When a cyber-attack hit computer communications at four of the nation’s biggest natural gas pipeline companies earlier this year, the potential for future data breaches couldn’t be ignored. According to Deloitte, the crude oil and natural gas industries are in the crosshairs of hackers in a big way and have been for many years as more operations go digital.
According to the Ponemon Institute, just two years ago, the energy industry was named as the second most at-risk for cyber-attacks and more than three-quarters of companies in the sector had reported at least one incident, enough to trigger an alarm.
“Recognizing the role in oil and gas as critical infrastructure requires understanding good cybersecurity as a way of life rather than just one of defense or economic costs balancing,” said Dave Weitzel, compliance officer at MITRE, a non-profit organization that operates government-sponsored research and development centers. Weitzel works as the standards and policy principal for the national cybersecurity federally-funded research and development center that MITRE operates with the National Institute of Standards and Technology (NIST). As such, he spends much of his time thinking about the impact of IT on some of the country’s most important industries.
His work with NIST on the impact of cybersecurity risks for the oil and gas industry has been challenging in recent years. “The threats are real,” Weitzel said. “Companies should especially pay attention to cybersecurity risks that may arrive via supply chain partners. They should address these risks as part of their corporate cybersecurity strategy.”
He said that cybersecurity must be a part of overall corporate risk management. “With the looming prospects of Internet of Things, the cloud and their related cybersecurity issues,” Weitzel said, “the industry must prepare for risk vectors that haven’t been seen before. Done right, the risks should begin to be addressed now and mitigated where possible as part of a thoughtful corporate risk management process. Cloud technologies will also continue to include security features that will actually help with cybersecurity for smart cloud consumers.”
Digital Data and the Challenges of OT Networks
Phil Neray, vice president of industrial cybersecurity at CyberX, a security firm in Boston, said, “In the past, it was assumed that [operational technology] networks were air-gapped or isolated from corporate IT networks – and therefore protected from cyberattacks – but this is no longer the case.” As more companies are sharing digital data among employees around the world, often in far-reaching geographies, new solutions need to take potential new threats into account.
He attributes the higher risk for cyber-attacks in the oil and gas industry to trends in digitization and IoT specifically. “To reduce costs and optimize operations,” Neray said, “oil and gas companies are deploying more and more IoT sensors so they can closely track flows and data related to production operations. This has resulted in increased connectivity between IT and OT networks, which has increased the attack surface and hence the risk.”
As more people in the industry become aware of threats such as the WannaCry malware, which was launched by North Korea, and NotPetya, which came from Russia, it’s more likely companies will need to consider taking more precautions to prevent breaches before they happen. Otherwise, Neray said, “These attacks can lead to costly production downtime, catastrophic safety failures, environmental damage and theft of corporate IP.”
The risks to the oil and gas industry have also increased because many OT networks and industrial control system (ICS) devices were designed decades ago, “lacking,” Neray said, “even basic protections such as passwords and network segmentation.”
International Threats Are Becoming More Sophisticated
As recent cyber-attacks have demonstrated that traditional firewalls are no longer sufficient to protect against sophisticated nation-state adversaries and cyber-criminals, the industry is working on finding stronger and ultimately more effective solutions. One of the biggest efforts comes in analyzing the relationship between cyber-attacks and terrorism.
For example, in August 2017, a petrochemical facility in Saudi Arabia was struck with a sophisticated cyberattack that compromised the plant’s safety systems. “Experts believe that Iran was behind the attack,” said Neray, “perhaps with assistance from Russia or North Korea.”
The issue goes well beyond the IT realm into international relations. The fear is that, because many energy executives may falsely believe that the Defense Department or Homeland Security is actually defending them against such attacks, the threats could actually accelerate in the coming months and years.
“It is becoming more important to strengthen security with defensive solutions such as OT-aware asset discovery, vulnerability management, automated threat modeling and continuous real-time monitoring with behavioral anomaly detection,” Neray said.
New York-based ABI Research anticipates that the oil and gas industry will spend as much as $1.87 billion on cybersecurity this year alone. “The lack of appropriate security has already allowed a number of destructive cyber-attacks to lay waste to some of the most high-profile companies in the industry,” said Michela Menting, a senior cybersecurity analyst at ABI.
She added that while oil and gas companies have been the target of cyber-attacks since at least 2009, much more needs to be done now to keep up with the industry-specific threats that could result in everything from potential plant shutdowns and diminished product quality to undetected spills, equipment damage and service interruptions.
Neray said, “One of the biggest issues facing the industry is the shortage of qualified OT security personnel. This increases the need for more automation and broader use of machine learning to address incident response in a more efficient manner.” As a result, he explained, integration between OT security platforms and existing security operations center tools like security information and event management, firewalls and ticketing systems is also becoming a requirement.
What’s Really at Stake?
Leidos, a provider of security solutions for defense and civil markets in Reston, Virginia, has been working on new ways to defend against more sophisticated threats to oil and gas investments worldwide. A few of the most significant threats the company has zeroed in on include:
Slow to patch: The oil and gas industry focuses on pulling product out of the ground, and then refining it. Applying patches to production systems not only distracts focus, but it also puts the process at risk should anything go wrong. This risk has caused the industry to delay patching its computing ICS infrastructure, which means that it is vulnerable to more attacks than a more traditional enterprise IT environment.
Laziness: Workers may set up rogue wireless access points and tape passwords to keyboards simply due to convenience.
Lagging systems: System design decisions are only now beginning to consider security.
Complacency: Some in the industry don’t see themselves falling prey to a cybersecurity attack.
Not knowing where to start: Companies may not know which risk areas to address first or what the industry best practices are.