhaps want to maintain on prem, on premises infrastructure. How should pipeline operators evaluate the risks and the benefits of going with either of those deployment models?
Ross Brewer:I think they have to evaluate the risks in a similar way that we spoke about for themselves. Obviously, making sure that they're looking very closely at their suppliers, making sure that they're contractually holding those suppliers to account with penalties should they fail to deliver against those SLAs. And then making sure that by dealing with organizations that have experience in the regions and geo locations that are important to those organizations.
Elizabeth Corner:Absolutely. Let's imagine that a breach has occurred in the pipeline sector. What is the typical first step in your response plans? How does Graylog help operators react after incidents?
Ross Brewer:I once was dealing with a very high profile mentor that mentored high level people, and one of those people was president of the US. And the president came to him about a particular incident and said, look, we've got a major PR problem. I've done something that I shouldn't have and I need your help. And his advice to the president at the time was, You should have spoke to me before you did it and I would have told you not to do it. So what I'm trying to say here is that it doesn't start at the time of breach.
Ross Brewer:It's got to start well before that. And this is the message that we need to get across to all operators. They need to make sure that they're securing their systems. They're gonna make sure that they're putting adequate monitoring in place. They're gonna make sure that they're maintaining those records over long periods of time in a way that they can access them rapidly when they need them and not go scrambling for them after the fact when they don't have them.
Ross Brewer:And it's the same thing with their incident response plan. Don't go into an incident and then go, okay, what's our plan? You wanna make sure that you've rehearsed your incident response plan. You've rehearsed what you're gonna do with the press because often what happens without adequate preparation, it leads to what we call over disclosure. We saw that in the Phones4You incident.
Ross Brewer:The CEO came out and said, We've potentially lost 4,000,000 customers' records of personally identifiable information. And the government was talking about holding an inquest and the cameras was in the CEO's face at the time. And that had profound impact on the actual organization. But what actually happened was a few weeks later, once the incident investigation had taken place, there was 12,000 records. Now no one reads that press release in four weeks time that says there was only 12,000 records.
Ross Brewer:Everyone remembers the 4,000,000 records and everybody that was a customer felt that their data was lost and was upset with that brand. And so this over disclosure and these kind of problems come from not being prepared. So once they are prepared and they have that incident, they want to invoke their incident response plan depending on how serious they think it is. They may want to bring in external parties that they already have on contract and available that can be called urgently. You don't want to go scrambling for those parties at the time of a breach and then work through the breach in a systematic way to identify what resources have been compromised, where the attackers have been, what assets, what data has been exfiltrated, and then make the appropriate publications to, whether it be the SEC from if you're in the US operating on the US share market or the information commissioner's office in the UK or whatever regulatory bodies appropriate in their jurisdiction.
Elizabeth Corner:Such an important message for pipeline operators. And do you find that a lot of your job is convincing people of the seriousness of this, of kind of trying to convert them to understanding that, in fact, a lot of work needs to be done when the risk isn't apparent?
Ross Brewer:I think we're in a very different position today. If I think back to the sort of early 90s, the mid 90s, the early 2000s, yes we were on a sort of a crusade if you will to try to educate people on the risks because we could see it. I remember trying to go into countries like Denmark and Sweden and trying to explain or Norway trying to explain that there's these bad people. You leave your house open, there's not bad people in their societies back twenty years ago. And you left your door open and that you knew everybody.
Ross Brewer:And so crime just wasn't even a thing in the psyche. And you're trying to say, hey, there's these big bad people on the internet and they're gonna get your data and they're gonna collapse your business. And honestly, they just didn't comprehend or really get it back in the day, like in San Francisco seeing it in the street. And so I think now it's become so prolific that I think our education is less so. We don't have to sort of educate people on this.
Ross Brewer:We used to use this term, it's not a case of if, it's when you get breached. I think most executives now know that cybersecurity is a sort of a top three risk within any organisation, possibly the number one risk. The challenge is that they don't understand enough about the problem to adequately resource it and fund it. And I think that's where boards need more representation, less representation from financial people and a little bit more representation from technology people that understand that risk and can fund the programmes appropriately.
Elizabeth Corner:Yes, quite. Now one of the new challenges we're facing is we are integrating smart technology, smart sensors into pipeline networks. We're very keen on that. But obviously, these innovations do perhaps introduce new levels of vulnerability. Is that correct?
