Danielle Jablanski on harnessing knowledge and ensuring visibility in the oil & gas sector
Industrial organisations are increasingly targeted by threat actors, due to their unpreparedness to tolerate even minor levels of unplanned downtime. Threat actors perceive them as more likely to pay ransomware demands to restore data and systems availability, and operational capacity.
As the adoption of new technologies by critical infrastructure sectors and industries continues to outpace cybersecurity and risk mitigation concerns cyber criminals increasingly have more access points for infiltration. Limited resources, lack of technical competency, talent and expertise constraints, and siloed communications also prevent rapid adoption of robust and resilient security capabilities. These compounding concerns lay the path for threat actors to invade the environment.
Back in February 2022, when the tension was heating up between Ukraine and Russia and the concerns over rising energy prices grew, multiple oil transport and storage companies across Europe were dealing with cyber-attacks. With IT systems at Oiltanking in Germany, SEA-Invest in Belgium and Evos in the Netherlands severely disrupted due to a co-ordinated ransomware attack, Europe felt a renewed sense of the severity and consequences of the lack of cybersecurity across critical infrastructure.
As cyber threat actors continue to probe industrial networks, particularly targeting the energy sector, some are looking to monitor and manipulate assets, devices, and networks. Beyond the IT examples above, organisations must realise that they are behind the curve in introducing and operationalising cybersecurity for operational technology (OT) and industrial control systems (ICS) networks as well, and need to rapidly adapt and protect themselves.
The cyber security issues in energy sector mainly lie in prescriptive recommendations that often overlook the realities of asset ownership, operation, transfer and custody. Depending on the source and year of analysis, reportedly nearly half of industrial cyber incidents go undetected. With owners and operators increasingly utilising and contracting third party equipment and technologies and integrators, a web of connected machines and devices are operating without full access to secure the data at rest and in transit between them.
The underlying security issues in mission-critical OT & ICS systems
The evolution of operational technology (OT) and industrial control systems (ICS) in oil and gas operations began with on premises connectivity between systems, connection of multiple sites and often remote locations, expansion of supervisory control and data acquisition (SCADA) architectures and increasing adoption of cloud technologies.
In the days before built-in, automated, and real-time visibility, operators would troubleshoot manually by reviewing point in time metrics of volume research with meter and transmitter calibrations. They would look at the way the code was written, review data sent from the flow computers to the control system, to correlate with the data historian, accounting software, and the product marketing system.
Nowadays, with the energy industry adopting new technologies and industry 4.0 initiatives pushing for optimised operations and enhanced resource allocation and efficiency, asset owners sometimes lack insight into their OT or ICS internet and remote access connectivity. They therefore struggle to detect unauthorised changes, face a mounting chain of custody and supply chain demands and are left at risk for remote access and control of assets. The outcomes can be unsafe operating conditions, manipulated products, equipment damage, and/or even unintended shut down.
As an example, pipelines, pumping stations and remote production wells in often remote geographic locations deploy some type of SCADA technology, potentially from a third-party provider. Despite the benefit of cost savings and outsourcing of SCADA expertise, the owners and operators of the SCADA system may not consider the cybersecurity of industrial components, the integrity of OT and ICS data, operational impacts, and cybersecurity best practices.
The pipeline operation may not have any way of recognising equipment failure for nodes attached to and communicating with the SCADA system. The organisation is in the dark in terms of detecting and monitoring new connections and tie-ins. The asset owners then ultimately cannot diagnose network performance issues, potential malware introduced and present on the industrial network, or potential equipment failure or damage.
Ensuring visibility in critical networks & environments
Past cyber-attacks such as the Colonial Pipeline incident showcase that companies must have an “assume breach mentality”. The focus for security products must be on reducing the severity of potential impacts. Although the energy industry cannot be blamed for adopting new technologies and sometimes falling behind on cybersecurity initiatives, asset owners must strongly consider implementing customised detections and prevention methods for the protection of their operations and supply chains.
Given the current cybersecurity landscape, the implementation of security solutions that can help energy sector to distinguish between malicious and benign behaviours and anomalies is crucial. This capability is necessary for root cause analysis to determine what is causing an issue: either a cyber threat actor campaign, equipment malfunction, misconfiguration, or ransomware situation.
Protecting mission-critical systems requires solutions that incorporate intrusion detection for network security monitoring and both network and process anomaly detection, to scan for known malicious threats on communications network, investigate assets for deeper pattern analysis, due diligence, and quality control and to build custom alerts based on process variables.
As security is a by-product of operations, the benefit of this dual efficiency allows for increased understanding of asset behaviour, customisable process variable detections, and plausibility checks for real-world outcomes, to augment threat intelligence and overall security postures.
Understanding and baselining both network communications and operational processes is vital to ensure visibility across:
Inventory: automate asset understanding of digital components, devices, and cyber-physical systems and infrastructure
Integrity: of data at rest, in transit, in use, and in view of operators for security and purpose-built operations
Impact: proactive assessments of risks, malfunction, and misconfiguration before an incident occurs
Implementation: automate required mechanisms to capture interdependent data and communications once statically logged and reviewed
Companies must become more efficient at asset intelligence, customisable process variable detections, and plausibility checks for real-world outcomes. The more capable implemented security solutions are at augmenting threat intelligence and overall security postures, the more secure operations will be. Additionally, it is more efficient to spend resources on scalable customisation rather than incident response capabilities alone for cyber scenarios where impacts can be limited by building in intuition and bolstering situational awareness.
Danielle Jablanski is OT cybersecurity strategist at Nozomi Networks