February 2019, Vol. 246, No. 2
Features
Staying Secure While Migrating to the Digital Oil Field
By Amos Stern, CEO, Siemplify
The growth of digital technologies brings both benefits and risks to companies in the oil and gas industry migrating to the digital oil field. The major risk is the ability to keep their cybersecurity posture up to date in the face of ever-increasing vulnerabilities and threats.
In April of 2018, at least four U.S. pipeline companies saw their electronic data interchange (EDI) system shut down due to a cyberattack. A Ponemon Institute survey of oil and gas risk security managers showed that 68% of companies suffered at least one security compromise in the last 12 months.
Cyber-attacks are becoming more difficult to defend against, which means understanding the current threat landscape, and finding ways to secure the operating environment, is more crucial than ever.
In almost all industries, including oil and gas, an organization’s digital footprint grows as the company expands into spaces like IoT, mobile, and cloud. But as company infrastructure (such as an on-premises server) is distributed across various types of digital infrastructure, it too becomes more exposed to cyber threats and breaches, which means the attack surface is also growing.
For example, the bigger your house is, the more windows you have, and the more vulnerable it is to a break-in. As the oil and gas industry becomes more digital, the greatest risk is the one associated with an organization’s critical infrastructure or industrial control systems (ICS).
It’s no longer about the physical equipment, like wells and offshore machinery, though those too can become vulnerable as more companies connect them to the network. Digitization allows for more accurate measurement and deeper visibility, but internet connectivity also means devices can be accessed remotely, and maliciously. This is cause for huge concern since attacks targeting the oil and gas industry or power grids are more than just about stealing data as they take on an actual physical manifestation.
Notable examples include the malware that took down a Ukrainian power grid, where hackers “blacked out a portion of the capital equivalent to a fifth of its total power capacity,” and the widespread cyber-attack on German energy providers, where hackers tried “penetrating the computer networks of many German energy and electricity providers.”
Top Threats
When it comes to securing a system, it’s important to figure out the top threats first. For ICS, these include:
External threats – Targeted cyber-attacks seeking collateral damage.
Insider threats – Usually by disgruntled employees or compromised IT devices. These are also much harder to track because “insiders” can easily connect to the network. Additionally, many oil and gas companies work with a number of outside contractors – so lots of people coming in and out – making it also hard to track who’s using the system and when.
Human Error and Negligence – Unintentionally insecure on-site equipment. There are so many machines and physical systems likely lying around that are hard to 1) update and 2) keep track of in the first place.
Outdated Equipment – A lot of existing, traditional infrastructure was likely not developed by software or IT vendors, meaning these systems weren’t necessarily built with security top of mind. A lot of times security should be added after the fact, but it’s not.
The IT/OT Gap – Many organizations have two separate divisions: traditional IT (servers, workstations, and network) and “OT” or operational technologies (oil wells, trucks, etc.), which are typically managed by teams who sometimes report to different managers. The IT/OT gap stems from both different priorities and technical mindsets.
- Priority: For IT, the priority is confidentiality (making sure data is secure), while for OT it’s availability (making sure operations are up and running).
- Technical Mindset: For IT, the focus is on protecting data (personal computers, devices secured by design, networks), while OT’s focus is on operations, SCADA and “naïve” devices with no security built in.
Proprietary Protocols – Those working in IT networking likely have intrusion prevention systems to monitor traffic. In ICS, every new system invents some proprietary protocol, which becomes hard to track and monitor at scale. It’s also hard to track the various configurations, especially when new inventory is constantly being added.
Operations Challenges
The cornerstone of cyber defense is the security operations team. The Security Operations Center (or SOC) is in charge of monitoring the company’s infrastructure and investigating and responding to suspected cybersecurity issues. It is customary to think of SOCs as a trifecta of people, process and technology, but each comes with its own set of challenges:
Technology – Modern security operations need to deploy dozens of detection and prevention technologies. These technologies often lack integration and work in isolation. Most technologies generate “alerts” that need to be investigated, and modern SOCs are inundated with more alerts than they can ever properly address.
Processes – Processes for investigation and response are typically manual, undocumented and inconsistent – it becomes too hard for individuals, or even teams, to manually track activity across all security systems in order to investigate a threat.
People – With over two million unfilled cybersecurity positions, finding the right people to staff your SOC is a huge challenge. Many companies hire junior people, expecting them to make the most important decisions, but many times, these individuals lack the qualifications, or do not have enough visibility and/or data, to make those decisions. This is how alerts get missed or fall under the radar because people cannot identify the needle in the haystack.
Steps to Improve
1. Automate and Orchestrate Security Operations
Given the aforementioned challenges, it’s clear that security operations need to be managed much like other operations functions (such as HR, sales or marketing). From a technology perspective, this underscores the need for a security operations platform (much like CRM is used to run sales).
A prime objective should be to define and codify security processes (or “playbooks”) and automate as many of the activities as possible so that scarce analyst resources can focus their time on high value work. Another imperative is to track and measure KPIs and drive continuous improvement. All too often security operations teams never find the time to rise above the daily firefighting and analyze how they can improve.
2. The Ever-Changing CISO Role
The CISO role has evolved in recent years, with more board-level visibility and mindshare. The CISO isn’t just a technical position anymore, but a business-leader that must communicate the impact of security in business terms. For oil and gas companies, this means that organizational silos need to be overcome, and comprehensive and integrated security of OT and IT is centralized under the same hat. The CISO also needs to be more business-oriented and able to understand and measure how security impacts business outcomes.
3. Security Preparedness
The oil and gas industry is perpetually prepared to respond to incidents: hurricanes, supply issues, regulations, and accidents. Safety and incident response are in its DNA. Cybersecurity should be no different.
Today, much of incident response is reactive. However, in order to run a more secure operation, a change in mindset needs to happen where incident response plans are created in advance. Planning should be conducted end-to-end and include not just how you protect your infrastructure, but also how you detect suspected cyber-attacks and respond accordingly.
The oil and gas industry will continue to be a lucrative target for cyberattacks. Failing to balance digitization with improved cybersecurity practices may result in a blackout for companies’ balance sheets, not just their power stations. Understanding and addressing the key cybersecurity challenges will better position you to “keep the lights on” – figuratively, and literally.
Author: Amos Stern is the CEO and co-founder of security orchestration, automation and response (SOAR) provider Siemplify. Amos has extensive experience managing and training global security operations teams as part of both the Israeli Defense Forces and Elbit Systems’ Cyber and Intelligence Division.