Ross Brewer:Yes. There was a I think it was Gurick. I'm trying to remember the singer that sung it, but in his song he says, there were some smart bombs and there were some dumb ones too. Gil Scott-Heron was it? Anyway.
Ross Brewer:And if you think about the smart technology, yes, it's called smart technology. We're moving rapidly to IP based but the suppliers of a lot of the IoT, the internet of things and a lot of the control technologies are not paying enough attention to the cybersecurity aspect and they're trying to gather telemetry that makes them more valuable as companies but that telemetry opens up the risk to some of the customers that are using their technology. So we've seen in the European Union, the European Union has introduced standards with respect to IoT and better cybersecurity. So I think we've got some way to go because on the OT side of the business there isn't the same, there's very few actual specific malware strains that are targeting OT. So it's not as bad as the IT side of the network.
Ross Brewer:It's a long way from it. So I think the risks are less, therefore people pay a little less attention to it. I think that needs to change as these networks and the cloud all become one. And there is no such thing as a border anymore within these environments.
Elizabeth Corner:Oh, that is a good quote. Now, I'm interested in specifically how a cybercriminal, a bad actor, could exploit the interconnectedness of pipeline networks, the way that they're connected across locations globally, you touched on earlier. Are you able to share a scenario where a cross border vulnerability has played a role?
Ross Brewer:We've just seen that in the airline industry most recently. So the outage of Heathrow and Brussels and other airports was an example of a cross border situation. And if we look at the outage at AWS a few weeks ago, again that was global. And so if we just come back to the cross border one for a second, this is why it's important to look at these suppliers. And that's what the cyber criminals are doing now.
Ross Brewer:They're trying to find common suppliers that will get them in across the industry, not into a particular organization. And then when you think about what happened with AWS, people think that, oh, if you were in the East, US East as it's called, data centres or data centre or regional zone or whatever you wanna call it, then you were impacted. And if you weren't in that area, you were okay. Actually, that's the pivotal point that AWS manages a lot of the DNS for their global environments from. So bringing down or impacting that environment will have profound impacts around multiple geos around the world.
Ross Brewer:We're seeing some of the Russians and Chinese go after the critical national infrastructure, specifically energy, specifically utilities. And they're trying to embed themselves in those networks just in case we believe or the industry believes just in case there's some form of activity and they want about to show their hand or cause the US, this is very strong in the US, the US and the UK. So whether at some point they wanna show their hand and slow the US or the UK down, but it hasn't yet been determined why they're trying to compromise these networks and lay dormant over a period of multiple years. So I think again, this is something that the pipeline and the energy industry's gotta be acutely attuned to, that the nation state actors are specifically targeting them and then just targeting them because they're critical infrastructure.
Elizabeth Corner:Fascinating stuff. Is there a growing trend in pipeline security where criminal groups are more targeted and more bold in their attacks? So a few years ago, I interviewed Sam Miyarelli from Siemens Energy, and I put it to him that the likelihood of cyber attacks had increased. This was about 2022. And he said no, he didn't think that cyber attacks were increasing.
Elizabeth Corner:He just suggested that awareness had increased instead. Is that still the case?
Ross Brewer:I think I obviously, it's different now, and I'll go into that. And I would disagree with that statement at that time. We've been on a, I mean, I just did a presentation on Friday and I covered the thirty years of logging and monitoring and how we started out in the 90s and up until 2025. And it's been a sort of an upward trajectory of increasing veracity and volume and sophistication and impact of attacks. So, however, if you go through the last sort of five years with the sort of Ukraine activity, with what's happening in North Korea, with the Trump interaction with the Chinese, the tariffs, and then if you look at Iran, we have certainly seen a massive focus and uptick in the energy sector and the pipeline industry just because of the geopolitical situation that's gone on.
Ross Brewer:And then the cyber criminals are getting more emboldened and going after bigger targets. Yes, of course, we're getting more communication and people are making it more public and there's more regulations. More than 95% of breaches used to go underreported back in the day. So yeah, I agree with the statement that we're seeing better reporting, which makes it look worse. But no, it is worse.
