When KPMG conducted its annual global CEO survey in 2019, CEOs in the oil and gas industries ranked cybersecurity as the biggest threat to organisational growth. Fifty-one percent believed it was inevitable that they would fall victim to a cyber-attack; however, 63 percent believed their organisations were prepared for this scenario.
In October 2020, KPMG flagged the sector as particularly vulnerable, indicating the industry faces a “unique set of cyber security challenges requiring specialist understanding.” These unique challenges include:
- Cybersecurity not being considered a core business function
- Lack of awareness on cyber threats
- New cyber risks introduced through remote working
- The need to update legacy systems
- A lack of proper training for response to attacks
But there is one key challenge absent from that list: the increasing connectedness of operational technology (OT) and information technology (IT) systems.
As oil and gas companies have undergone digital transformation in recent years to boost the efficiency of their refinery and pipeline operations, better control their facilities and monitor performance, interconnections between OT and IT systems have been widely implemented. The newly created pathways between IT and OT can cause a significant jump in cyber risk for a number of reasons.
High-risk connections
To start, these interconnections are often implemented without the necessary security protocols. OT and IT systems are fundamentally different, and therefore require fundamentally different security tools.
This is because OT networks run on proprietary protocols and contain a great deal of legacy equipment that is incompatible with the traditional security tools used in enterprise IT environments. The same tools that work well in IT are therefore not adequate for OT.
Consequently, when a company connects OT assets to its corporate IT network without appropriate security measures, it exposes itself to a potentially expanded attack surface. Threat actors lurking on the web are given numerous direct or indirect pathways into the OT network, and to the critical systems and physical processes it controls.
These problems are compounded by the fact that OT assets in the oil and gas industry are frequently spread across large geographical distances (sometimes multiple countries), and are typically sourced from different vendors, who each use different proprietary protocols.
These factors all make it challenging for oil and gas companies to identify and address potential cyber risks.
The world’s most murderous malware
Many of these shortcomings were evident in a cyber-attack that shut down a Middle Eastern petrochemical plant in 2017. Analysis of the attack showed that the plant’s systems had likely been compromised initially by a phishing attack three years earlier. The initial phishing attack had gone undetected, allowing attackers to inject the Triton malware into the plant’s system. This malware is specifically designed to disable safety instrumented systems, and has been called “the world’s most murderous malware.”
The hackers explored the network, found a way to gain access to its OT systems, discovered a vulnerability and eventually gained the ability to reprogram controls for the plant’s safety systems. This could have had very serious consequences, but their attempt to take control luckily triggered the safety systems, which shut down the plant.
The main lesson from this attack applies to all industrial organisations, including those in oil and gas: digital transformation expands an organisation’s attack surface, making it easier for threat actors to enter the network and gain control of OT assets. Without the correct security tools, organisations won’t be able to identify vulnerabilities or detect malicious activity.
Addressing these challenges through a comprehensive security approach
In order to address these security challenges, oil and gas companies need to take a comprehensive approach that addresses all the potential weaknesses across integrated IT and OT networks.
- Segmenting the network
The more devices that are connected to a corporate network, the more cyber risk increases. There have been several highly publicised instances where smart devices (that were unnecessarily connected to a corporate network) have enabled a cyber-attack. Take, for example, the casino hacked via a smart thermometer sitting in one of its aquariums.
Every connected device increases the attack surface for organisations, and therefore increases the threat of hackers gaining access to critical processes. Segmenting the network to ensure that only the necessary devices are connected is an important first step in securing industrial environments.
- Deep visibility and asset mapping
It’s impossible to protect what you can’t see, and that is especially true in the case of industrial security. In order to identify all the connected devices on a network at any given time, oil and gas companies require specialised security tools which provide deep visibility.
Companies should aim to create a map of their entire network, which pinpoints the location of all devices and enables them to identify any insecure or inconspicuous areas that could be used as an attack route.
- Establishing a baseline of normal behaviour
To understand which activity on the network is abnormal, companies must first understand what is normal. Automated security tools designed for OT environments can constantly monitor activity on the network over a long period of time, in order to establish a baseline of regular behaviour. Anything out of the ordinary can be automatically detected and addressed before it has the potential to cause damage.
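The three steps above (segmenting the network into zones, mapping which assets talk to which, and baselining that communication so new flows stand out) can be combined in one passive check. The following is an added example, not code from the original article or from any vendor's product; the zone addressing, the allowed zone pairs, the port numbers and the flow records are all constructed for illustration.

```python
import ipaddress

# Constructed zone map (hypothetical addressing, not from any real plant).
ZONES = {name: ipaddress.ip_network(net) for name, net in [
    ("corporate_it", "10.10.0.0/16"), ("dmz", "10.20.0.0/16"),
    ("control", "10.30.0.0/16"), ("safety", "10.40.0.0/16")]}
# Assumed segmentation policy: zone pairs that may talk directly.
ALLOWED_PATHS = {("corporate_it", "dmz"), ("dmz", "control"),
                 ("control", "control"), ("control", "safety"), ("safety", "safety")}

def zone_of(ip):
    """Map an address to its zone; unmapped hosts are reported as 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def learn_baseline(flows):
    """Learning phase: every (src, dst, port) seen during normal operation."""
    return {(src, dst, port) for src, dst, port in flows}

def analyse(flows, baseline):
    """Detection phase: flag flows missing from the baseline; escalate those that
    also cross a zone boundary the segmentation policy does not allow."""
    findings = []
    for src, dst, port in flows:
        if (src, dst, port) in baseline:
            continue
        path = (zone_of(src), zone_of(dst))
        reason = "new_flow" if path in ALLOWED_PATHS else "segmentation_violation"
        findings.append({"src": src, "dst": dst, "port": port,
                         "path": "->".join(path), "reason": reason})
    return findings

# Constructed learning-period flows: IT -> DMZ historian -> control PLCs (Modbus/502),
# and an engineering workstation -> safety controller (port 1502 assumed).
LEARNING_FLOWS = [("10.10.1.5", "10.20.1.10", 443), ("10.20.1.10", "10.30.1.20", 502),
                  ("10.30.1.20", "10.30.1.21", 502), ("10.30.1.50", "10.40.1.5", 1502)]
# Constructed detection window: one known flow, one new flow inside the control
# zone, and a corporate IT host reaching the safety controller directly.
DETECTION_FLOWS = [("10.20.1.10", "10.30.1.20", 502), ("10.30.1.50", "10.30.1.99", 44818),
                   ("10.10.1.5", "10.40.1.5", 1502)]

if __name__ == "__main__":
    for finding in analyse(DETECTION_FLOWS, learn_baseline(LEARNING_FLOWS)):
        print(finding)
```

A new flow inside an allowed zone pair is only a candidate for review, whereas a flow from the corporate IT zone straight to the safety zone is both unseen and forbidden by policy, which is the pathway the Triton case above illustrates.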
- Secure remote access is a must
In the oil and gas industry, some OT assets, such as those on offshore drilling rigs, will inevitably need to be accessed remotely. However, remote access also opens up a new realm of cyber risk.
In fact, Claroty found that 70 per cent of all industrial control system vulnerabilities disclosed during the first half of 2020 could be exploited remotely, underscoring the critical importance of properly securing all OT remote access connections.
Implementing technology that enforces secure remote access is essential to prevent unauthorised access by threat actors.
As organisations in the oil and gas sector continue to advance their digital transformation initiatives, their OT and IT environments will grow increasingly connected, and therefore the attack surface available to adversaries will continue to grow as well. It is critical for all industrial organisations, not just those in oil and gas, to have deep visibility into their entire network, in order to detect threat actors and quickly remediate any breaches.