Oil and gas companies are continuously looking for ways to efficiently manage their industrial assets and better streamline their operations to lower fixed costs and safely deliver the energy resources they provide.
With the dawn of the digital age, these companies are adopting a growing array of next-generation wireless sensors and related industrial internet technologies that enable them to connect to their industrial equipment in real time. Designed to increase visibility, monitoring and control of a wide variety of industrial assets, these next-generation technologies have the ability to monitor asset performance in real-time and can be integrated into the supporting SCADA control systems, making it possible for operators to remotely and/or automatically turn on, off or modify industrial assets based on real-time performance feedback.
As a result, the traditional distinction between information technology (corporate IT) and industrial operations technology (OT) is blurring as these worlds continue to converge and provide new levels of industrial automation.
The increasing digitization and modernization of technology in the industry has many benefits, including a more reliable and continuous supply of energy resources to customers at a lower cost for the organizations that deliver it. However, along with these benefits comes a new issue to contend with: A growing number of cyber security threats that are emerging as a result of the convergence of industrial and corporate networks.
Modernization Increases Vulnerabilities
The operations technology running industrial control systems (ICS) has traditionally been closed-off and segregated from enterprise IT networks through “air gapped” security measures that ensure OT is isolated from other, ancillary corporate IT computer networks. However, with the rise of progressive industrial internet solutions, OT systems are increasingly becoming more adapted to an open-standard, digital-age IT infrastructure while being bridged into corporate IT networks to take advantage of new capabilities. While there are positive advantages created by these changes, a side effect is new vectors of exposure of the ICS to potential cyber-based vulnerabilities.
The industry is already witnessing some of this phenomenon in the form of an increased number of cyber security attacks on its energy infrastructure. In 2015, the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 295 cyber incidents, a 20 percent increase from 2014, when there were 46 energy sector incidents. Furthermore, a 2016 survey of 150 energy sector IT professionals found that more than 75 percent had experienced at least one successful cyber-attack in the previous 12 months.
Security attacks in other industries can create disruption and monetary damages to businesses and individuals, but when security attacks compromise oil and gas industry SCADA systems and overtake their industrial control functions, the results can be disastrous — even deadly. If cyber hackers compromise the industrial control network running a pipeline, for example, they could adjust pipeline compressors to increase pressure until a weak point in the pipeline explodes. And all this can be done from anonymous, remote locations via the internet or other similar external communications pathways.
Alternatively, the information from within the ICS could be generally gathered, manipulated and/or even extracted and sent to a third party, such as a terrorist group or non-friendly foreign nation, to be used with malicious intent. This approach was reportedly used to cause the 2008 explosion of a pipeline in Turkey. More recently, in March 2016, the U.S. Justice Department claimed that Iran had attacked U.S. infrastructure by infiltrating the industrial controls of a dam in Rye, New York. The attackers compromised the dam’s command-and-control system using a cellular modem. In June 2016, ICS malware targeted a European energy company. A backdoor was created that could be used to deliver a payload that could extract data from or potentially shut down the energy grid.
As the pace of digitization in the industry continues to intensify and cyber criminals continue to develop ICS-specific malware, there likely will be an increasing number of cyber security attacks against systems that manage critical infrastructure.
Guidelines for the Energy Sector
Securing assets such as pipelines and other energy infrastructure will require a combination of training, technology, industry standards and regulations and improved processes. There are some baseline recommendations and frameworks for addressing pipeline cyber security.
In 2015, the U.S. Department of Energy released the Energy Sector Cybersecurity Framework Implementation Guidance, which is designed to help energy sector owners and operators implement the Cybersecurity Framework for critical infrastructure that was developed by the National Institute of Standards and Technology (NIST). While it is a voluntary framework, it serves as an excellent starting point and shows pipeline owners and operators how to incorporate the framework into their cyber security and risk management programs.
The Transportation Security Administration’s (TSA) Pipeline Security Guidelines provides cyber security recommendations for pipeline operators, including general security measures, information security coordination and responsibilities, system lifecycle considerations and system restoration and recovery planning.
Additionally, industry associations such as the American Petroleum Institute (API), the Interstate Natural Gas Association of America (INGAA) and others provide cyber security guidance and recommendations.
These industry standards and frameworks should be considered a starting point for developing your company’s specific cyber security posture in the energy sector. And while these frameworks can help get a program off the ground, to date the industry generally relies on voluntary compliance as mandatory cyber security obligations for pipelines are not yet hard-lined.
Pipeline owners and operators should not only look to leverage these sample frameworks as a starting point for their cyber security posture, they should also look to develop appropriate supporting management practices, employee training, performance tracking metrics and business intelligence related to their cyber security program in order to further safeguard their industrial infrastructure against cyber threats.
Education and Training
Malware is most often introduced and spread through networks due to unaware behavior by good actors. Employees, for example, unknowingly open malicious email attachments, are tricked into revealing passwords and/or connect their laptops in unsecure ways to networks they should not be connected to. The prevalence of personal, internet and network-enabled smartphones in the workplace also exacerbates the problem.
Both acts of commission and omission by good actors are quite often a material part of the root cause behind a malicious cyber intrusion. To change this, pipeline companies must create a culture focused on identifying and reducing digital vulnerabilities in the same way there is a culture for preventing explosions and fires.
Widespread awareness of cyber security issues must be cultivated among the workforce and employees should receive regular cyber security training tailored to their role in the organization. For example, the SANS Institute provides a Global Industrial Cyber Security Professional certification that trains ICS operators to understand how to best recognize and react to a cyber-attack.
Additionally, the Department of Homeland Security (DHS) has been engaging organizations managing critical infrastructure with a service where DHS will come on-site and simulate a cyber-attack using “white hat” hackers who attempt to compromise the OT and IT systems using the same techniques as a malicious hacker. The multi-day exercise helps these organizations identify where their greatest risks and vulnerabilities exist and provides recommendations for how to improve.
Solutions for the Oil and Gas Sector
Given how complex, multi-dimensional and highly regulated aspects of operations in oil and gas can be, asset owners should look for threat detection software solutions that are specifically designed for energy sector infrastructure to ensure these critical assets are appropriately secured. A simplistic approach such as installing a firewall is simply not enough to protect from the nature of today’s sophisticated and coordinated cyber threats.
When evaluating industrial cyber security solutions, an important feature to look for is machine learning. Its value in industrial cyber security is the ability to dynamically “paint a picture” of the entire industrial network. For example, from an industrial process perspective, such a solution can “learn” what each programmable logic controller (PLC) is touching (e.g., control valves, switches, related components), to identify if something out of the ordinary is occurring during the normal industrial process cycle.
Another key feature to look for is the ability of a cyber security tool to be fully passive. That means it requires zero downtime and zero interruption to the existing industrial control network in order to install, setup, learn and monitor the network. Think of the ideal cyber security solution as a fast learner, an exceptional listener and a 24/7 first responder of any anomalous activity on your industrial network, all while being fully passive and non-intrusive to the system(s) it’s monitoring.
And perhaps most importantly, a good industrial cyber security solution should have the ability to provide operators with real-time situational awareness related to security incidents, malfunctions or misuse in the process network, service disruptions, anomalies in the ICS and more. With the growing volume of digitally based data being fed to industrial operations centers, operators are becoming overwhelmed by the volume of atomic alerts and events they receive.
It’s no longer enough for a cyber security solution to simply create another alert without providing the necessary context. Mature cyber security solutions should be able to correlate individual anomalies into threat events, as well as score the threat level of those events, in order to provide operators with situational context into the nature of threat that could be developing. By doing this, operators will be better equipped to see the proverbial forest through the alert trees, and have the right insight they need to make actionable decisions to avoid service disruption, downtime or worse: A compromise in infrastructure safety that could result in human casualties.
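The passive baseline learning and alert correlation described in the paragraphs above can be sketched as follows. This is an added example, not code from the article or from any vendor's product; the record format, host and device names, scoring weights and the 300-second window are all assumptions made for illustration.

```python
# Added example. All records, names and weights below are constructed.
# Record: (timestamp_s, source_host, plc, function, target_device)
LEARNING = [
    (0, "hmi-1", "plc-7", "read", "valve-12"),
    (5, "hmi-1", "plc-7", "write", "valve-12"),
    (9, "hmi-1", "plc-7", "read", "compressor-3"),
    (12, "eng-ws", "plc-7", "read", "compressor-3"),
]
LIVE = [
    (1000, "hmi-1", "plc-7", "write", "valve-12"),            # matches baseline
    (1010, "corp-laptop", "plc-7", "read", "compressor-3"),   # unknown source
    (1025, "corp-laptop", "plc-7", "write", "compressor-3"),
    (1040, "corp-laptop", "plc-7", "write", "valve-12"),
    (5000, "eng-ws", "plc-7", "write", "compressor-3"),       # known source, new write
]
WEIGHTS = {"new_source": 3, "new_relation": 2, "new_write": 5}  # assumed scoring

def learn(records):
    """Build the baseline from observed traffic only (nothing is sent to the PLC)."""
    sources = {(plc, src) for _, src, plc, _, _ in records}
    relations = {(src, plc, func, target) for _, src, plc, func, target in records}
    return sources, relations

def anomalies(records, baseline):
    """Return one atomic alert (ts, src, plc, kind) per deviation from the baseline."""
    sources, relations = baseline
    alerts = []
    for ts, src, plc, func, target in records:
        if (src, plc, func, target) in relations:
            continue
        if (plc, src) not in sources:
            alerts.append((ts, src, plc, "new_source"))
        alerts.append((ts, src, plc, "new_write" if func == "write" else "new_relation"))
    return alerts

def correlate(alerts, window=300):
    """Merge alerts for the same (source, PLC) within `window` seconds into scored events."""
    events, latest = [], {}
    for ts, src, plc, kind in sorted(alerts):
        ev = latest.get((src, plc))
        if ev is None or ts - ev["last"] > window:
            ev = {"source": src, "plc": plc, "first": ts, "last": ts, "alerts": 0, "score": 0}
            latest[(src, plc)] = ev
            events.append(ev)
        ev["last"], ev["alerts"] = ts, ev["alerts"] + 1
        ev["score"] += WEIGHTS[kind]
    return sorted(events, key=lambda e: e["score"], reverse=True)
```

Running `correlate(anomalies(LIVE, learn(LEARNING)))` on the constructed traffic turns seven atomic alerts into two events, with the unknown host's burst of activity ranked first.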
As OT and IT continue to converge, industrial control systems in the energy sector are increasingly vulnerable to a growing number of sophisticated cyber security threats. Unlike other business sectors, a cyber security attack in the energy sector has the potential to be disruptive or even deadly.
By following some emerging best practices, frameworks and guidelines laid out by organizations like the U.S. Departments of Energy and Homeland Security, NIST and TSA, combined with employee training and industrial cyber security software solutions that are designed specifically for the unique needs of the oil and gas industry, companies in this sector can strengthen their cyber security stance and prevent attacks.
Ken Hans is vice president of sales and services at Trellis Energy, where he manages business development and delivery of digital transformation engagement for energy companies in the natural gas and electric utility sectors.