Glenn Warwick on building cyber resilience in an interconnected world
The oil and gas industry is one of the largest sectors in the world in terms of economic value. As a global powerhouse whose output enables operations in other key sectors, oil and natural gas (ONG) is critically important to industry and wider society.
For this reason, ONG is also a primary target for cyber attacks. Threats against UK energy companies and other critical national infrastructure (CNI) have risen since the start of the Russia-Ukraine war, while determined, highly resourced criminal groups continue to play the long game by probing for small holes and hidden vulnerabilities in even the most “secure” networks.
These security challenges are only heightened by the growing digitalisation and global interconnectivity of systems. With increasingly complex technology and networking infrastructures now forming the backbone of oil and gas organisations, new risks are being introduced that make both information technology (IT) and operational technology (OT) systems more susceptible to a concerted cyber attack.
Fortunately, progress has been made since the introduction of the NIS regulations, and the sector is in a stronger position to defend itself against attacks than before. But with any security risk having the potential to cause significant damage and destruction to daily life, organisations must be diligent in implementing threat intelligence and appropriate detection and response – all the while keeping sight of the basics.
Evolving threats facing oil & gas
Cyber threats against critical infrastructure continue to rise in scale, scope, and sophistication. Escalating geopolitical tensions are a clear catalyst: recent Bridewell research found that in the wake of the Russia-Ukraine war, over three-quarters (78%) of cyber security decision makers across CNI are currently worried about cyber warfare. For the ONG industry, recent sanctions against Russia are making the prospect of retaliatory cyber activity against UK organisations increasingly likely, with the ongoing energy crisis adding to a general sense of nervousness and concern.
But the influencing factors behind the heightened ONG threat landscape go far beyond the current conflict in Ukraine. Between 2018 and 2021, for example, ransomware and extortion attacks against industrial organisations increased by over 500%, with 5% of these attacks impacting ONG. In fact, a sizeable majority of publicly reported incidents targeting ONG in the last couple of years are due to ransomware – owing to its prevalence on the threat landscape, its low barrier to entry, and the ease of conducting mass targeting campaigns.
Recently, one of the largest oil corporations in India, Oil India Limited, was targeted by a sophisticated ransomware attack, with hackers infecting one of the headquarters with malware before demanding a US$7,500,000 ransom. When considered alongside last year’s Colonial Pipeline ransomware attack in the USA – where the industrial control system (ICS) network was taken offline to protect it from an infection of IT systems, causing disruption to the entire East Coast gas supply – it becomes increasingly likely that breaches are breeding other hacking efforts on ONG organisations. This is a ripple effect that UK businesses cannot afford to ignore.
Connectivity: a delicate balancing act
The increase in remote connectivity since the pandemic is another emerging area of concern, highlighting the need for ONG operators to take steps to prepare for and manage greater digital interconnectivity. Traditionally, CNI facilities have been isolated islands with analogue-based connections to provide monitoring and basic control. But as systems become more connected, and IT and OT boundaries continue to blur, previously air-gapped SCADA infrastructure has given way to new working models that drive digital transformation and operational efficiency through greater connectivity.
For oil and gas, this is something of a double-edged sword. If companies lack connectivity in their environments, applying and updating security across assets is a costly, time-consuming challenge. However, by introducing digital interconnectivity, organisations also introduce new ingress points for cyber security threats. As physical boundaries disappear, new risks and holes emerge where previously walls existed.
Although organisations across CNI have made great progress in closing the security gaps and weaknesses that would have previously made them easy targets, the challenges are ongoing. Large nation-state groups can, and will, invest heavily in finding the less obvious vulnerabilities in an organisation’s security posture, exploiting them to inflict significant damage. Therefore, as greater connectivity comes with greater risk, ONG companies must implement more robust security controls to combat these evolving threats.
Detect, respond, recover
It is imperative that companies do everything they can to protect their environments and prevent cyber threats breaching the confidentiality, integrity, and availability of data. However, the fact remains that organisations can only truly protect what is in their direct control. It is unrealistic to expect to combat every threat, particularly at the hands of a highly capable, motivated and resourced adversary.
Many attack tools rely upon exploiting a weakness or gap. The only way to remove the threat altogether is to plug every gap and eradicate all vulnerabilities. In a complex and interconnected environment, this is almost impossible to achieve. ONG operators can often, however, reduce the impact of threats using what is within their control – their organisation’s response and recovery capability.
The first step is to build a strong understanding of the specific risks. This should both incorporate and build on existing tools like the NCSC Cyber Assessment Framework, as each individual organisation needs to identify the risks they face, the security controls that best fit their objectives, and the outcomes they must achieve.
However, it takes more than just deploying controls to build and maintain a strong security posture. Organisations must ensure that these controls are properly managed, optimised, and continually improved, otherwise they will be quickly outpaced by ever-evolving cyber threats. Furthermore, to minimise the impact of these inevitable threats, companies must prioritise the development of their detect, respond, and recover capabilities.
There are multiple opportunities within the kill chain to detect malicious activity and subsequently evict the attacker from the environment. For example, organisations can take back control from ransomware criminals if they have the capability to swiftly restore systems infected with the malware to their state prior to the breach, meaning there is no need to pay a ransom to recover the files. The ability to detect, respond to, and recover from an attack is essential for ONG companies. It enables them to identify an attack at the earliest opportunity, adapt controls to defend against the threat, and quickly restore systems to their previously healthy state once the immediate threat has been neutralised.
It is equally important for ONG to remain diligent in applying strong basic or mid-level cyber security hygiene. Organisations need to both obtain and maintain visibility of potential cyber threats across the estate through the implementation of non-intrusive network-based detection mechanisms that support asset management, vulnerability management, and threat detection.
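As an added illustration of the non-intrusive, network-based detection the paragraph above describes (this is example code written for this article, not a Bridewell tool or any vendor's product), the block below builds an asset inventory purely from flow records a passive sensor would observe, then flags any asset absent from a known-good baseline and any baselined asset speaking a protocol it is not expected to. The flow records, IP addresses, baseline and field layout are all constructed assumptions; a real deployment would feed it from a SPAN port or network TAP so that OT devices are never probed directly.

```python
"""Passive, network-based asset inventory and anomaly flagging (added example).

Derives an asset inventory from observed flow records, with no active scanning
of the OT estate, and flags assets or protocol use that fall outside a
known-good baseline. All IPs, flows and the baseline are constructed for the
example; the record layout and baseline format are assumptions, not any
vendor's or Bridewell's format.
"""
from dataclasses import dataclass, field

# Constructed flow records: (timestamp, source, destination, destination port, protocol label).
# In practice these come from a passive sensor (SPAN/TAP) rather than from probing devices.
SAMPLE_FLOWS = [
    ("2024-05-01T08:00:00", "10.10.1.20", "10.10.1.5", 502, "modbus"),   # HMI polls PLC-A
    ("2024-05-01T08:00:05", "10.10.1.20", "10.10.1.6", 502, "modbus"),   # HMI polls PLC-B
    ("2024-05-01T08:01:00", "10.10.2.50", "10.10.1.20", 443, "https"),   # engineering workstation to HMI
    ("2024-05-01T08:03:00", "10.10.1.99", "10.10.1.5", 502, "modbus"),   # host not in baseline polls PLC-A
    ("2024-05-01T08:04:00", "10.10.1.5", "203.0.113.7", 443, "https"),   # PLC-A opens HTTPS to an external address
]

# Known-good baseline (constructed): asset -> protocols it is expected to speak.
BASELINE = {
    "10.10.1.5": {"modbus"},            # PLC-A
    "10.10.1.6": {"modbus"},            # PLC-B
    "10.10.1.20": {"modbus", "https"},  # HMI
    "10.10.2.50": {"https"},            # engineering workstation
}


@dataclass
class Asset:
    """What passive observation alone can tell us about one endpoint."""
    first_seen: str
    last_seen: str
    protocols: set = field(default_factory=set)
    peers: set = field(default_factory=set)


def build_inventory(flows):
    """Derive an asset inventory purely from the traffic each endpoint was seen in."""
    inventory = {}
    for ts, src, dst, _port, proto in flows:
        # Both ends of a flow are assets; record the protocol and the peer for each.
        for ip, peer in ((src, dst), (dst, src)):
            asset = inventory.get(ip)
            if asset is None:
                asset = inventory[ip] = Asset(first_seen=ts, last_seen=ts)
            asset.last_seen = max(asset.last_seen, ts)  # ISO-8601 timestamps sort chronologically
            asset.protocols.add(proto)
            asset.peers.add(peer)
    return inventory


def find_anomalies(inventory, baseline):
    """Flag assets missing from the baseline, and baselined assets using unexpected protocols."""
    findings = []
    for ip, asset in inventory.items():
        expected = baseline.get(ip)
        if expected is None:
            # An endpoint nobody registered: a new device, a misconfiguration, or an intruder.
            findings.append((ip, f"unknown asset (protocols: {', '.join(sorted(asset.protocols))})"))
            continue
        for proto in sorted(asset.protocols - expected):
            # A known device behaving outside its expected role, e.g. a PLC opening HTTPS outbound.
            findings.append((ip, f"unexpected protocol: {proto}"))
    return sorted(findings)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOWS)
    print(f"{len(inv)} assets observed")
    for ip, reason in find_anomalies(inv, BASELINE):
        print(f"{ip:15} {reason}")
```

Run against the constructed flows, the inventory holds six assets and three findings are raised: the PLC at 10.10.1.5 speaking HTTPS, and two endpoints (10.10.1.99 and 203.0.113.7) that appear in traffic but not in the baseline. The same inventory doubles as the asset-management and vulnerability-management input the paragraph mentions, because each record carries the protocols and peers a device actually uses rather than what a spreadsheet says it should.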
Securing the benefits of interconnectivity
Although interconnectivity brings clear risks, it also provides ONG with significant far-reaching business and security benefits. Digital connectivity enables organisations to deploy more sophisticated cyber security controls to protect not only against remote threats but also local threats, including malware on portable computers or USB drives. This was previously difficult to achieve in isolated silos, so increased interconnectivity has allowed businesses to remotely manage the security of their facilities with far greater confidence.
Connectivity also helps organisations keep the security of their systems up to date. Through centralised management of assets and more holistic approaches to security, such as threat intelligence and detection and response, ONG can capitalise on connectivity to proactively strengthen its cyber posture in the face of evolving risks.
With interconnectivity here to stay, it’s an exciting period of change for oil and gas companies. Facilities can now be optimised with greater data insights, more streamlined operations, and a newly agile and remote workforce. To reap these benefits, ONG companies must strengthen their cyber resilience in preparation for their shared connected future.
Glenn Warwick is principal cyber security consultant at Bridewell