Six reasons oil and gas organizations need to implement an industrial cybersecurity program  

Oil and gas companies must focus on building robust industrial cybersecurity programs to prevent and respond to the next attack. Over the course of the last year, a surge of unprecedented attacks has made cybersecurity top of mind for industrial organizations around the world. This is particularly true in critical infrastructure sectors such as oil and gas.

Previously, cyber criminals concentrated their efforts on infiltrating the information technology (IT) networks that run business systems. However, they are now looking to disrupt the operational technology (OT) networks that control industrial operations. Threat actors have moved beyond stealing valuable data, to gaining control over entire market ecosystems.

The recent Colonial Pipeline incident demonstrates how hackers can wreak havoc when organizations assume IT threats will not impact OT. This ransomware attack was the strategic result of a password breach, which snowballed until OT operations were completely shut down. The consequence was a shortage of gasoline along the East Coast, pushing gas prices to their highest level in six years.

These dangerous breaches and the correlating ramifications are just the beginning. In December 2021, a detrimental cyber risk was identified in a widely used software called Java Log4j. Rated a ten-out-of-ten on the vulnerability scale by the Cybersecurity and Infrastructure Security Agency (CISA), this threat has been labeled as one of the worst in history, with experts stating that organizations’ IT and OT networks worldwide are now at risk until further notice.

This breach, as well as the Colonial Pipeline shutdown, is not only a wake-up call for organizations, but for cyber criminals as well. Their impact on the nation’s supply chain and economy has confirmed that the oil and gas industry is a vulnerable and valuable target. Organizations must act now and prioritize the implementation of an industrial cybersecurity program to protect their operations, the environment, and the community.

What makes oil and gas companies vulnerable to attacks?
There are several reasons oil and gas organizations are vulnerable to attacks, with the most critical being:

1.  Lack of cybersecurity controls. The oil and gas industry does not have standard OT cybersecurity strategies and regulations, which has led to disparate and often inadequate security practices. Control systems run non-stop, day-in-and-day-out, leaving limited downtime for upgrades and updates, resulting in unpatched and inherently vulnerable OT systems.

Complicating matters even further is the fact that OT support in the oil and gas sector is inconsistent. Frequently, OT support relies on either IT teams who lack experience in OT cyber, or operations teams who are at a disadvantage because they do not understand cybersecurity principles. Contrary to what many organizational leaders believe, IT solutions cannot simply be applied to OT systems because they do not translate. OT systems need specialized cybersecurity solutions and dedicated staff with OT expertise.

2.  Remote capabilities are open to attacks. Today, many oil and gas organizations have dispersed assets and are heavily dependent on remote monitoring for management. While this connectivity offers many competitive advantages, it also creates vulnerabilities. Increased remote control over operations means more connection points for threat actors to break down organizational defenses and take control.

3.  Growing operations are driving the expansion of attack surfaces. As oil and gas organizations expand their operations, the ways in which cyber threats can penetrate systems, also known as ‘attack surfaces,’ are growing. Attackers are now trained to look for the cracks in these attack surfaces and exploit them.

4.  Modern technologies pose new cyber risks. Digitalization, data analytics, and automation are all competitive advantages. However, they pose new cyber risks. Many industrial environments are comprised of legacy systems that can be anywhere from ten-to-30 years old. These systems, given their age, were built for longevity, and not initially designed to be connected to wide area networks (WANs) or other modern technologies. These factors make them inherently vulnerable to attacks.

Cybersecurity privacy of data protection, businessman using laptop Secure encryption technology, security Internet access, security encryption of user private data, business confidentiality.

The combination of digitalization and an expanded attack surface creates additional challenges in managing cyber risk. When organizations centralize control and increase automation, analytics, and data to gain a competitive advantage, the financial aspects often take priority, leaving OT cybersecurity tacked on as an afterthought. While high dependency on digitalization is only going to increase as it creates efficiencies, it also increases risk.

5.  Attackers want more than data — they want physical control. Cyber attackers no longer just want to steal and manipulate data — they want direct control over the operations in physical environments where they can have the most impact. Attacks can now damage critical infrastructure, grind operations to a halt, and ultimately threaten national security by crippling essential industries like oil and gas. Something as simple as a password breach can disrupt the economy on a national scale and cause a ripple effect in adjacent industries.

6.  Attackers are forming businesses. Although there are many distinct types of cyber attackers with different motivations, they all have started to form businesses around hacking. Their common thread is targeting industrial sectors like oil and gas, where they can have the biggest impact, disrupt business operations, and make the most money.

Components of a sound OT cyber program
Many organizations are unsure of where to begin when building out an OT cybersecurity program. The answer? Start at the beginning. OT environments are best protected when OT systems and networks are identified, so that any update, upgrade, or renovation must have cybersecurity protocols built in from day one. All is not lost for organizations that need to update security protocols within their existing facilities; they just need to do a little more legwork. That means hiring an experienced team specialized in OT security who can:

1. Create a comprehensive asset inventory. Shockingly few organizations have visibility into the composition of their OT network—and you can’t protect what you can’t see. Auditing the network to identify every device (connected or not) is the best way to build a cybersecurity plan that accounts for every possible point of attack.

2. Map those assets. Knowing what’s there is just the first step. Facility operators should also understand how each asset interacts with the rest of the network. Even assets that are updated via supplier USB drives or vendor maintenance should be noted, as those points of connection can still pose risks.

3. Evaluate vendors and suppliers. Your OT environment could be the most secure and tightly controlled in the world, but one supplier that’s unprotected can open you up to potential threats.

4. Implement monitoring processes. Once a company has visibility into these areas, it can track changes and monitor for abnormalities. Identifying OT attacks as the work of bad actors can be difficult as they often appear as malfunctions. Tracking all activity is crucial to identifying breaches and addressing them before hackers use their access to wreak havoc.

5. Develop a response plan. Despite the risks, many operators believe that a breach won’t happen to them—and they don’t know how best to respond when it eventually does. All OT environments should have pre-developed response plans that account for attacks that harm employees, are executed for ransom, or result in downtime.

Make OT cybersecurity a priority
Organizations must be proactive when it comes to securing their OT systems and understand that it is not enough to patch the vulnerability that led to the last high-profile attack. Since attackers are highly adaptable and constantly evolving, oil and gas companies must focus on building robust industrial cybersecurity programs to prevent and respond to the next attack. It is vital to prepare for when, not if an attack occurs.

The most successful organizations will work to develop a framework to identify potential weaknesses, protect against attacks, detect attacks when they occur, respond quickly, and recover effectively. Taking a proactive approach will make an organization resilient to future attempts and give peace of mind in a quickly changing environment.

For a list of the sources used in this article, please contact the editor.

Keon McEwen
Keon McEwen is Global Lead of the Industrial Security Operations Center (ISOC) at ABS Group. With over eight years of experience in OT technologies, his expertise includes cybersecurity, control systems, automation and data. He has a strong knowledge in OT/ICS systems and related compliance requirements including NIST, IMO, ISO and NERC CIP. As the ISOC Global Lead, Keon collaborates with clients and team leaders to manage threat alerts throughout the ISOC client’s environments.