Ross Brewer:There's more than 500 criminal gangs being tracked by the intelligence agencies around the world at the moment, and they're wreaking havoc on a daily basis. And the crazy thing is that people don't realize that they're already in their networks, and they're running at risk on a day to day basis without the visibility and the analytics to look for the telltale signs of the behaviors of these criminal actors and to cut them off at the knees before their initial activity turns into a headline.
Elizabeth Corner:Absolutely. Sobering stuff. Right. We'll go for some quickfire now, shall we? Well, let's see how quickfire we can be.
Elizabeth Corner:So I wanted to ask you about insider threats. We've been talking about outside threats. How significant is the risk of insider threats when it comes to pipeline security? So could an employee or a contractor with access to some critical systems potentially cause more damage than a cybercriminal group?
Ross Brewer:Insider threats are always a concern, and they typically know more about the environment so they can help bad actors get to assets of value or interrupt the business in more impactful ways. And we saw there was even most recently in the last few months, a BBC reporter was offered a large sum of money to turn on the organization he represented. And it just seems crazy to ask somebody at that level within an organisation of that type who's someone who's so publicly facing. So it just shows how these criminal gangs, how emboldened they've become and how they'll do anything to get into any organisation. And the insider threat's always a concern, but typically it's more to do with the disgruntled employee that possibly knows a lot about the network and can cause havoc.
Ross Brewer:And so therefore this is why the access controls and making sure that the policies and procedures are in place for leavers that get taken off the systems and their access cut. Because sometimes that access is people give too much access too widely to too many people, and then when they leave, some of that access remains in place. So I think just general hygiene is critical in this environment.
Elizabeth Corner:Yes. Good housekeeping is needed in that department for sure. Okay. So I can sense that there is perhaps a tension between bolstering cybersecurity and then maintaining your operational efficiency. A lot of operators might resist putting into place new cybersecurity protocols if they think that they might disrupt workflow or slow things down.
Elizabeth Corner:So how do you strike the balance between tightening security and keeping those operations smooth?
Ross Brewer:Well, I think the risk assessment is key to that from the outset. Understanding what it is that the organisation is trying to protect, what is the likely scenario of it being impacted. You don't build a million dollar fence around a dollar asset. Okay, so everything has to be proportionate to the level of risk and the level of value that you're trying to protect. As sad as it sounds some construction companies might get fined $10,000,000 for knocking down a building that's listed, just knock it down and the building that we're building is worth 500,000,000.
Ross Brewer:So that's just a cost of doing business. Now obviously that's not what we'd encourage but you've gotta make sure that the investment that you're making is representative of the problem and the risk of actually the event happening. And I think the organizations unfortunately, because boards are mostly made up of financial experienced people, they find it hard to quantify what would happen if there was a cyber outage. And I think what they wanna do is look at that from a business impact standpoint. They will know how much, like, DarkSide Colonial Pipeline, know what their daily volumes were and would have been able to say, it's $10,000,000 a day or a million dollars a day or whatever.
Ross Brewer:So once you quantify that value, then you can start to think about, okay, what would we need to do to pay to protect that and stop that from happening? So in the case of Jaguar Land Rover, I believe they made it public that it was $30,000,000 a day now, and that went on for a month. And then you look at all the suppliers that were impacted and you look at the UK economy that was impacted and it's okay, was that worth an extra couple of million dollars spent on cybersecurity to analyze our suppliers to make sure we weren't at risk? Yes, maybe. But look, we're all billionaires with the crystal ball of hindsight.
Ross Brewer:But I think getting ahead of this is making sure that organizations bring in experts that can assess their network, exercise their controls, make sure that their monitoring picks up that activity, and in making sure that their teams are responding rapidly from an incident response standpoint.
Elizabeth Corner:Fantastic. Now, I think it's pretty much illegal to do a podcast episode without using the phrase AI. So let's talk about AI, shall we? How ready are current AI solutions for interlocking into cybersecurity? Is that the picture?
Elizabeth Corner:Is that what we're looking at? Is AI something that's going to be the future of cybersecurity?
Ross Brewer:Well, AI is gonna have a profound impact on cybersecurity, but it might not be in the ways that people are hoping. I'm optimistic and I remain optimistic, but people are racing to these technologies so rapidly and they're relying on them now to do coding. And yes, these systems are good at coding, but it's rudimentary coding that they're doing rapidly because you're not paying enough for them to do it properly. So yes, they can rudimentally code something. It's getting more sophisticated.
