As industry embraces an accelerated pace of technology usage, heightened by Covid-19, there is also an increase in cyber-attacks, observe Niraj Mathur, Managing Director, Security & Privacy, and Manish Laligam, Managing Director and Industry Leader, Energy and Utilities, both from the Protiviti Member Firm for the Middle East Region.
As the world paces towards a phase of digitalization, exacerbated by the pandemic, cyber threats have taken an upward trend.
Whether it is the use of big data and AI to fight malware or the increased dependency on contactless services such as robots or drones, this dependency has opened a Pandora's Box of cyber-attacks and created the need to build a resilient environment.
Operational technology (OT) in the oil and gas sector has never been looked at through the security lens as closely as it is today. The key enablers that have brought OT security to the forefront of the discussion are:
Convergence of IT with OT
The adoption of IoT and the modernization of OT systems have led to convergence with IT and removed the silos that existed between OT and IT. Emerging technologies such as digital twins and Robotic Process Automation (RPA) have only accelerated the need for this merger. The convergence has thus made OT susceptible to security threats normally aimed at IT systems.
Availability over security
Reliability and availability of the network take priority over security. Attackers have often found ways to target availability, costing companies millions.
Dependency on technology
Industrial automation, control and safety systems used in the sector are to a large extent digitized. The use of RPA, Artificial Intelligence (AI) and blockchain shares one common theme: sensitive data that serves as bait to cyber attackers.
Key vulnerabilities
The Oil & Gas industry is very often targeted by cyber criminals or hacktivists and the convergence of IT has only made it more vulnerable. Due to the complexity involved in maintaining OT systems, even the basic precautions tend to get ignored.
In a recent study, it was found that 71% of sites had outdated OS, 64% did not encrypt their passwords, 27% of sites had direct internet connections, 66% of sites were not applying patches in a timely manner and 54% of sites had devices accessible remotely using standard protocols, which are fairly easy to hack. (Source: CyberX 2020 IIOT Report)
The breadth of the oil and gas industry's value chain creates numerous potential entry points for these attacks, ranging from attacks on physical infrastructure to the disabling of critical systems. The top 10 vulnerabilities in control systems include:
- Inadequate policies and procedures
- Remote access to the control system without appropriate access control
- Weak access controls and unauthorized communications
- Insufficient tools to detect and report on anomalous or inappropriate activity
- Inadequately designed control system network (no defense in depth)
- Software used in control systems not adequately tested or maintained
- Use of control system network bandwidth for non-control purposes
- Unauthorized or inappropriate applications or devices on control system networks
- Inadequate critical support infrastructure (admin, network management and more)
- Vulnerabilities in legacy systems
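The weaknesses the CyberX figures above describe (outdated OS, unencrypted passwords, direct internet connections, overdue patching, remote access over standard protocols) can be checked mechanically against an asset inventory. The following is an added example, not code from the article or from Protiviti: it audits a constructed inventory of hypothetical OT assets, reports the findings per asset, and produces the same kind of per-site percentages the report quotes. The record fields, the 90-day patch SLA and the set of protocols treated as "standard" remote access are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# Reference date for patch-age calculations; fixed so the audit is repeatable.
AS_OF = date(2021, 3, 1)
PATCH_SLA_DAYS = 90  # assumed patching SLA
# Remote-access protocols treated as "standard" and weak when exposed (assumption).
WEAK_REMOTE_PROTOCOLS = {"telnet", "vnc", "rdp", "ftp", "http"}
CATEGORIES = ["outdated-os", "unencrypted-passwords", "direct-internet",
              "patching-overdue", "remote-access-standard-protocol"]


@dataclass
class OtAsset:
    """One inventory record; the field names are assumptions for this example."""
    site: str
    name: str
    os: str
    os_supported: bool            # vendor still ships security updates
    password_storage: str         # "hashed" or "plaintext"
    internet_reachable: bool      # routable to the internet without a DMZ
    last_patch: date
    remote_services: list = field(default_factory=list)  # exposed remote-access services


# Constructed inventory for four hypothetical sites (not real data).
ASSETS = [
    OtAsset("site-A", "PLC-1", "Windows XP", False, "hashed", False, date(2020, 1, 15), ["vnc"]),
    OtAsset("site-A", "HMI-1", "Windows 10", True, "plaintext", False, date(2021, 2, 10)),
    OtAsset("site-B", "RTU-7", "Linux", True, "hashed", True, date(2021, 1, 20), ["ssh"]),
    OtAsset("site-C", "SCADA-SRV", "Windows Server 2019", True, "hashed", False, date(2021, 2, 28)),
    OtAsset("site-D", "ENG-WS", "Windows 7", False, "plaintext", False, date(2020, 11, 1), ["rdp"]),
]


def audit_asset(asset, as_of=AS_OF):
    """Return the list of weakness categories this asset exhibits."""
    findings = []
    if not asset.os_supported:
        findings.append("outdated-os")
    if asset.password_storage != "hashed":
        findings.append("unencrypted-passwords")
    if asset.internet_reachable:
        findings.append("direct-internet")
    if (as_of - asset.last_patch).days > PATCH_SLA_DAYS:
        findings.append("patching-overdue")
    if WEAK_REMOTE_PROTOCOLS & set(asset.remote_services):
        findings.append("remote-access-standard-protocol")
    return findings


def site_summary(assets, as_of=AS_OF):
    """Percentage of sites with at least one asset in each category (report-style)."""
    by_site = {}
    for asset in assets:
        by_site.setdefault(asset.site, set()).update(audit_asset(asset, as_of))
    sites = len(by_site)
    return {c: round(100 * sum(c in f for f in by_site.values()) / sites) for c in CATEGORIES}


def worst_assets(assets, as_of=AS_OF):
    """Assets with findings, ordered by number of findings, for remediation prioritisation."""
    scored = [(len(audit_asset(a, as_of)), a.name) for a in assets]
    return [name for count, name in sorted(scored, key=lambda x: (-x[0], x[1])) if count]


if __name__ == "__main__":
    for a in ASSETS:
        print(f"{a.site:7} {a.name:10} {audit_asset(a) or 'clean'}")
    print(site_summary(ASSETS))
    print(worst_assets(ASSETS))
```

The per-site aggregation matters: one unsupported engineering workstation is enough to put a whole site in the "outdated OS" column, which is how the report's percentages should be read.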
How to build cybersecurity consciousness and discipline among employees and contractors:
In November 2020, the UAE cabinet agreed to establish the UAE Cybersecurity Council aimed at developing a comprehensive cybersecurity strategy to create a safe and stronger cyber infrastructure in the UAE. While efforts are made at the national strategy level, we need to maintain discipline to give these strategies a fruitful outcome.
Oil and gas facilities are critical infrastructure assets, producing vital products for economies around the world. Protecting the supply chain and operations is therefore of significant importance not only to the enterprises that manufacture these products but also to those who depend on and consume them.
A framework for Supervisory Control and Data Acquisition (SCADA) systems is required to identify, evaluate and treat the various types of risks targeting these systems. Such a framework can be derived by addressing the following 6 parameters:
- WHAT can happen to the system (risks)
- WHO can do it (agent)
- WHY would someone do it (motivation)
- WHERE these risks can affect (system components targeted)
- WHEN can these risks be exploited by agents (component vulnerabilities)
- HOW can the risks be executed (penetration tools & methodologies)
There are 3 key verticals that are essential while considering SCADA Cyber Security in any organization:
- Technology – Solutions that aid prevention, detection, and response, such as:
  - Restricting logical access to the control system network and network activity
  - Restricting physical access to the control network and devices
  - Protecting individual control system components from exploitation, applying patches and hardening guidelines periodically
  - Implementing a network topology for the control systems that has multiple layers, with the most critical communications occurring in the most secure and reliable layer
  - Timely detection of security events and incidents
  - Effective response to security events and incidents
  - Providing logical separation between the corporate and control system networks
  - Maintaining functionality during adverse conditions
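Three of the technology controls listed above (restricting logical access, a layered topology with the most critical traffic in the innermost layer, and logical separation between corporate and control networks) can be monitored from flow records. The following is an added example, not the article's or Protiviti's code: it assigns each address to a layer, then flags flows that skip a layer (for instance corporate straight into the control network) or that enter a protected layer on a service that layer does not accept. The zone ranges, layer numbering, inbound port allow-lists and the flow records are all constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Hypothetical zone layout (constructed addresses, not a real site).
ZONES = {
    "corporate": ip_network("10.10.0.0/16"),
    "dmz":       ip_network("10.20.0.0/16"),
    "control":   ip_network("10.30.0.0/16"),
    "safety":    ip_network("10.40.0.0/16"),
}
# Layer depth: the lower the number, the more critical the layer.
LEVEL = {"external": 4, "corporate": 3, "dmz": 2, "control": 1, "safety": 0}
# Services each protected layer accepts from the layer directly above it (assumed policy).
ALLOWED_INBOUND = {"dmz": {443, 4840}, "control": {4840, 502}, "safety": {4840}}

# Constructed flow records: timestamp, source, destination, destination port, protocol.
SAMPLE_FLOWS = [
    "2021-03-01T10:15:02Z 10.10.5.21  10.20.0.5   443  tcp",   # corporate -> DMZ web
    "2021-03-01T10:15:09Z 10.10.5.21  10.30.1.10  502  tcp",   # corporate -> PLC, skips DMZ
    "2021-03-01T10:16:30Z 10.20.0.5   10.30.1.10  4840 tcp",   # DMZ historian -> OPC UA
    "2021-03-01T10:17:01Z 10.20.0.5   10.30.1.10  3389 tcp",   # DMZ -> control RDP
    "2021-03-01T10:17:44Z 10.30.1.10  10.30.1.11  502  tcp",   # within control
    "2021-03-01T10:18:12Z 203.0.113.7 10.30.1.12  23   tcp",   # internet -> control telnet
    "2021-03-01T10:19:05Z 10.30.1.10  10.40.0.2   4840 tcp",   # control -> safety OPC UA
    "2021-03-01T10:20:50Z 10.30.1.10  10.10.5.21  443  tcp",   # control -> corporate direct
]


def zone_of(ip):
    """Map an address to its zone; anything outside the known ranges is external."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line):
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def evaluate(flow):
    """Return 'ok' or a short verdict naming the policy the flow breaks."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if src_zone == dst_zone:
        return "ok"
    # Traffic may only move between adjacent layers, in either direction.
    if abs(LEVEL[src_zone] - LEVEL[dst_zone]) > 1:
        return f"layer-skip:{src_zone}->{dst_zone}"
    # Traffic entering a more critical layer must use an allowed service.
    if LEVEL[dst_zone] < LEVEL[src_zone] and flow["dport"] not in ALLOWED_INBOUND.get(dst_zone, set()):
        return f"port-not-allowed:{src_zone}->{dst_zone}:{flow['dport']}"
    return "ok"


def find_violations(lines):
    """Evaluate each record and keep only the flows that violate the layering policy."""
    violations = []
    for flow in map(parse_flow, lines):
        verdict = evaluate(flow)
        if verdict != "ok":
            violations.append((flow["ts"], flow["src"], flow["dst"], verdict))
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(*v)
```

Running it over the sample records reports four violations: the corporate host reaching a PLC directly, RDP from the DMZ into the control layer, an external address reaching a control device over telnet, and a control host talking straight back to the corporate network. The last case is worth keeping in the policy: outbound flows that bypass the DMZ are as much a separation failure as inbound ones.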
Process and Governance: Develop, deploy and rigorously follow an effective SCADA Security Policy and Procedures. The essence of such a policy should cover:
- Regulations: Setting the tone right by alignment of security policies with IEC 62443 and NIST OT guidelines
- Purpose: why this policy exists
- Scope: what context does the policy cover? Security policies should extend beyond IT so that gaps are adequately covered
- The rules: what can and cannot be done?
- Responsibility: who can do what?
- References: reference to other policies already in force
- Revision history: a history of changes, who made them, when and why
- Enforcement: description of the consequences of acts performed within the system
- Exceptions: if any, they must be reported in the security policy
- Continuous Monitoring: Perform risk management periodically.
People: Lastly, to instill cybersecurity consciousness, an organization should run employee awareness programs aimed at educating its employees and its suppliers on security hygiene.
Leadership teams need to take ownership of imparting such knowledge across functions, instilling a security-centred mindset as teams continue to resolve complex business problems.
As we operate in a digital world that will keep changing with ever more advanced versions and updates, it is imperative to reflect on our existing modus operandi and keep working with the mindset of building a resilient organization.
Niraj Mathur
Niraj is an expert in the security consulting field with more than 20 years of regional and global experience managing large and complex projects. His areas of expertise include security strategy, security architecture, security automation and security operations. Niraj has assisted many large clients in the areas of compliance, risk management, managed security services and formulating security roadmaps.
Manish Laligam
Manish has over 15 years' experience in business strategy, risk advisory, operations and implementation. As a business executive, Manish has successfully worked on several engagements with national and international oil companies, creating new business opportunities, developing nationalized programs and enhancing shareholder value for investors.