The State of Cybersecurity in Today’s Oil, Gas Industry
Karen Boma
The convergence of digital technology with existing supervisory control and data acquisition (SCADA) infrastructure has increased the oil and gas industry’s risk to cyberattacks, industry insiders say.
Oil and gas companies are lucrative targets for cyberattackers motivated to perform industrial espionage, steal intellectual property or cause critical infrastructure disruptions, Todd O’Boyle, co-founder and chief technology officer of Percipient Networks, told Rigzone. Attacks are typically part of an ongoing attempt by individuals and interest groups worldwide – in some cases, government agencies and nation-states – to disrupt the oil and gas market and damage the financial standing of these companies, said Jessica Cooper, lead marketing manager for Check Point Software.
The oil and gas industry not only faces cyberthreats that are commercial in nature, but cyberthreats from activists such as environmental groups. These threats, if successful, “could have severe threats not just on the industry but also on the environment, public health and safety and even national security,” according to March 2016 report by The Boston Consulting Group.
The oil and gas industry’s value chain not only offers many potential points for entry of attack, but leaves the industry vulnerable to multiple types of attacks. The Boston Consulting Group found that upstream data was the most vulnerable to cyberattacks. This is due to data often being transmitted from old or unsecured equipment and without standard protocols or security precautions.
While malware has been a common tactic used by cyberattackers, the types of threats continue to grow, such as ransomware. Malware has posed a threat to small and mid-size oil and gas companies that don’t have the skills or budget to deploy complex solutions to protect prime targets, O’Boyle said. The number of phishing attacks against industries, including oil and gas, is also growing. Between October 2015 and March 2016, the number of attacks grew by 250 percent, Eyal Benishti, founder and CEO of Ironscales, said. If successfully completed, these attacks can cost a company up to $4 million.
O’Boyle quoted a recent report by ICS-CERT that found, of the 295 breaches reported in 2015, 98 percent could have been prevented if certain basic security protocols had been in place.
“Small and midsize oil and gas companies, who previously were unable to implement proper protections based on budget or deployment complexities, now have resources to draw on to help educate and protect their operations,” O’Boyle commented.
The primary challenge that oil and gas companies face in preventing and mitigating cyberattacks is the convergence of the informational technology (IT) and operational technology (OT) environments, said Cooper. Oil and gas critical infrastructure is increasingly fusing these two different technologies together using open IT protocols: OT with SCADA and enterprise IT systems, Cooper explained.
“The problem is that SCADA environments in OT are running legacy systems that often go unpatched, making them extremely vulnerable to external cyberattacks,” Cooper stated. “The second problem is that there is an increase in connecting these OT environments to the external Internet, which is even worse. The solution lies in technology that can protect, monitor and manage this convergence, thereby keeping the OT environment safe against attack.”
Greater flexibility in the control and monitoring of infrastructure systems is behind the recent push to enable digital technology, said Christopher Walcutt, business development principal with Black & Veatch’s Security, Risk & Resilience. However, this move is a double-edged sword.
“Until recently, hackers have predominantly limited their actions against industrial control systems to probing and data collection,” Walcutt explained. “Sooner or later, they will want to use the information they have collected in more destructive ways.”
For critical infrastructure, particularly oil and gas, the most important step in protecting critical operational assets is to understand the very real threat that operational technology networks actually face, Cooper stated.
“Whatever the reasons, oil and gas environments are lucrative targets and sophisticated cyberattacks can cause serious economic and physical damage,” Cooper said.
Walcutt said Black & Veatch sees the bulk electric system, technologies with available intellectual property, and water utilities are larger targets. However, these subsectors and oil and gas all rely on the same basic technology.
“SCADA is SCADA, whether it’s running an oil rig, a water treatment plant or a recloser at a substation,” Walcutt explained. “Fundamentally, ICS [industrial control networks] are vulnerable to things that other, more advanced computer systems aren’t, because they haven’t had the time to mature the integrated security controls. Many ICS networks still rely on a ‘security wrapper’ to protect them.”
Digitization, Social Media Playing Role in Cyberrisks
Not only is the rapid adoption of new digital technology impacting the strategies that oil and gas companies should use against cyberattacks. The prevalence of social media also is playing a role.
Job Opportunities Exist for Cybersecurity Experts
The U.S. cybersecurity sector is generating new job opportunities due to a lack of qualified workers and a barrier to entry that requires technical acumen and cross-platform technology understanding not typically required by other sectors.
This shortage of cybersecurity experts will also be felt in the oil and gas industry as the use of emerging digital technologies raises concerns about cyberthreats against the oil and gas industry.
”It’s not really possible to take a freshly certified security employee with little experience and plug them directly into these complex environments,” Christopher Walcutt, business development principal with Black & Veatch’s Security, Risk & Resilience, explained about the need for training programs.
Walcutt said that Black & Veatch is seeing some trends towards educating experienced staff in cyber defense alongside the tech-savvy new hires who lack industry experience.
“This may not make sense to some, but energy companies tend to be funded by investors, and cyber strategy must take into account the risk of reputational loss, which can impact stock value and private equity availability similarly,” Walcutt said. Oil and gas companies in particular are seeing new technology push further into the field than has happened previously. This requires the ability to detect threats and react more quickly than in the past, “where the keys to the kingdom lived in a control facility somewhere.”
Another factor increasing the oil and gas industry’s exposure to cyberthreats is the move towards centralized data collection for business intelligence analysis, Walcutt stated.
“There is a growing overall fleet management mentality that requires pulling data back to a central location from the very edge of the network,” Walcutt commented. “Anytime centralized data collection takes place, there is a very real threat of network penetration and compromise from the outside. The defensive strategy in this space relies heavily on vendor partnerships because the most common technical vulnerabilities come in the form of an exploitable hardware or software bug from a vendor.”
“Oil and gas companies need to recognize this and create strong partnerships with their suppliers revolving around timely information sharing and remediation of identified exploits,” Walcutt commented. “Once a patch has been released to remediate that vulnerability, the energy company must have a robust testing and implementation program to push the patch into the field. This has been an area where ICS owners have traditionally struggled due to a lack of automation capability.”
As far as basic strategy for preventing cyberattacks or mitigating their impact, Farrell said there isn’t a lot of difference between upstream and midstream and midstream and downstream companies. But business rules – either business practices or rules coded in a system, such as a worker’s access to certain systems – can be of the problems that oil and gas companies face, said Alyssa Farrell, industry consultant with SAS global industry practice.
“While it’s important to maintain software patches and all the right types of good processes around the security mentioned before, it’s what you don’t know that can hurt you the most,” Farrell explained. The unknowns are resulting from the evolution of a company networks as new mergers, lines of businesses, and partnerships form. Increasingly, these IT partnerships are being formed by the line of business, and not by the IT organizations.
The key is to establish a mechanism by which a company monitors and analyze the information in network beyond the business rules as they are known, Farrell commented. Adding behavioral analytic capabilities are needed to complement these rules provides additional capabilities to understand anomalous behavior.While evolution is hard to predict, Farrell sees significant potential for cyberattackers to imbed malware on the manufactured systems coming into the oil and gas environment via supply chain. One strategy that other industries have used to address this issue is better alignment of incentives within a company so cyberattacks are viewed as an enterprise threat.
The reality of the situation is that “the basics are still not being covered in most organizations,” said Mark D. Combs, chief information officer for Steptoe & Johnsons PLLC.
石油圈
