Understanding cyberthreats in the oil and gas industry
Haider Pasha, Sr. Director & Chief Security Officer, Middle East and Africa at Palo Alto Networks, discusses some of the key cybersecurity challenges facing the oil and gas industry.
What are the key cyber security challenges that Oil & Gas professionals should be aware of?
When we talk about cybersecurity, the oil and gas industry has two main segments: there’s the IT environment and the operation technology, or OT, environment. Both are vital for the healthy functioning of the industry, but in general IT is probably a bigger focus for cybersecurity.
Within IT, the challenges in the oil and gas industry are very similar to what any other organization faces – and include things like targeted attacks, malware and ransomware. However, the real challenge for the oil and gas industry is to focus on securing the OT side of the environment. We are beginning to see an increase in attacks that are increasingly sophisticated and which are affecting the OT environment.
The first critical challenge is that OT systems usually need to connect to the network. We no longer live in an environment where IT can be completely segmented. Many executives believe that ‘air gap networks’ – which are kept isolated from the connected IT environment – are inherently secure, but this is not necessarily the case, and we live in a world where ever more devices need to be connected. Perhaps the most famous example of how peripheral OT devices can be compromised is Stuxnet, which targets Supervisory Control and Data Acquisition (SCADA) systems.
When it comes to OT control systems, the first challenge is identifying what level of service those industrial control systems need to have when they connect to the network. Then the main focus areas should be to ensure that all of your software upgrades and patches on both the IT and the OT side of the environment follow the right level of processes.
Why are threats to OT systems rising?
Threats targeting OT systems are rising because the level of connectivity those control systems have to the IT environment is rising. In addition, we see different types of attackers now, including nation states that are going after specific organizations, whether it is oil and gas facilities or a nuclear facility, for example. These are pieces of national critical infrastructure and they are areas that other nations are targeting.
Some nation states have hired teams to penetrate into those environments and they are constantly making those attempts. There are different avenues; it is not just about having a direct focused attack. The vulnerability could be through an HVAC (Heating, Ventilation and Air Conditioning) system that the oil and gas facility is using, or it could come through another angle, such as contractors and other people that are going on site.
What other threats should the oil and gas industry be aware of?
Another growing challenge is related to supply chains. When you have contractors that come into your environment, they may sometimes bring threats or vulnerabilities in when they connect to your environment. For example, a contractor may connect to your network with a compromised laptop or tablet. For this reason, it’s essential to have a process in place to verify that their machine is secure, fully patched and that there are no vulnerabilities before you give them access to your environment.
It all goes back to having the right processes in place. You need to make sure that people – whether they’re contractors or employees – are aware of the cybersecurity vulnerabilities and the processes they need to follow.