September 2021, Vol. 248, No. 9


Securing America’s Critical Energy Infrastructure: 5 Steps for Operators

By Dillon Dieffenbach and Val Mukherjee, Ernst & Young LLP 

Seemingly overnight, the oil and gas sector was rocked by news of a ransomware attack against a pipeline operator that hobbled critical infrastructure in our nation’s energy supply, rapidly followed by similar attacks in other sectors.   

Source: “EY Global Information Security Survey 2020,” Ernst & Young Global Limited, 2020.

It seemed like science fiction about a future dystopia: an attack by a network of cyber criminals, demanding millions in a stateless digital currency, disrupting operations so thoroughly that gasoline shortages developed on the East Coast. But it wasn’t the future – it’s now the recent past.  

To exploit a system at the level of the recent ransomware attack requires being in the network for a long time – possibly years. Today, fearing the worst, oil and gas companies – and the federal government – are putting a renewed emphasis on cybersecurity in this crucial component of our nation’s critical infrastructure sector.  

Security and trust are the basis of business. Each new strategy pursued, or technology implemented, introduces new variables in security that could affect trust relationships. For instance, the oil and gas sector is seeing a lot of mergers and acquisitions and consolidation activity right now, and it’s not just assets changing hands – so are cybersecurity risks.   

In this threatening and confusing landscape, operators can take the following five steps:  

  1. Treat operational technology (OT) with as much rigor as information technology (IT)

OT typically was designed for ease of use in another era, predating cybersecurity compliance regimes, as well as the gradual embrace of a “security-by-design” mindset in product engineering. In fact, the oil and gas sector has lacked both a security mindset and an overall cybersecurity compliance regime with standards and controls. By contrast, a scheme has been developed in the last decade for the power and utilities segment, which arguably offers similar critical infrastructure upon which our nation relies.  

OT also typically takes decades to update and upgrade, while IT has evolved much more rapidly. This can give owners and operators the impression that OT isn’t connected to the internet and is living apart from the rest of the business in so-called air-gapped environments.   

This is an illusion that the recent ransomware attack shattered, highlighting the need to understand the many interrelationships between IT (including finance systems) and OT, and build resiliency into the entire system.  

In fact, OT and IT are increasingly converging. For instance, thousands of sensors have been deployed to gather data about pipeline safety management, providing data that can be analyzed to enable predictive maintenance.   

An EY survey from 2020 shows that the sector is placing a large bet on these technologies: 80% of oil and gas companies say that they plan to invest a great or moderate amount in digital relative to their total budget. But in the wrong hands, this information can open a window into a company’s operations and points of vulnerability.  

In the “EY Global Information Security Survey 2020,” over 60% of respondents said the cyber or enterprise security function has taken over OT security. They must confront a different world of protection: thousands of control valves, piping and other possibly connected physical infrastructure components may need to be taken offline, at least for a short time, to be upgraded.   

It’s not as simple as automating the rollout of a new software patch. This may mean, in some cases, that operators need to take plants offline entirely, sometimes for a matter of days. Therefore, upgrades and replacements must be considered within a security-by-design mindset, and not as another layer to add on after the fact.  

  2. Scrutinize connection points

As the recent ransomware attack showed, companies today, across all sectors, must continuously assess their cyber infrastructure and programs and have command over their network architecture and user access levels, especially amid the growth in partnerships with third parties.   

At many companies, “shadow IT” – in which the business moves ahead independently with technology decisions – potentially exposes operations to backdoor methods for sharing data or creating connections without the business stakeholders understanding the implications, especially when cloud services are involved.    

As noted, more and more sensors are collecting more and more data about a company’s operations. That data and the critical tools used in the day-to-day business are often being stored in the cloud. What if something happens to that cloud provider – if it’s breached or an attack knocks it offline?   

This is not an argument against cloud computing, but rather acknowledgment that there is a need to understand the end-to-end relations between systems and data: who’s connecting, why, have they done their due diligence, and what must be done now and when an attack occurs.  

Automation has a role to play in this environment of rapid deployments and transitions. Monitoring for and recognizing malicious activity goes beyond what is humanly possible to track. Therefore, visibility is needed at an automated scale, relying on vetted and validated models of artificial intelligence, for example, to identify and surface anomalies that are prioritized by risk.

  3. Sharpen the workforce’s focus on security

Companies understand that their system maturity is important. But so is their people’s security capability maturity: whether their workforces have the skills they need to be effective in a rapidly changing world. Yet, the “EY Oil and Gas Digital Transformation and the Workforce Survey” shows the gulf between what companies want to do with their investments in technology and what their workforces are equipped to pull off.   

Respondents estimate that 60% of their workforce needs to be reskilled or upskilled, with 10 months required to reskill the average worker. Cybersecurity was noted by executives as the second most important skill in their workforce, yet the gap between the strategic importance and the current maturity of cybersecurity skills was at 28%. How to fill this gap can be a challenge. About half (49%) do not believe their organization is good at teaching in-demand skills; just 3% strongly believe their organization is good at it.   

