A new direction for cybersecurity

Jim Crowley, Industrial Defender, USA, outlines the importance of cybersecurity in the oil and gas industry, and provides a step-by-step guide to cultivating a more cyber-aware business.

The demand for stronger cybersecurity controls in the oil and gas industry soared in 2021. High-profile cyber incidents in the past five years, including the Colonial Pipeline incident, the 2020 ransomware attack at an unnamed US natural gas facility, and the devastating TRITON attack, all garnered significant media attention because of the real-world impacts that were felt by both the companies and their customers.

Although cybersecurity has had an increased presence in the news cycle, it is not a new phenomenon. In 2012, Chinese hackers broke into the systems of one of the largest gas supervisory control and data acquisition (SCADA) system providers, and stole project files and source code. The industry’s reaction was muted, with the system vendor downplaying the incident. Heads were stuck in the sand, and over a decade was lost for most companies that desperately needed to address the issue. These systems are still widely deployed.

OT vs IT security

As anyone working at an industrial facility knows, real-time systems are different to the systems found in the data centre, or applications that are cloud-based. The real-time nature and network protocols of SCADA-based technologies create challenges for deploying standard IT tools and technologies in oil and gas infrastructure.

Some technologies can be the same, such as firewalls that exist between plants and corporate networks, or anti-virus software that an original equipment manufacturer (OEM) has tested and recommended to run on human-machine interfaces (HMIs) and servers. However, other technologies with heavy footprint agents that block processes, such as managed detection response (MDR) tools, are disliked by OT engineers, as expert human operators need to remain in the loop with regards to any changes to real-time processes.

Further complicating matters, IT usually has specialised tools and skillsets to manage the different disciplines. There might be a network engineer that has sophisticated IT network tools, a data centre specialist that has tools to manage corporate Linux and Windows servers, or a desktop specialist that has desktop tools. If a company has a security operations centre (SOC), it may have security information and event management (SIEM) and MDR tools to manage risk on IT assets.

Oftentimes, OT faces all of the same challenges as IT when it comes to managing industrial networks, but not the specialists or tools to run them. Operators should be looking for strategies and tools that are OT-focused in order to manage the unique requirements of their control system infrastructure.

Playing catch up

Step one: carry out an assessment

Across social media, television and other outlets, there are an increasing number of advertisements promoting ways to protect systems from a cyber attack. Whilst it might be tempting to implement these readily-available tools quickly, it is best to undertake a cyber assessment to determine where the biggest risk lies, and where investments need to be made in order to plug the gaps.

There are quite a few consulting companies that specialise in carrying out OT assessments, with different scope and price points. Deloitte, Accenture, ABS and Burns & McDonnell all have dedicated OT security teams for the oil and gas industry that can conduct a risk assessment and make recommendations on setting up a program.

Table 1. Safety/security matrix

Safety issue                            | Cybersecurity issue
Near safety misses                      | Near security incident – i.e. malware detection
Minor safety incidents                  | Breach with no operational downtime
Safety incidents that lead to downtime  | Cyber incident that requires remediation and leads to facility downtime
Fatalities                              | Fatalities

Step two: choose a standard

“You can’t manage what you can’t measure” is a common quote in management consulting circles, and it truly does apply in this context. Managing risk is what a successful cyber program is all about. A program will never be 100% risk-free, but by implementing a cyber standard and getting the organisation on board to reduce risk, a program can be truly effective over time.

Most OT cyber standards come from the same playbook, but choosing one such as the Center for Internet Security (CIS) Controls, NIST CSF (this may be a requirement for some firms in the near future) or IEC 62443 will help to successfully manage risk in an OT environment, and demonstrate results to senior management or the board.

Step three: deploy foundational OT security controls

All of the common cybersecurity standards will recommend deploying foundational security controls on OT assets as part of their program. In fact, the CIS – a non-profit cyber standards body – has published studies that demonstrate that by implementing just the top five controls to systems, the risk of breach can be reduced by 85%.

The top five recommended controls are:

- Inventory of hardware assets – create and maintain an accurate inventory of all hardware devices in OT environments.
- Inventory of software assets – create and maintain an accurate software inventory for the end points in OT environments.
- Configuration change management – monitor for any configuration changes in hardware and software.
- Vulnerability monitoring – proactively identify and mitigate vulnerabilities to minimise the window of opportunity for attackers.
- Event log management – create, maintain and monitor OT security event logs to help detect and respond to a cyber attack.

Step four, five, six and beyond: focus on maturing the security program

Once the foundational controls are in place, companies should start to work on more advanced program enhancements, such as the following:

- Establish metrics on the program and measure them. Companies should ask themselves: how many critical unpatched systems do we have? How many devices are not communicating or need to be onboarded? Is someone reviewing baselines daily or weekly?
- Develop policies and monitor users and passwords, and implement the recommended policies stipulated by the company’s chosen standard. For example, passwords should be of sufficient strength and aged out periodically.
- Deploy an OT network intrusion detection system (IDS) to monitor outbound communications and carry out deep packet inspection (DPI) on traffic. Having an IDS will provide an additional layer of visibility into what is happening on a network. Understanding what outbound connections systems might have – or start to have – as well as examining network activity for suspicious traffic, could be an early indicator of compromise.
- If an organisation is large enough, companies could consider building a security operations team to review alerts 24 hr/d, or outsource to a group that has OT security operations experience.
- For very large organisations, there are also advanced machine learning technologies – as well as threat intel feeds – that can help provide situational awareness on top of the foundational controls to augment standards-based programs.
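The following is an added illustration, not code from the article or from Industrial Defender, of how the foundational controls in step three (hardware and software inventory, configuration change management) and the step-four metrics (unpatched critical systems, devices that have stopped communicating) can be computed from two inventory snapshots. The asset names, versions and timestamps are constructed sample data, and the 24-hour "not communicating" threshold is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample snapshots (hypothetical assets, not data from the article).
# hostname -> {role, software {name: version}, last_seen (ISO), critical_unpatched}
BASELINE = {
    "HMI-01": {"role": "HMI", "software": {"scada-client": "4.2", "av-agent": "12.1"},
               "last_seen": "2021-11-01T06:00", "critical_unpatched": 0},
    "HIST-01": {"role": "historian", "software": {"historian": "9.0"},
                "last_seen": "2021-11-01T06:00", "critical_unpatched": 1},
    "PLC-07": {"role": "PLC", "software": {"firmware": "2.31"},
               "last_seen": "2021-11-01T06:00", "critical_unpatched": 0},
}
CURRENT = {
    "HMI-01": {"role": "HMI", "software": {"scada-client": "4.2", "av-agent": "12.1",
                                           "remote-tool": "1.0"},
               "last_seen": "2021-11-02T06:00", "critical_unpatched": 0},
    "HIST-01": {"role": "historian", "software": {"historian": "9.0"},
                "last_seen": "2021-10-30T06:00", "critical_unpatched": 1},
    "PLC-07": {"role": "PLC", "software": {"firmware": "2.35"},
               "last_seen": "2021-11-02T06:00", "critical_unpatched": 0},
    "ENG-03": {"role": "engineering-ws", "software": {"ide": "7.4"},
               "last_seen": "2021-11-02T06:00", "critical_unpatched": 3},
}

def diff_inventory(baseline, current):
    """Controls 1-3: compare hardware and software inventories against the approved baseline."""
    changes = {"new_assets": [], "missing_assets": [], "software_changes": []}
    for host in sorted(set(baseline) | set(current)):
        if host not in baseline:
            changes["new_assets"].append(host)      # unapproved device appeared on the network
            continue
        if host not in current:
            changes["missing_assets"].append(host)  # device disappeared from the inventory
            continue
        old, new = baseline[host]["software"], current[host]["software"]
        for pkg in sorted(set(old) | set(new)):     # version drift, new or removed software
            if old.get(pkg) != new.get(pkg):
                changes["software_changes"].append((host, pkg, old.get(pkg), new.get(pkg)))
    return changes

def program_metrics(current, now_iso, silent_hours=24):
    """Step-four metrics: critical unpatched systems and devices that stopped communicating."""
    now = datetime.fromisoformat(now_iso)
    unpatched = sorted(h for h, a in current.items() if a["critical_unpatched"] > 0)
    silent = sorted(h for h, a in current.items()
                    if now - datetime.fromisoformat(a["last_seen"]) > timedelta(hours=silent_hours))
    return {"critical_unpatched_systems": unpatched, "not_communicating": silent}

if __name__ == "__main__":
    print(diff_inventory(BASELINE, CURRENT))
    print(program_metrics(CURRENT, "2021-11-02T08:00"))
```

Each entry in the returned lists is a concrete item for the daily or weekly baseline review the article asks about, rather than an aggregate count alone.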

Cultivating executive support

The connection between safety mitigation and cybersecurity can help position a cyber program with senior management and the board.

For oil and gas companies, an important concept to consider is that the safety of employees and the environment depends upon the strength of that organisation’s cybersecurity. Much of the success that the oil and gas sector has had in mitigating the risks of working with a combustible element in a dangerous environment has been by implementing stringent health, safety and environment (HSE) procedures that track incidents and near misses, not just injuries and fatalities.

HSE best practices can be closely aligned to a cyber program. An OT cyber incident is not just a business issue. Rather, it is a safety issue, as recently demonstrated by hacks into OT systems in several different industries.

Framing the discussion as cyber safety and bringing the discipline of a safety program to the table as a means to mitigate risk has been an effective way for executives to understand the risks and the investments that are required to ensure the safety and operational integrity of an asset base.

Conclusion

Reducing a company’s cyber risk is not a one-time event or CAPEX. Instead, it is a journey that requires constant attention, just as with safety considerations. Whilst it is a large challenge, it can be managed just as any other risk to a business. When broken down into achievable goals, companies can avoid downtime and substantially reduce the risk of unpleasant surprises.

A company’s cybersecurity journey can commence simply by adding the topic of cyber safety into the conversation during internal meetings, in order to begin creating a culture of cybersecurity awareness, just as the industry did with safety.
