Mining, Oil & Gas
News

Identifying unique cybersecurity challenges in the oil and gas sector

July 22, 2020
cybersecurity challenges in the oil and gas sector

Oil and gas companies face a combination of common and unique challenges on the cybersecurity front, according to Jon Taylor, an assessment and testing services manager and principal consultant for Revolutionary Security, a subsidiary of Accenture.

Oil and gas firms face some of the same challenges as utilities

Speaking during a webcast hosted by Oil & Gas Journal on July 22, Taylor acknowledged that oil and gas operators had many of the same vulnerabilities as electricity providers and other utilities. Specifically, he said in response to a question from IndustrialCyber.co, cyberattacks on these companies’ industrial control systems (ICS) and operational technology (OT) have the potential to trigger undesirable changes in the operating environment.

“I think oil and gas, like any ICS or OT industry, does have unique issues. That is, we have physical consequences to any of our OT actions,” he said.

These consequences are of greater import when they involve OT problems such as production outages, equipment malfunctions or safety hazards rather than information technology (IT) problems, he said. “With respect to automated threat and response, from an IT perspective, we can just go shut somebody’s computer off, and I don’t care if you can’t get to your spreadsheet,” he said. “We can’t do that to a controller because we can lose control of that process.”

[optin-monster-shortcode id=”dv4jqlr9fih8giagcylw”]

Oil and gas companies must consider profits and variable operating conditions

At the same time, Taylor stressed that oil and gas firms faced unique cybersecurity challenges, even as they shared common concerns with power and water providers.

For one thing, he said, oil and gas companies tend to operate under conditions that are more fluid and variable than those facing utilities. That is, he said, the parameters of the operating environment can change very quickly during tasks such as drilling new wells or extracting hydrocarbons from subsurface reservoirs. As a result, cyberattacks can be more difficult to spot, since work crews must pay attention to so many other things.

“It can be that the variability in field processes makes it harder to capture [security threats] than [in] the electric industry, where everything’s static,” he explained.

Additionally, he said, oil and gas operators are often trying to turn a profit – unlike many utilities, which have the task of ensuring supplies to the public, sometimes to their own financial detriment, and of protecting and maintaining vital infrastructure. “I think there’s often more focus on monetary gain in oil and gas, whereas in electrical [generation], it’s more [of a concern] at the nation-state level,” he commented.

“So yes, I think there are differences,” he added. “Overall, the theme sounds the same, but the words might be a little different.”

Oil and gas companies must guard their intellectual property

Taylor also pointed out that some oil and gas companies were particularly vulnerable to cyberattacks designed to secure outside access to intellectual property. For example, he said, refinery operators have the task of guarding the proprietary technologies and processes they use to produce specialized fuels, lubricants and chemicals.

“The amount of intellectual property we put in our refining processes can also be a challenge. The specific data can really be intangible, [but they’re] worth a tremendous amount to a company,” he said.

He noted, though, that there were many steps that operators could take to guard their facilities from outside intrusion. One such step, he said, involves getting creative with names.

He cited a hypothetical example of a technician who, when tasked with setting up a system to monitor all the OT devices supporting an oil and gas company’s operating facility, tagged every device with a descriptive name that revealed exactly what function each performed. “We see this very commonly in production environments where tag names give away a ton of information about the process,” he said.

The problem with this practice, he remarked, is that it gives cyberattackers too much information – and too much insight into their targets’ operations. Intruders who learn how companies organize and use their equipment “can easily reverse-engineer that production process,” he stated.

Even if companies do adopt non-intuitive naming practices, he added, they should take additional precautions to keep information about their OT systems secure. “That information should never be stored on the same network as your production network,” he said. “It should always be in a very tightly locked down environment, completely isolated. And we recommend if it’s really critical to a core part of your business or to part of your brand identity, that you put it away in a data vault.”

Taylor’s advice is valuable, given that oil and gas companies represent a key component of vital infrastructure. But it is particularly worth heeding at a time when cyberattacks on oil and gas companies are on the rise. Oil and gas operators that are familiar with their own combination of common and unique vulnerabilities on the cybersecurity front have a better chance of resisting attacks.

Jennifer DeLay Iacullo
Jennifer DeLay Iacullo is a freelance writer specializing in global oil, gas, and power engineering topics. She has covered the energy industry of the former Soviet Union, China, Africa, Latin America and North America for more than 20 years. She lives in Atlanta with her family.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

MITRE confirms breach on NERVE network, suspected foreign nation-state actor involved
MITRE confirms breach on NERVE network, suspected foreign nation-state actor involved
Radiflow helps customers achieve NIS2 compliance, spurring growth in Europe
Radiflow, Exclusive Networks partner to elevate OT cybersecurity
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats
CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats
Mandiant exposes APT44, Russia's Sandworm cyber sabotage unit, targeting global critical infrastructure
Mandiant exposes APT44, Russia’s Sandworm cyber sabotage unit, targeting global critical infrastructure
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Armis
Armis acquires Silk Security for $150 million to enhance AI-driven cybersecurity capabilities
Nozomi discovers five vulnerabilities in AMI MegaRAC SP-X BMC, exposing OT, IOT devices to RCE attacks
Nozomi secures US$1.25 million US Air Force contract to boost DoD critical infrastructure security
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape