Oil & gas cyber risk grows as IT-OT air gap closes
Oil & gas plants have increased their cyber risk profile as they modernise plants and close the ‘air gap’ between IT networks and operational technology (OT) networks. This is according to Phil Neray, VP of Industrial Cybersecurity at global security specialists CyberX, who notes that many oil & gas facilities are still using equipment that is 15 – 20 years old, and designed before industrial cyber security was a primary consideration. In addition, many oil & gas facilities still run their IT and OT networks in siloes, with plant engineers – not cyber security experts – responsible for cyber security in the plants.
However, attacks such as last year’s high-profile TRITON attack on a petrochemical facility in Saudi Arabia, where hackers compromised the plant’s safety devices, highlight the cyber risks facing oil & gas infrastructures today.
CyberX’s recent 2019 Global ICS & IIoT Risk Report, which assessed vulnerabilities across over 850 industrial control networks around the world, found several common vulnerabilities: 53% of industrial sites used outdated Windows systems, 57% were not running anti-virus that updated signatures automatically, and 69% had passwords traversing the network in plain text. The report also found that the ‘air gap’ is a myth, as 40% of industrial sites had at least one direct connection to the internet. In addition, 84% had at least one remotely accessible device and 16% of sites had at least one wireless access point.
“There are no compliance regulations obliging oil & gas facilities to report breaches, but we can assume there have been many more breaches than the TRITON attack,” says Neray. “There could be various motivations for attacks on such infrastructure – nation state attacks carried out for political considerations; ransomware attacks; hacktivists objecting to policies or drilling activities; or even attacks designed to steal intellectual property.”
With oil & gas installations a significant and potentially lucrative target, attackers are likely to increasingly turn their attention to these facilities, particularly as plants modernise their infrastructures with new, connected IoT and automation systems.
While basic cyber security approaches such as patching, encryption and up-to-date AV are necessary in the OT environment, standard out-of-the-box IT network security devices are not effective in industrial facilities, says Neray. “Industrial cyber security requires specialised solutions, since OT systems use unique protocols and non-standard operating systems. Industrial cyber security systems also need embedded machine learning and behavioural analytics to understand routine M2M traffic patterns and detect suspicious activity.”
Neray says oil & gas organisations are taking the increased cyber risk seriously, and are now moving to address vulnerabilities, but that more urgency is needed. “Cyber risk at OT level is a business risk. A danger for management teams is that some tend to think of cyber crime as a technical issue rather than as a business risk issue. But cyber crime has the potential to cause millions of dollars in losses, environmental damage, human safety risk, as well as downtime, brand impact, compliance issues and loss of intellectual property.”
To effectively mitigate risk, CyberX and its Southern African implementation partners GECI recommend breaking down siloes between IT and OT and managing all cyber security under a single cyber security and risk team. Oil and gas plant managers and security analysts should ask themselves the following questions:
- What devices do I have, how are they connected, and how are they communicating with each other?
- What are the risks to our “crown jewel” IoT and ICS assets – and how do we prioritize mitigation?
- Do we have any IoT and ICS threats in our network – and how do we quickly respond to them?
- How do we leverage existing investments – people, training, & tools – to centralize IT/OT security in our SOCs?
- Who is targeting us – what are they after – and how are they doing it?
CyberX is available in Southern Africa through GECI, an international tactical cyber security specialist now launching a portfolio of cyber security innovations in the region. “Cyber war and cyber crime could happen to anyone – it’s a pandemic. And critical infrastructure is at risk,” says South African GECI representative Mike Bergen.