June 2018, Vol. 245, No. 6
Features
The Next Generation of Cybersecurity in Oil and Gas
By Roman Arutyunov, Xage Security
As the next wave of economic growth and development steadily emerges, more and more industries are transforming their operations into cyber-physical ecosystems – replete with emerging technologies such as IoT, edge computing, artificial intelligence (AI), robotics, data-driven automation, and analytics.
For oil and gas, the internet of things (IoT) promises increased production output, enhanced efficiency, remote maintenance, and faster time-to-market. As a result, operators are increasingly moving to embrace digital oil fields and smart pipelines.
However, while digitization has rapidly increased within the industry, development of comprehensive security systems to protect these newly-connected, software-driven operations has lagged behind. Existing security systems within the industry are often centralized and network-based.
This means they don’t offer fine-grained control of operations in the field and create significant network management issues. With thousands of IoT devices and connected SCADA systems now in play, many oil and gas companies are operating on a highly vulnerable network of connected machines, people and applications. With this exposed network comes a heightened potential for attack.
In many companies, for example, the majority of remote terminal units (RTUs) are not password protected but use default or hard-coded credentials, allowing an attacker to enter through a single compromised unit and quickly spread throughout the entire network, wreaking havoc on production. Connected control systems that manage oil wells are also prime targets for attack.
With existing systems, there is a direct line of communication between the well and the tank, such that when the tank is full of oil, the well will stop pumping. With newly digitized, fully networked control systems and lower barriers to entry, however, the attack surface has increased significantly. This means a manipulated control system can quickly result in a production halt – or worse.
These types of attacks aren’t just a future threat; they’re already happening across the industry. Because operators tend to keep details of these attacks private, the instances below, known from reports, are assuredly a small sample of the true scale of attacks happening today:
- 2012: Pipeline company lost their databases via a contractor’s SCADA-management network.
- 2013: Cyber-attack linked to a pipeline oil spill in residential neighborhood.
- 2013 (and ongoing): Nation state-sponsored cyber-attacks against Aramco, RasGas and others have damaged tens of thousands of systems.
- 2016: A series of fires linked to petrochemical plants attacked by malware.
- 2017: BrickerBot bricked millions of IoT devices across multiple industrials, targeting communications systems.
- 2018: Schneider Triconex’s control system taken down across multiple industries by Triton.
The question is, why are these attacks on such critical resource networks still happening today? The reality is that industrial systems have different security needs than corporate enterprises, and as such need different security approaches from the existing IT security models.
The scale of machine-to-machine cooperation necessary for truly optimized production in oil and gas cannot exist without comprehensive protection. To solve the current security challenges facing the industry and take advantage of the capabilities promised by Industrial IoT (IIoT), a new vision for security must be embraced.
Blockchain technology, primarily known for its use in financial systems and exchanges within cryptocurrency, is a decentralized and tamper-proof ledger of digital data, mapping perfectly to meet the security challenges posed by the distributed nature of operations. By sharing identities and access control policies across the ledger, blockchain enforces continual cooperation across all devices and applications.
This means that when a rogue device or malware tries to enter and attack an industrial control network, the existing devices can establish a consensus to identify and isolate the bad device or application. This makes the system self-healing, without human intervention – eliminating the risk of a system-wide attack. Critically for the oil and gas industry, this ensures production can never be interrupted by compromised access to HMIs, SCADA systems and remote assets. P&GJ
Author: Roman Arutyunov is the co-founder and vice president of Products at Xage, previously having held executive positions with ABB, Tropos Networks, and Mimosa Networks. He earned a bachelor’s in applied mathematics with an emphasis in computer science at the University of California, Berkeley and an MBA from Columbia University.