You are here

Cyber security for the oil and gas sector

14th March 2019

Duncan Greatwood, CEO of Xage discusses the dangers to the oil & gas industry from cyberattacks and what the sector needs to do to ensure its security

OGT spoke to Duncan Greatwood, CEO of Xage Security, about the implications of cyber security for the oil and gas sector. Prior to Xage, Duncan was an executive at Apple.

Xage Security CEO Duncan Greatwood
Xage Security CEO Duncan Greatwood

OGT: What are the dangers to the oil & gas sector from cyberattacks?

DG: Technological development in oil & gas comes at a price: vulnerability. When older industrial control systems become digitized and new IoT systems get networked, the centralized, network-isolation-based security systems currently in place can no longer handle the scope, nor the complex interconnectedness of the energy operation. Systems that were never designed to be widely connected can be remarkably easy to target and compromise. And of course, the risks of cyberattacks on the oil & gas space are massive - attacks are capable of  “shutting down entire countries,” producing seriously damaging explosions, or creating long-term environmental impact via oil spills or leaks.

Customers and partners in the energy sector share many cybersecurity concerns with us, ranging from:

  • State-directed attacks to gain control of oil and gas systems – disabling, or threatening to disable production upstream, mid-stream or downstream
  • Exploratory hacks to learn information about operations
  • Disgruntled employees using old passwords and threatening to vandalize systems or gain unauthorized access
  • Industrial espionage, in the form of hacks on the petabytes of field data stored by each individual oil and gas company, resulting in the theft or alteration of operational data, with potentially serious monetary and safety impacts
  • Blackmail/ransomware, as money-motivated criminal hackers demand payment after they have gained control of operational systems.
  • Transient device hacks, when well-intentioned staff bring malware-infected laptops and smartphones onsite inside the firewall, enabling the malware to install itself on industrial devices and control systems.

 

OGT: How prepared and aware is this sector of the challenges?

DG: As is, a mere 17% of oil and gas companies believe they would be able to immediately detect a hack on their digitized devices. The same survey indicated that 95% of companies believe that their current security solution isn’t meeting the needs of their company and industry.

In short, it seems that despite recognizing the challenges of a secure, digitized oil and gas system, companies across the industry are still looking for the most efficient, effective way to secure these diverse, distributed systems.

 

OGT: What does the sector need to do to ensure its security?

DG: Firstly, security for industrial control systems in oil and gas must be extended down to individual devices, control systems, people, applications and data streams––with managed security policies defined and automatically enforced on-site.

 

Secondly, the industry needs to move beyond network protection as the sole form of security, and implement application-level and device-level security that is as flexible and dynamic as the modern oil and gas operation. These solutions must also remains secure even if the network is compromised.

Thirdly, given the increasing adoption of IoT, the industry needs to adopt decentralized security enforcement which avoids single points of security failure, and grows stronger as deployments grow. This is possible with mutual-protection mechanisms that enable “strength in numbers.” Otherwise, the sheer number of IoT devices will ensure that there is always a vulnerable device somewhere that can act as a jumping-off point for an attacker.

Decentralized security is crucial to evolving industrial systems, especially multi-vendor and multi-application situations. Utilities, energy, and other global industries that employ a wide range of connected devices – including transient devices like tablets, phones, and laptops – must be able to securely communicate over large geographic areas, while simultaneously facilitating secure addition, removal, and control of resources. Distributed security underpins continuous edge-computing operations, even in the face of irregular connectivity, network disruption, and maintenance, and enables role-based access control to existing industrial systems.

Blockchain’s distributed ledger forms a particularly effective security-information store for the kind of distributed security enforcement system needed in oil and gas. This is due to its properties of:

  • Tamperproofing – to protect committed policies from unauthorized alteration
  • Consensus-based operation – which creates the strength-in-numbers effect of security increasing with scale
  • Natural decentralization and redundancy – enabling continuous operations no matter the connectivity conditions, and
  • Replication – which allows the secure pushing of policies and data site-to-site and between edge and cloud.

