Ensuring Cybersecurity for the Chevron/REG Acquisition


The May 17, 2023, Accenture Operation: Next ’23 OT Cybersecurity Summit discussed prioritizing protection, defense and resilience. Of particular interest was Chevron’s recent acquisition of Renewable Energy Group Inc (REG).

Jim Guinn, senior managing director and cybersecurity leader at Accenture, spoke with Chris Lukas, CISO at Chevron, during the discussion titled “Energy Expansion: The New Risk Frontier.” The discussion elaborated on securely accelerating sustainability, balancing security risk with business rewards, and safety and security that keeps pace with innovation.

Chevron acquired the Ames, Iowa-based REG—one of the largest biofuels producers in North America—in February 2022. REG is one of the leading manufacturers in the world of renewable biofuels, specifically biodiesel. Lukas shared what he learned and offered advice during this discussion. “There was a lot to learn from mergers and acquisitions (M&A) in acquiring REG,” he said. “With REG, we acquired 13 different manufacturing sites.”

Lukas explained that this is a different type of manufacturing along with the feedstocks REG brings in. “It is bringing in beans, corn, and solid waste to convert into biofuels, and then later into diesel. It’s a very different model for us to learn from and react to from a cybersecurity perspective.”

With any M&A endeavor, it is important to understand the culture of the organization being acquired. Lukas explained that with any type of acquisition, “you would love for all the technologies to line up as you walk in the door, which is often not the case. You’re using different types of technologies; you’re often living in two different worlds at the same time for a while. We want to make sure that we’re allowing [REG] to innovate, allowing them to bring that great culture into the Chevron family, and that we don’t quell their ability to innovate. From a cybersecurity perspective, we want to understand their culture and how we can actually be an enabler to them,” he said.
 

Key considerations

Lukas said there’s a lot to focus on when considering a business as complex as REG, with multiple manufacturing sites, a different culture, and a different size and complexity. “First, understand what you are acquiring from IT [information technology] and OT [operational technology] perspectives because they’re going to look different, they’re going to operate differently, and there will be different technologies. It’s really important to understand the complete risk picture from an acquisition standpoint. Understand the operating model because you may have two different operating models; there may be a different set of tools and processes that exist from a cybersecurity perspective.”

Lukas also recommended focusing on incident response. “That’s where we take a proactive approach to ensure we have incident response protocols [in place] quickly, regardless of what tools are [in position],” he said. “We need to make sure we can respond to any incident because on day one, you’re inheriting that risk. If there’s an incident, it’s on you to detect, respond, and recover.”

Chevron took a proactive approach to assessments early in the process, evaluating higher-risk areas in the corporate environment. Lukas advocated understanding the risk on the IT and OT sides so you can take proactive actions before integration. “You want to integrate quickly. It’s really important to have a partnership between cybersecurity and the business to help understand the risk, how you can properly manage it, build a timeline for integration that meets the needs of both businesses, and then the risk profile that you’re trying to manage.”

Ransomware continues to be an issue that all companies must deal with at some point. “That’s not necessarily just nation states, but also criminals; they’re looking to make a dollar,” said Lukas. “It’s something that we’re very concerned with. Where I see a transition is in intellectual property [IP] theft. Intellectual property theft is still happening. We know that other countries are looking at technologies in the renewable and new energy space. Why invest in R&D if you can simply steal?”

Chevron’s cybersecurity strategy has evolved since its acquisition of REG. “We put a lot of focus on integration,” Lukas said. “We need to make sure our strategy includes a very strong business engagement around integration. One of the key things we had to discuss is who has decision [making] rights. Who has decision rights when we integrate these systems in both the IT and the OT side?”

Lukas encourages cyber professionals to know as much about the business as possible. “That way, we can actually protect them better, as in partnership,” he said. “From a strategy perspective, it’s gaining the knowledge of how that business operates so that we in the cybersecurity realm can actually support them.”

According to Lukas, people are foundational to cybersecurity. “There is a worldwide shortage of cybersecurity professionals,” he said. “It’s important to make sure the cyber professionals we do have are equipped for today’s modern cybersecurity challenges. In the renewable space, it’s a different business, it’s a different set of technologies. Make sure you’re investing in their knowledge. Investing in people is very important—specifically in our OT engineers and our risk professionals that do assessments. It’s really important that cybersecurity is not looked at as something that slows down innovation or slows down integration.”

Key takeaways

The discussion between Lukas and Guinn provided several key considerations regarding acquiring a new company as part of an expansion strategy:

  • Understand what you’re acquiring from both IT and OT perspectives.
  • Understand the complete risk picture including downstream players.
  • Understand the operating model, especially for the first 90 days.
  • Know the incident response protocols; the bigger company doesn’t always have the better process.
  • Get in early. The earlier you can be in on business development discussions the better. This gives you visibility into the full scope of the acquisition to build into your risk equation.
  • Have a playbook. Once you learn of an acquisition, have your M&A playbook ready and continually update and improve it after each use.
  • Be prepared. As new technologies are introduced, intellectual property loss concerns are amplified given the growing global interest in the renewable and new energy space.
  • Dig deep. To protect your organization, you need to know as much about how the business operates as possible. The risk profile of an acquired company can change dramatically once you understand its health, safety, and environmental (HSE) impact.

About The Author


Jack Smith is senior contributing editor for Automation.com and ISA’s InTech magazine. He spent more than 20 years working in industry—from electrical power generation to instrumentation and control, to automation, and from electronic communications to computers—and has been a trade journalist for more than 25 years.

