Addressing cyber threats to operational technology in oil and gas
As a sector of critical importance, disabling energy-sector assets has a severe effect on a nation’s economy, denying access to basic services and impacting GDP. Governments around the world caution that the threat to infrastructure will worsen rather than lessen.
These attacks come to the fore as digital transformation programmes are rolled out across the region with the introduction of new technological tools to benefit the bottom line through enhanced efficiency and output. This has led to the convergence of both the data side of the business, traditionally the realm of IT, and the operational technology (OT) side, used to manage industrial control systems (ICS). As previously siloed systems are being meshed together, organisations are being exposed to new threats.
Ringfencing operational technology
Caught in the middle are the IT and security professionals tasked with securing these new intertwined systems in the face of compelling business arguments. However, they must remediate security threats against the impact on the organisation. These include:
- OT environments are often structured around legacy technologies. Designed for process functionality and safety, OT was often secured via isolating initiatives, such as air gapping. As modern plants increasingly connect machines, devices, sensors, thermostats and so on to the internet, this is no longer feasible.
- Most organisations that rely on OT have a zero-tolerance policy to downtime given the business criticality of the systems. For example, an energy provider may operate 15 or 20 different sites. It’s not a simple, or even quick, process to shut down a treatment system to fix a vulnerability in a programmable logic controller (PLC), even if we were to ignore the impact it would have further in the process. That said, could the business afford to risk a threat actor exploiting a vulnerability that could damage the plant or even threaten life?
- IT network solutions don’t always transfer to OT environments. A poorly timed security scan that probably wouldn’t even be noticed in an IT network could have a profound impact on sensitive OT environments. For example, potentially knocking out the gauge on a pipeline, causing a drill to malfunction or even taking the whole plant offline. Passive monitoring can help organisations solve this issue, allowing them to safely profile the network and devices connected to it. In this way, they can understand how assets are unprotected, and recognise and fix vulnerabilities without impacting system functionality.
- While vulnerabilities are discovered in OT technology, there have been occasions where a patch to fix the flaw is not forthcoming. If you cannot patch, then what else can you do to secure your environment?
Staff responsible for OT security cannot afford to be blinkered and focused only on OT vulnerabilities. The convergence of IT and OT means both ICS and IT vulnerabilities can be exploited to attack critical infrastructure. Therefore, viewing both systems together through a single pane of glass is the only way to view risks holistically.
Action points for security teams
Finding a solution to any problem begins with acceptance. It is essential that IT and OT professionals understand the increased attack surface if their organisation is to moderate their business risk. Although embracing solutions remains a challenge, organisations can take several steps.
First and foremost, they must understand the whole picture. Clear and complete visibility of the attack surface allows organisations to identify, address and mitigate cyber risk. This includes both IT and OT systems.
With a clear outlook of the threats, the next step is determining what is important to the organisation’s ability to function – and whether it is vulnerable to attack. Vital assets across the board must be identified and the steps to secure them enumerated.
None of this can happen without integrating IT and OT security efforts. The reality is that organisations with siloed OT security programs whose arsenal of tools, KPIs and policies differ from that of their IT security programs will not survive in today’s threat landscape. Traditional ways of tracking systems and vulnerabilities with excel spreadsheets are insufficient when it comes to addressing the threat landscape.
Security professionals are not the only ones who must be aware of the risks facing OT environments. Given the potential impact of any damage, executive leaders and company boards also need to understand the cyber threats their organisation faces.
Effectively securing connected OT and IT environments is a work in progress, with progress being the operative word – and not something that will be fixed overnight. As digital transformation continues to result in the convergence of OT/IT environments, industries that rely on OT are acknowledging the challenges and working towards solving the cybersecurity issues the industry is facing.