Sean Plankey, Cyber Intelligence
Advisor at BP
In this edition of Cybersecurity Spotlight, I had the opportunity to sit down with Sean Plankey, Cyber Intelligence Advisor for BP, one of the world’s largest oil and gas companies. Based in Washington, D.C., Sean gathers intelligence to protect BP’s cyber and physical infrastructure. In 2012, with nearly a decade of experience as a U.S. Coast Guard officer, he was assigned to the then brand-new U.S. Cyber Command at Fort Meade in Maryland to develop offensive cyber weapons. He then deployed to Afghanistan, where he earned a Bronze Star for his work in countering roadside bomb threats and disrupting communications using cyber tools.
Today, he oversees BP’s internal hunts to detect cyber infiltrations and attacks and maintains the company’s external relationships with security agencies in the U.S. and United Kingdom.
What are some of the most common false impressions about those in cybersecurity?
First and foremost, apparel. Kidding, but not kidding. There’s a lot of thought that cybersecurity people only wear hoodies and jeans everywhere they go. If you want to speak to senior executives and you’re trying to convey the risk that my company, BP, might face, I can’t go in there with a hoodie and think that I’m credible. I try to dissuade the theory that cyber people sit in the basement and have more fun interfacing with the computer screen and keyboard than they do with the rest of the world. I don’t find that true at all.
Hoodies and jeans aside, any other misconceptions?
In some cases, senior executives—not at BP but at different places—struggle to take ownership of cybersecurity. As an example, when an executive has a finance issue, they have no problem getting into the weeds and understanding the balance sheet and talking to the Chief Financial Officer every day, understanding all the ins and outs of the CFO’s business. But then when it comes to a cyber issue, they say, “That’s the IT guy’s problem.” It’s not acceptable for a seasoned senior executive to say, “I understand CFO issues, but I have my CISO for the cyber ones.” They have to learn the basics of cybersecurity. It’s just as relevant. It can crush the company just as easy as a financial issue. I mean, we only have to look at Equifax to see that. That’s a fundamental shift that’s going on right now and I think it’s important to note.
“Cybersecurity is an evolving process. You’re never able to say, ‘Okay, we figured it out, we can walk away.’”
What’s the hardest part of your job?
Turning information into intelligence. And that means understanding why this information matters. How can I apply it so I can better protect BP? How does it directly affect BP? And then getting buy-in with that. People have to understand why this cyber intelligence is relevant to them and to their business inside of BP. A lot of people still don’t necessarily understand that something poses a risk to them because it’s emanating from cyberspace. There’s the inherent thought process that people have, “Why would a nation-state target me? Why would they care about what I’m doing?” And it’s responding with, “Well, they don’t necessarily care about what you’re doing. You’re the conduit to get access to something else that is bigger, that they do care about.”
“It’s not acceptable for a seasoned senior executive to say, ‘I understand CFO issues but I have my CISO for the cyber ones.’ They have to learn the basics of cybersecurity. It’s just as relevant.”
What advice do you have for others looking to get into the cybersecurity field?
Often times, people think cyber is an IT issue that doesn’t necessarily deal with other types of security. The study of security is its own career path. There’s definitely relevance and value in learning that career path and learning some of the basics of how you provide security. What are the concerns? How does the intelligence cycle factor into providing security against different threats? Learning about what security is, what it’s grounded in, and how it works, even from a physical sense, is a starting point for moving into the cybersecurity realm. And then understanding the terrain, the landscape, of cybersecurity is the secondary aspect. That’s where you start to learn what cyber does, how and why it matters. How do computer networks work, what’s the base process used for how the system functions… Because once you understand that, then you can start thinking about how you can apply security principles to secure that environment.
Why do you think the unemployment rate for cybersecurity professionals is virtually nil?
The unemployment rate for cybersecurity professionals is negligible because technology, and specifically the internet, was built for an open-based society. It was not built thinking that it would be weaponized. The technology was built for the good things that it can do, not for the evil it can do. Now we’re finding there are bad things that may be intentional or unintentional. I do like to highlight that it’s not like there are more bad guys than good guys in the world. People inherently are good and they make decisions to do bad things. So, that’s how the internet was built. And people are making decisions to wittingly or unwittingly do negative things. Global business growth accelerated at such a fast rate and such a fast adoption cycle that security wasn’t assessed initially because it was more about “How can I grow this business and out-think?”
How would you characterize the state of cybersecurity today?
I would just say that cybersecurity is a full scope. It’s an evolving process. You’re never able to say, “Okay, we figured it out, we can walk away.” And it’s not a process like old-school technology where a company can say, “Hey, we recapped our Microsoft systems, we don’t have to come back to this for four more years.” Much like your physical security, it’s an evolving marketplace, an evolving threat landscape, and it’s something you need to stay after. You have to continually train yourself as part of this. Your learning can never stop. You have to continually go to classes, you have to continually self-educate. You can’t rest on your laurels.
“A lot of people still don’t necessarily understand that something poses a risk to them because it’s emanating from cyberspace.”
Sean recognizes that the work in cybersecurity is never done. As threats evolve, we must evolve as well. In helping an oil and gas giant recognize maintain the best possible security posture, he also helps others understand that cybersecurity is not just a technology issue, but grounded in the same principles as physical security. And he rarely does that in a hoodie.
Critical conversations on critical infrastructure
Find out how your peers are managing their networks through profound change. Watch this series of live interactive discussions with IT pros & join the debate in Slack.
SUNBURST/Solorigate Situation Briefing
BlueCat leaders discuss how the malware attack via SolarWind’s Orion platform exploited DNS and how BlueCat Edge could have helped to detect it.
Customer situation brief on SUNBURST/Solorigate
Learn more about the attack via the SolarWinds Orion platform and how BlueCat products use DNS to help protect customers against compromises like it.
On the road to platform hardening, consider a STIG
Security Technical Implementation Guides standardize security configuration on networks, servers, and devices. BlueCat uses them and you can, too.
To better see the threats on your network, try DNS
DNS is a vector used in most cyber attacks. When it comes to DNS, BlueCat can enhance visibility, detection, and containment of threats to your network.