The workforce must be enabled to treat security as a fundamental component of system reliability and safety. Replacing old equipment isn’t enough. Workers must understand the equipment, its impact on the upstream and downstream environments, and how it interacts with legacy equipment.  

Furthermore, the workforce needs to be consistently educated and reminded how to identify suspicious communications, such as carefully crafted phishing emails and other potential methods of attack, as employees often inadvertently let intruders into the system.  

Cyberattacks on systems with overlapping safety functions can have devastating consequences, so protecting those systems should be prioritized; doing so extends the sector’s well-understood and recognized focus on safety. Trusted advisors can play a role here. Amid a battle for cybersecurity talent, outside groups, such as EY professionals, can perform assessments and help companies create strategies to amplify the impact of dedicated, but often overstretched, in-house security professionals.

  4. Build resiliency based on context, not just security

A well-designed security system that appropriately considers cyber-hygiene and uses the right suite of properly configured security automation tools can successfully prevent – or at least significantly limit the impact of – the majority of cyberattacks.

However, in today’s dynamic environment, with new technologies exposing new threats that new threat actors can exploit with new techniques, it’s naïve to think that the security infrastructure will always be a step ahead.   

The MITRE ATT&CK Framework, for instance, is useful for thwarting attacks and boosting a company’s “attack IQ,” but any framework should be coupled with preparedness to plan for the worst happening.  

For all practical business and technology purposes, such preparedness should not aim at the highest possible maturity level, because such goals usually are unattainable. Rather, the focus should be on understanding the environment and setting priorities for the critical contexts under which the business’s operations need to continue. Then, a combination of compensating controls needs to be implemented across the key systems connected to these critical scenarios.

A clear program structure and incident response process at every level, which consider key third-party interrelationships, are crucial should a company experience a breach. For too many companies in the industry today, however, current processes are no more sophisticated than making a phone call to the person in charge.   

To improve, companies should perform both technical and governance-focused tabletop exercises, which are simulations that can help prepare for such an emergency, to help identify where gaps exist and where the response is lagging. These incident response plans must be practiced and cross OT and IT boundaries, with active involvement from the business.  

  5. Work with government and industry associations

Source: “EY Oil & Gas Digital Transformation and Workforce Survey,” Ernst & Young Global Limited, 2020.

Executives may hesitate to be open and transparent in conversations with regulators, or other parts of the government, due to a fear of reciprocal legislation. Operators worry that by sharing what they are most concerned about, regulatory bodies will overreact and create standards and rules about what must be done without regulators having a thorough understanding of the potential impacts to these businesses.   

This discussion, however, centers around risks to the national critical infrastructure – not one company – and one player cannot mitigate the risks independently. More than ever, the oil and gas sector must be engaged with the public sector. These discussions can be the most impactful and focused on the risks that matter through strong engagement between the industry, lawmakers and regulators.  

And new requirements are coming. For one, there’s an incident notification mandate from the Transportation Security Administration that applies to certain pipeline and natural gas facilities. In-scope companies also are going to be required to perform an assessment relating to certain security controls, such as multifactor authentication and encryption.

Audits, from the government or an independent third party, could become mandatory in a regime similar to the one that exists today for power and utilities companies. Oil and gas companies should think proactively about how to prepare – for instance, with a third-party assessment.  

If a company has uncovered or thwarted a breach or a cyberattack, it should inform law enforcement, including the FBI or the Secret Service (for certain incidents and indicators of potential financial crimes), so the sector can better understand the threat landscape and be proactive in addressing it.   

The Oil and Natural Gas Information Sharing and Analysis Center, which gathers and disseminates cyber-threat information specifically for the sector, is another organization to engage.   

Sharing information helps provide advance notice for others in the sector, thus preventing disruption, and it can shape careful scenario planning to address future cyber threats in a more meaningful way.  

For the oil and gas sector, the cybersecurity challenge requires collaboration and a holistic understanding of organizations’ connected environments across OT and IT. This knowledge equips the organization to better confront the ransomware challenge of today – and the threats that will emerge from the shadows tomorrow.  

Authors: Dillon Dieffenbach is a principal at Ernst & Young LLP and serves as the EY Americas Energy and Resources Cybersecurity Leader. He has more than 20 years’ experience helping energy companies manage cybersecurity and technology risks across the enterprise.   

Val Mukherjee is a managing director at Ernst & Young LLP and serves as the EY Americas Oil & Gas Cybersecurity Leader. He works with oil and gas companies to mitigate risk and provide security, safety and privacy considerations in their digital transformation journey.   

The views expressed are those of the authors and do not necessarily reflect the views of Ernst & Young LLP or any other member firm of the global EY organization.  