Ross Brewer:But with that, it comes the risks of what we've been dealing with for the last fifty years, which is developers not building in cybersecurity into their coding. And so that's the one aspect that we're gonna see risk in the code that's developed. Another aspect is we don't know what we don't know. So we're gonna put this magical system on our networks that's gonna monitor and tell us it's doing everything to monitor for bad behavior and stop that bad behavior. But these systems hallucinate.
Ross Brewer:They tell you what you wanna hear at the moment. And if you ask it the same question three or four different times, you'll get four or five different answers. And in cybersecurity, there are certain patterns that, yes, you could respond to like phishing, spam, things like that. But a lot of what we deal with is we don't know what the incident's gonna look like until it happens. And so these systems that work on patterns, pattern recognition, pattern learning are not so well suited to the likes of cybersecurity where the networks are complex, they're all different, the workflow's different, everything's different in every environment.
Ross Brewer:Even on every day, the networks are changing and the complexity is changing. So AI is gonna be helpful and useful and we're embedding AI into our platform so you can ask questions in plain English and it will interpret those and go after the right data for you. However, the downside to AI is where the hackers start to use it to speed up their ability to compromise organisations at scale. Their code doesn't have to be perfect, it's just got to work. So they don't care if they're using something to create code that's not bulletproof as long as it achieves their objective.
Ross Brewer:So I think we're gonna see an escalation in speed. And I think the big warning that I would put out to anyone in IT or anyone on a board of any company at the moment is be very careful because what you're doing most people are trying to build their infrastructure and their response to what's happening today. Whereas actually what you've gotta be doing is what is happening in the next two to five years. And if you look at the trajectory that we're on, obviously with this massive increase in speed and velocity and veracity, then we've gotta make sure that we are thinking much further ahead than today because these AI technologies are gonna take us to that place a lot quicker than we expected.
Elizabeth Corner:Great answer. My last question is about I think it's about downtime, really. So pipeline operators are always worried about downtime. If a pipeline is under cyber attack, but taking it offline would have huge consequences economically, environmentally. How do you make the right decision on what to do to protect your system or protect the asset?
Elizabeth Corner:How does that work?
Ross Brewer:Well, making the right decision in the middle of an incident depends on the data that you have at your fingertips. And this is why being prepared way in advance with your incident response, making sure that you're collecting adequate log data from all the different systems so that you can quickly analyse where things have gone wrong, where data's been copied to, what systems have been impacted, and then making sure that you have rehearsed that plan. And there's a term that they use in the military, and it's fighting while wounded. So it's not a case of making sure that you get everything back to how it is. You've really just gotta make sure that you can isolate systems that are impacted and that you can carry on your business without having to, as we talked about earlier in the podcast, pull the cables out of the wall, that you can actually operate the business.
Ross Brewer:So this comes down to how the business designs its infrastructure and making sure that you don't have single points of failure where you're reliant on a single technology at a single point and that you have redundancy and resiliency built into your operations so that especially in terms of monitoring and threat detection, incident response, all of these areas, making sure that they're on an enclave that's separate to the rest of your environment. So should your OT environment be impacted that your security operations center doesn't get impacted so they still have the visibility and can still help executives have those discussions to say, look, where do we think this has happened? What do we need to do to isolate it? Can we continue to fight the fight? As in other words, can our business continue to operate even though we've taken a shot to the shoulder kind of thing.
Elizabeth Corner:Thank you so much for all of your expertise today, Ross. That has been wonderful. Thank you.
Ross Brewer:Thank you. I hope this was interesting, Elizabeth, and you have a great day.
Elizabeth Corner:That was Ross Brewer at Graylog giving us an invigorating, very up to date take on cybersecurity for pipelines and energy assets. Thank you for listening. Subscribe to the World Pipelines podcast for free wherever you get your podcasts. If you have enjoyed this episode, please rate and review and forward to a colleague or friend. Oilfield Technology keeps upstream oil and gas professionals up to date on the latest technologies and developments in the industry through in-depth articles, regional reports and project news.
Elizabeth Corner:Sign up to our newsletter at oilfieldtechnology.com/newsletter for a free copy of each issue.