The recent cyber-attack on the Colonial Pipeline in May served as a warning bell for the oil and gas industry to better protect critical infrastructure. However, it was also a dinner bell for cyber-attackers.
Threat actors now see the impact they can have on operations, safety and the economy. No matter what their motivation, whether it’s politics, terrorism, competition or just plain old-fashion money, cyber attackers know now where a strike will hurt countries the most — the target: critical infrastructure.
We spoke to Ian Bramson, global head of cybersecurity at ABS Consulting, to understand the nature of cyber-attacks on industrial infrastructure, what to expect next and what can be done about it.
What can you tell us about this new term, “Cyber-Physical Events”?
Bramson: The industry, the media, the government, the public and board rooms across the industry have now been introduced to the idea of cyber-physical events. No longer do cyber attacks target data, they now can have real-world impacts, such as shutting down a pipeline for a week.
Cyber attackers adapt quickly and target the places where they can have the greatest effect. As they shift focus from the Information Technology (IT) networks that run business systems to the Operational Technology (OT) networks that control systems and devices, they know the impact on your operations, the environment and public safety increases.
OT is a new kind of prize. Instead of stealing and manipulating data, cyber attackers now want to take direct control of your operations. This includes shutting down, over-speeding, overloading and disrupting how you explore, produce, transform, store and distribute goods. Attacks from IT can spill over into the OT environment, or the attacks can specifically target your operations. Either way, the impacts and the risk are real.
What is the nature of these cyber-attacking groups and how do they operate?
Bramson: Organizations like the one that attacked Colonial Pipeline operate like a business. They advertise, have customer service to help victims pay and look at their bottom line. The even offer cyber attacking as a service, meaning anyone can contract to use their technologies or services to launch an attack.
However, you should remember that these are not legitimate businesses. They are thieves. Contrary to their marketing and statements, there is no honor among them. The recent attacks made DarkSide, the Colonial Pipeline attacker, very popular. Like any illegal enterprise, too much popularity is bad for business, making them a target for law enforcement. DarkSide announced that they disbanded, but don’t be fooled. This is a typical tactic among cyber criminals. They’ll likely disband, shift, reform and rebrand. If you are at the point where you are making deals with criminals, you’re too late.
What is the impact of “Industrial Cyber” becoming a more popular target?
Bramson: Cyber attackers are hitting critical infrastructure and governments are taking notice. From water treatment plants and oil and gas, to the food industry and ports, cyber criminals are stress testing national critical infrastructures. Governments are responding by putting regulations and guidelines in place for industries to strengthen their security posture. For example, in the U.S., the Transportation Security Administration (TSA) agency issued a pipeline-focused, 30-day directive for the oil and gas industry to be implemented by the end of June. Industrial cyber once was able to slip under the radar but that’s no longer the case. Companies need to get serious about industrial cybersecurity and that begins by understanding the problem.
According to the report “Dragonstone Strategy – State of Cybersecurity in the Oil & Natural Gas Sector” (ONG) by the Lawrence Livermore National Laboratory (2020), “The ONG industry is unaware of potentially useful technologies that have been developed for ensuring cyber-security of other infrastructure systems, such as the electric grid. Leveraging these technologies — and the science and engineering behind them — can provide some low hanging fruit that can greatly improve cyber-security in the ONG industry without significant investments in terms of time and money.”
How does a company’s growth impact its cyber-attack threat level?
Bramson: As your operations expand and your OT systems get updated, so do all the ways cyber threats can get into your systems. This is called your “attack surface” and the rush to grow has too often left cybersecurity as an afterthought. Cyber attackers look for vulnerabilities and when there is rapid expansion, they are trained to look for the cracks. The fact is that an important number of oil, gas and chemical companies don’t even know what they need to protect themselves. In OT, asset inventories are too often done manually, outdated or non-existent. Put another way, if you don’t know what you need to protect, how can you protect it?
Cybersecurity also needs to become an integral part of new and capex projects. Concepts such as security-by-design and supply chain cyber risk management must become core to new development. Unfortunately, this is often not the case, leaving new construction vulnerable to attacks throughout the supply chain. Remember that your greenfield projects are very attractive to cyber attackers.
How does new technology influence cyber attackers?
Bramson: The oil, gas and chemical industries are being built on and enhanced through digitalization. Innovation, data leverage and automation equal competitive advantage in this market. This causes two fundamental cyber risks. First, connectivity increases as more sensors, devices and Industrial Internet of Things (IIoT) are added to the operational network. This expands the above-mentioned attack surface, allowing more points of exploitation for attackers. Second, the push of the technology envelope and the pressure to beat competitors to market often means that cybersecurity is left out. The cyber risk equation is clear; more devices + more automation + little security = big risk.
Why do operators need to be especially careful with remote capabilities on energy infrastructure?
Bramson: Many energy solutions depend on the remote monitoring and management of assets, including oil, gas and chemical companies. Remote capabilities offer a lot of advantages, but they also leave your operations vulnerable to an attack. Remote systems offer more ways to penetrate your defenses, more connection points and more ways to remotely take control of your operations. Remember the more remote visibility and control you have, the more that you could potentially surrender to a cyber attacker.