The oil and gas industry relies heavily on automation for a variety of operations. By leveraging new automation technologies—such as deepwater drilling, tar sands and fracking—additional fuel sources have been made available for the first time. Concurrently, collaboration across the third-party value chain has yielded specialist properties and equipment resulting in efficiencies that were previously thought impossible.
The orchestration required to find, extract, refine, mix and, ultimately, deliver oil and gas all rely on the nonstop availability of operational technology (OT) infrastructure, which includes maintaining the security of devices and processes to prevent downtime.
In a recent Ernst & Young poll, 60 percent of respondents indicated that they experienced a significant cybersecurity incident, and 95 percent said their cybersecurity function does not fully meet their organization’s needs. Meanwhile, a recent United States Department of Homeland Security (DHS) report identified nearly 900 security vulnerabilities within U.S. energy companies, a figure that was higher than any other industry.
Several recent incidents confirm that the oil and gas sector is in the crosshairs of cyberattackers. For example, in December 2018, Italian oil and gas industry contractor Saipem was victimized in a cyberattack that affected servers based in the Middle East, India, Scotland and Italy. In 2017, a hacking group known as Xenotime shut down a Saudi oil and natural gas facility.
Oil and gas production and refining require close cooperation and support from third-party partners and specialists along the value chain. This exposes the OT infrastructure to external actors and potential new sources of risk.
Exploration and drill sites are often located in remote locations where implementing OT security controls is not always feasible. In addition, transportation pipelines increase security complexity since they are both remote and distributed.
The convergence of information technology (IT) and OT operations, combined with the increased adoption of internet of things (IoT) technology to boost efficiencies and reduce costs, is creating a much larger attack surface to be protected.
Finally, oil and gas OT infrastructures that were once isolated are today connected to IT and have been opened to remote access. This erosion of the traditional “air gap” makes it possible for bad actors to penetrate parts of the operations environment from either the IT or the OT side.
Security Starts With Visibility
Due to the high cost of downtime and need to adhere to strict production schedules, it is often difficult or impossible to stop oil and gas operations to perform routine maintenance or even apply patches when a security vulnerability is discovered. Furthermore, in remote and distributed environments, maintaining an up-to-date inventory to identify specific devices that need to be remediated is challenging. As a result, vulnerability windows indefinitely expose operators to both known and unknown threats.
Therefore, monitoring the OT environment is a critical first step in securing oil and gas operations. This requires the ability to routinely perform inventory checks and maintain up-to-date visibility into devices, including model numbers, firmware versions, vulnerabilities, patch levels and more. Doing so provides the accurate and detailed information needed to pinpoint devices that are at risk and allows mitigating actions to protect them until operations can perform the required remediation.
Maintaining Control Across All Sites
Since many oil and gas operations span the globe, maintaining a consistent level of security that reaches from the main campus to remote locations is critical.
This requires access and configuration control extending to all locations regardless of how remote or distributed. By periodically querying individual devices at all locations, operators can detect when intended or unintended changes are made.
It is important to query OT devices like pumps and systems, as well as servers, workstations, networking equipment, gateways, and any other devices that are critical to regular network operations. Deep knowledge, including visibility into all types of devices, patch levels, firmware versions and backplane information is essential. It is also critical to account for dormant devices that are not communicating regularly over the network.
At the main location this can be performed via an on-premises system. At sites that are either too small or too remote to accommodate a dedicated security device, cloud-based monitoring and management may be used. These live feeds make it possible to achieve an always up-to-date OT security posture.
To comply with industry standards including American Petroleum Institute (API) Standard 1164, Department of Energy (DOE) Cybersecurity Capability Maturity Model, the International Electrotechnical Commission (IEC) 62443 and International Organization for Standardization (ISO) 27000, a comprehensive audit trail on the state and change history of every device
From a security standpoint, this audit data on the specific condition of each device must be correlated with vulnerability knowledge bases to identify and address risks. Because the threat landscape is dynamic, this information should be updated regularly and kept in sync with newly discovered vulnerabilities. If a deviation is detected, it should be captured in real time, as well as historically.
Furthermore, when changes are made, a full audit trail should be captured. This should include the user that logged in, the processes that were running, the code downloads initiated, as well as whatever was changed in the environment and more. Capturing and maintaining this detailed information can help speed incident response and demonstrate proactive compliance both internally and to external compliance organizations.
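One way to implement the periodic inventory comparison, dormant-device check and vulnerability correlation described above, as an added Python example that is not from the original article; the device names, models, firmware versions and advisory ids are constructed placeholders, and the snapshots stand in for the results of polling each site:

```python
from datetime import datetime, timedelta

# Constructed sample inventories (hypothetical device names, models and versions).
BASELINE = {
    "PLC-WELL-07": {"model": "ExamplePLC", "firmware": "3.1.0", "last_seen": "2024-05-01T08:00:00"},
    "RTU-PIPE-12": {"model": "ExampleRTU", "firmware": "1.4.2", "last_seen": "2024-05-01T08:00:00"},
    "HMI-REF-03":  {"model": "ExampleHMI", "firmware": "7.0.1", "last_seen": "2024-05-01T08:00:00"},
}
CURRENT = {
    "PLC-WELL-07": {"model": "ExamplePLC", "firmware": "3.2.0", "last_seen": "2024-05-08T08:00:00"},  # firmware changed
    "RTU-PIPE-12": {"model": "ExampleRTU", "firmware": "1.4.2", "last_seen": "2024-05-01T08:00:00"},  # silent for a week
    "HMI-REF-03":  {"model": "ExampleHMI", "firmware": "7.0.1", "last_seen": "2024-05-08T08:00:00"},
    "GW-SITE-99":  {"model": "ExampleGW",  "firmware": "0.9.0", "last_seen": "2024-05-08T07:55:00"},  # not in baseline
}
# Constructed advisory feed: model plus affected firmware versions (placeholder ids).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "model": "ExamplePLC", "affected": {"3.2.0"}},
    {"id": "EXAMPLE-ADV-002", "model": "ExampleGW",  "affected": {"0.9.0", "0.9.1"}},
]

def detect_drift(baseline, current):
    """Compare two inventory snapshots; return audit records (device, field, old, new)."""
    events = []
    for dev, cur in current.items():
        base = baseline.get(dev)
        if base is None:  # device appeared that was never inventoried
            events.append((dev, "new_device", None, cur["model"]))
            continue
        for field in ("model", "firmware"):
            if base[field] != cur[field]:
                events.append((dev, field, base[field], cur[field]))
    for dev in baseline.keys() - current.keys():  # device vanished from the site
        events.append((dev, "missing_device", baseline[dev]["model"], None))
    return events

def find_dormant(current, now, max_silence=timedelta(days=3)):
    """Devices that have not reported within max_silence still need review."""
    return sorted(d for d, v in current.items()
                  if now - datetime.fromisoformat(v["last_seen"]) > max_silence)

def correlate_vulns(current, advisories):
    """Map each device to advisory ids whose model and affected firmware match."""
    hits = {}
    for dev, v in current.items():
        ids = [a["id"] for a in advisories
               if a["model"] == v["model"] and v["firmware"] in a["affected"]]
        if ids:
            hits[dev] = ids
    return hits
```

Each drift event and dormant flag is the kind of record that belongs in the per-device change history, and the correlation step is what turns the inventory into a prioritised remediation list.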
Implementing industrial cybersecurity controls is essential for addressing risks associated with the increasing digitalization of oil and gas operations. To mitigate OT security threats, full visibility into all the operational assets that control processes across exploration, extraction, refinement and delivery is a baseline requirement.