In other words, oil and gas operators need to seriously consider blockchain-protected security systems so that the cybersecurity system itself is properly protected and does not become a point of hacking vulnerability.

Oil and gas companies should control each and every interaction between every individual components or devices within their network––an approach we call many-to-many security. We need to authenticate interactions between devices, and connections between processes, and determine whether the interactions are permitted. Step one in securing an operation means ensuring that no situation can occur where a hack on one individual device can take down all connected devices. Every identity needs to be managed, and every interaction needs to be controlled.

 

OGT: How willing is the sector to accept change and new technologies?

DG: At this point, half of oil and gas companies have digitized operations across all stages of production. Companies are automating their pre-drilling site research, and behemoths like Shell are monitoring line data via remotely accessible technology. In short, the answer is very willing. Companies are seeing the benefits of digitization through the tangible impact of streamlined, accurate, real-time data collection and remote access limiting on-site maintenance. However, the impact of this digitization will fall short, unless we are able to adequately secure the new style of operating and ensure the benefits outweigh the risks.

 

OGT: Are there enough skilled workers to implement and manage a cybersecurity policy?

DG: In 2018, an EY report indicated that 43% of cyberattacks at oil and gas companies were caused by lack of awareness, and 78% of those surveyed believed that the most likely cause of a compromise was a careless staff member.

That said, cybersecurity policy needs to meet employees in the middle. If the security system is not user-friendly, accessible, and suited to fit the needs of an oil and gas company, it’s far more likely that employees will face challenges in implementing and using solutions.

In particular, solutions should automate the implementation of cybersecurity (no more checklists on clipboards, or passwords being shared in spreadsheets), and aim to improve convenience for users. For instance, when technicians can move from a hodge-podge of access techniques to a simplified world of single-sign-on, and an increased ability to work remotely rather than on-site, adoption accelerates and mistakes are eliminated.

 

OGT: What advice would you give to companies looking to improve cybersecurity?

DG: I would advise companies to find a solution that is specifically suited to serve the oil and gas industry. Cybersecurity platforms are certainly not one-size-fits-all. Oil and gas systems need a solution that matches the structure of their connected networks: distributed, decentralized, and constantly growing the number of devices, applications, data streams and their interconnectedness.

Distributing security enforcement, whether to the well-pad, the pipeline, or the refinery floor, is the only solution to securing an ecosystem that is distributed, any-to-any, edge-heavy and where continuous operation is required. Decentralization enables system operators to cover large areas, as well as hundreds of thousands of controllers, sensors, and meters, while facilitating secure addition, removal, and control of resources. In multi-vendor and multi-application IoT networks (as with oil and gas), decentralization allows smart devices, controllers, and applications to cooperate securely.

Blockchain’s distributed ledger is the ideal tool for implementation of a decentralized security system, as well as a way to ensure data integrity and a tamper-proof IIoT. The distributed ledger solves a major issue for industrial control systems that are evolving to incorporate the efficiency of next-generation operations: maintaining security while continuing to add smart devices in a network. A blockchain-protected solution is distributed by nature. The ledger’s consensus mechanism and internal structure creates a more secure IIoT as it scales ––a perfect fit for industries comprised of large and complex operational networks.

Companies should be employing solutions that fit their own structure, defining appropriate industrial security policies, and offering every employee the convenience of managed identities, role-based access control and operation-wide single sign-on.

 

About Xage: The Xage Security Fabric is the universal security solution for modern industrial operations, creating the essential trusted foundation for every interaction, whether human-to-machine, machine-to-machine, or edge-to-cloud. The fabric protects all equipment, from new IoT devices to vulnerable legacy systems, providing tamperproof, non-intrusive protection for industrial operations. Xage enables efficient operations and innovation across the energy industry and oil & gas.

 

 

 

Related topics: