Bramson ... security threat warning

From previously looking to disrupt OT networks that control industrial operations, threat actors have moved beyond stealing valuable data to gaining control over entire market ecosystems, Ian Bramson, Global Head of Cybersecurity at ABS Group, tells OGN.


Oil and gas companies must focus on building robust industrial cybersecurity programmes to prevent and respond to the next attack.

Over the course of the last year, a surge of unprecedented attacks has made industrial cybersecurity top of mind for industrial organisations around the world. This is particularly true in critical infrastructure sectors such as oil and gas.

Previously, cyber criminals concentrated their efforts on infiltrating the information technology (IT) networks that run business systems.

However, they are now looking to disrupt the operational technology (OT) networks that control industrial operations. Threat actors have moved beyond stealing valuable data, to gaining control over entire market ecosystems.

The recent Colonial Pipeline incident demonstrates how hackers can wreak havoc when organisations assume IT threats will not impact OT.

This ransomware attack was the strategic result of a password breach, which snowballed until OT operations were completely shut down.

The consequence was a shortage of gasoline along the East Coast, pushing gas prices to their highest level in six years.

These dangerous breaches and their ramifications are just beginning. In December 2021, a serious vulnerability was identified in widely used Java software called Log4j.

Rated a 10 out of 10 on the vulnerability scale by the Cybersecurity and Infrastructure Security Agency (CISA), this threat has been labeled as one of the worst in history, with experts stating that organisations’ IT and OT networks worldwide are now at risk until further notice.

This breach, as well as the Colonial Pipeline shutdown, is not only a wake-up call for organisations, but for cyber criminals as well.

Their impact on the nation’s supply chain and economy has confirmed that the oil and gas industry is a vulnerable and valuable target.

Organisations must act now and prioritise the implementation of an industrial cybersecurity program to protect their operations, the environment and the community.


WHAT MAKES O&G COMPANIES VULNERABLE TO ATTACKS?

Recent security breaches are a wake-up call for energy companies

There are several reasons oil and gas organisations are vulnerable to attacks, with the most critical being:

• Lack of cybersecurity controls: The oil and gas industry does not have standard OT cybersecurity strategies and regulations, which has led to disparate and often inadequate security practices.

Control systems run non-stop, day-in and day-out, leaving limited downtime for upgrades and updates, resulting in unpatched and inherently vulnerable OT systems.

Complicating matters even further is the fact that OT support in the oil and gas sector is inconsistent.

Frequently, OT support relies on either IT teams who lack experience in OT cyber or operations teams who are at a disadvantage because they do not understand cybersecurity principles.

Contrary to what many organisational leaders believe, IT solutions cannot simply be applied to OT systems because they do not translate. OT systems need specialised cybersecurity solutions and dedicated staff with OT expertise.

• Remote capabilities are open to attacks: Today, many oil and gas organisations have dispersed assets and are heavily dependent on remote monitoring for management. While this connectivity offers many competitive advantages, it also creates vulnerabilities.

Increased remote control over operations means more connection points for threat actors to break down organisational defenses and take control.

• Growing operations are driving the expansion of attack surfaces: As oil and gas organisations expand their operations, the ways in which cyber threats can penetrate systems, also known as "attack surfaces," are growing. Attackers are now trained to look for the cracks in these attack surfaces and exploit them.

• Modern technologies pose new cyber risks: Digitalisation, data analytics and automation are all competitive advantages. However, they pose new cyber risks. Many industrial environments are composed of legacy systems that can be anywhere from 10 to 30 years old.

These systems, given their age, were built for longevity, and not initially designed to be connected to wide area networks (WANs) or other modern technologies. These factors make them inherently vulnerable to attacks.

The combination of digitalisation and an expanded attack surface creates additional challenges in managing cyber risk.

When organisations centralise control and increase automation, analytics and data to gain a competitive advantage, the financial aspects often take priority, leaving OT cybersecurity tacked on as an afterthought. While high dependency on digitalisation is only going to increase as it creates efficiencies, it also increases risk.

• Attackers want more than data - they want physical control: Cyber attackers no longer just want to steal and manipulate data - they want direct control over the operations in physical environments where they can have the most impact.

Attacks can now damage critical infrastructure, grind operations to a halt and ultimately threaten national security by crippling essential industries like oil and gas.

Something as simple as a password breach can disrupt the economy on a national scale and cause a ripple effect into adjacent industries.

• Attackers are forming businesses: Although there are many distinct types of cyber attackers with different motivations, they have all started to form businesses around hacking.

Their common thread is targeting industrial sectors like oil and gas, where they can have the biggest impact, disrupt business operations and make the most money.


COMPONENTS OF A SOUND OT CYBER PROGRAM

Many organisations are unsure of where to begin when building out an OT cybersecurity program. The answer? Start at the beginning. OT environments are best protected when OT systems and networks are identified, so that any update, upgrade or renovation has cybersecurity protocols built in from day one.

All is not lost for organisations that need to update security protocols within their existing facilities; they just need to do a little more legwork. That means hiring an experienced team specialised in OT security who can:

• Create a comprehensive asset inventory: Shockingly few organisations have visibility into the composition of their OT network - and you can’t protect what you can’t see.

Auditing the network to identify every device (connected or not) is the best way to build a cybersecurity plan that accounts for every possible point of attack.

• Map those assets: Knowing what’s there is just the first step. Facility operators should also understand how each asset interacts with the rest of the network.

Even assets that are updated via supplier USB drives or vendor maintenance should be noted as those points of connection can still pose risks.

• Evaluate vendors and suppliers: Your OT environment could be the most secure and tightly controlled in the world, but one supplier that’s unprotected can open you up to potential threats.

• Implement monitoring processes: Once a company has visibility into these areas, it can track changes and monitor for abnormalities.

Identifying OT attacks as the work of bad actors can be difficult as they often appear as malfunctions. With this in mind, tracking all activity is crucial to identifying breaches and addressing them before hackers use their access to wreak havoc.

• Develop a response plan: Despite the risks, many operators believe that a breach won’t happen to them - and they don’t know how best to respond when it eventually does.

All OT environments should have pre-developed response plans that account for attacks that harm employees, are executed for ransom, or result in downtime.


MAKE OT CYBERSECURITY A PRIORITY

Organisations must be proactive when it comes to securing their OT systems and understand that it is not enough to patch the vulnerability that led to the last high-profile attack.

Since attackers are highly adaptable and constantly evolving, oil and gas companies must focus on building robust industrial cybersecurity programs to prevent and respond to the next attack. It is vital to prepare for when, not if, an attack occurs.

The most successful organisations will work to develop a framework to identify potential weaknesses, protect against attacks, detect attacks when they occur, respond quickly and recover effectively. Taking a proactive approach will make an organisation resilient to future attempts and give peace of mind in a quickly changing environment.


* Ian Bramson is Global Head of Industrial Cybersecurity at ABS Group and a recognised leader in the emerging threat landscape of attacks on industrial operations and critical infrastructure. With more than 20 years of experience in cybersecurity and technology, Ian works directly with executives in the energy, industrial and maritime sectors to help minimise their cybersecurity risks.


By Abdulaziz Khattak

