Cybersecurity threats in the operational technology (OT) environment in the oil and gas industry continue to be a major concern in upstream industry operations such as exploration, development, drilling and production.
According to a 2017 report issued by the Ponemon Institute, the oil and gas industry’s challenges to cyber-readiness include risks related to variances in security practices across the supply chain, general cybersecurity preparedness, failure of full alignment between owners of the OT environment and information technology (IT) teams regarding cybersecurity controls and the threat posed by negligent and malicious criminal insiders.
Additionally, the incredibly large number of interconnected and digitized industrial control systems (ICS) provides a uniquely vast attack surface for bad actors intent on disrupting operations, irrespective of their motivations for such attacks.
By way of background, an ICS monitors and controls infrastructure equipment both locally and remotely, operating as a collection of interconnected devices that support both automated and human actions to monitor and control particular infrastructure. Oil and gas infrastructure has one or more centralized control stations that communicate with a multitude of remote stations, each with a Remote Terminal Unit (RTU) or programmable logic controller (PLC) that concentrates data from the remote station's devices. These remote stations can be connected to field devices, by hardwired links or by Ethernet, that are designed to collect, consolidate and analyze data. RTUs and PLCs can also be Internet Protocol (IP) addressable, allowing direct monitoring and control, which can create vulnerabilities leading to compromise, data manipulation or theft.
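As an added example (not from the article), the following Python check illustrates a defender's response to the last point: given a constructed inventory of IP-addressable RTUs and PLCs and an allowlist of control-station addresses, it flags flows that reach a controller from anywhere else or on an unexpected port. The asset names, addresses and the polling port are all assumptions.

```python
"""Flag traffic to IP-addressable RTUs/PLCs that does not come from an
authorised control station. Everything below is constructed for
illustration: the asset inventory, the allowlist and the flow records."""
import ipaddress
from dataclasses import dataclass

# Hypothetical inventory of remote-station controllers that are IP-addressable.
FIELD_CONTROLLERS = {
    ipaddress.ip_address("10.20.1.10"): "RTU-WELLPAD-7",
    ipaddress.ip_address("10.20.1.11"): "PLC-SEPARATOR-2",
}
# Hypothetical allowlist: only the central control-station subnet may reach
# the controllers, and only on the site's agreed polling port.
CONTROL_STATION_NET = ipaddress.ip_network("10.10.0.0/24")
ALLOWED_PORTS = {502}  # assumed polling port; take this from the site's own design

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def flag_unexpected_flows(flows):
    """Return (src, asset, dport, reason) for each flow that reaches a
    controller from outside the control-station subnet or on a port that
    is not part of the agreed polling traffic."""
    findings = []
    for f in flows:
        asset = FIELD_CONTROLLERS.get(ipaddress.ip_address(f.dst))
        if asset is None:
            continue  # destination is not a controller; out of scope here
        src = ipaddress.ip_address(f.src)
        if src not in CONTROL_STATION_NET:
            findings.append((f.src, asset, f.dport, "source outside control-station subnet"))
        elif f.dport not in ALLOWED_PORTS:
            findings.append((f.src, asset, f.dport, "unexpected destination port"))
    return findings

# Constructed flow records (src, dst, dport).
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "10.20.1.10", 502),   # control station polling an RTU: expected
    Flow("192.0.2.44", "10.20.1.11", 502),  # external host reaching a PLC: flagged
    Flow("10.10.0.5", "10.20.1.11", 23),    # control station on a non-polling port: flagged
    Flow("10.10.0.9", "10.30.5.1", 443),    # destination is not a controller: ignored
]

if __name__ == "__main__":
    for finding in flag_unexpected_flows(SAMPLE_FLOWS):
        print(finding)
```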
Moreover, oil drilling and production systems comprise numerous supply chains of technological and computing components, third-party service providers and vendor partners, each of which individually creates a potential vulnerability for exploitation and attack. Reliance on legacy and outdated OT, together with fractured and inconsistent ownership control resulting from cyclical patterns of sale and acquisition of wells and the supporting OT and ICS, has also increased the risks, because accountability, modernization, upgrades and standardization are not maintained.
Finally, the costs associated with upgrading and modernizing such systems could be staggering and could create delays, affecting production and possibly safety if the resulting upgrades and modernization efforts are not implemented successfully or in a timely manner.
Drilling operations and oil and gas production were once isolated in the relative security of a single lonely platform surrounded by miles of desolate ocean or desert. The internet of things (IoT) and its web of connectedness has introduced an entirely new set of cybersecurity, operational and safety risks.
Systems designed to connect multiple operations with access to operational data in real time, such as live views of drilling, access and connectivity to monitor well flow data and the sensors in place for such monitoring required to prevent blowouts, are at risk for compromise and subject to attack.
In 2017, engineers of the Anglo-Dutch oil major were using computers to perform what they call “virtual drilling,” based on their knowledge of Fox Creek, a shale bed in Alberta, using real-time data sent from a rig in Vaca Muerta to design the well and control the speed and pressure of the drilling.
Underscoring the risks and vulnerability of these interconnected systems is a 2016 report from FireEye that documents Advanced Persistent Threat (APT) groups in at least 16 companies, including companies in oil and gas exploration and production. These APT groups were assessed by FireEye to “take direction from a nation-state to steal information or conduct network attacks, tenaciously pursue their objectives and are capable of using a range of tools and tactics.” The report concludes that APT groups may “engage in destructive and disruptive actions against an adversary’s energy industry in the event of a conflict.” The report also highlights risks presented by hacktivists that may conduct distributed denial of service (DDoS) attacks, deface a company’s website or steal or expose information in an attempt to embarrass a company or gain attention for a cause.
More recently, in December 2017, Waterfall Security Solutions proposed a list of the top 20 potential cyber-attacks as a “useful standard set of attacks practitioners could use across a wide range of types of industrial sites.”
Among the top threats were disgruntled insiders with access to ICS or information technology equipment; common ransomware accidentally downloaded to an engineering workstation and spread to the rest of the ICS; and targeted ransomware attacks relying on spear-phishing to seed a remote access Trojan (RAT) on an IT network in order to deliberately spread ransomware.
Chillingly, the report highlights the potential for attackers to use known vulnerabilities in internet-facing systems to seed RATs that simulate random equipment failures, triggering manipulation of commodities markets.
In March 2018, the National Cybersecurity and Communications Integration Center (NCCIC) released a comprehensive alert outlining Russian government cyber activity targeting energy and other critical infrastructure sectors. The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) characterized the activity as a “multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear-phishing and gained remote access to energy sector networks.”
The report concludes that Russian government cyber actors, as part of their exploitation, “conducted network reconnaissance, moved laterally and collected information pertaining to ICS.”
In the face of such rapidly evolving and sophisticated threats to ICS and the industry’s OT environment, how should oil and gas industry executives respond? Consider these high-level recommendations as cyber risks continue to intensify and show no signs of abatement:
- Continuously engage and educate top management teams and directors at the board level to ensure understanding and to obtain support and buy-in for a rapid maturation of cybersecurity control frameworks, to the extent they are immature within the organization, to counteract increasing risks. Explain how a failure to address cybersecurity risks is tied to potential failures of secure and safe operations, imperiled profitability and resulting losses, business interruption and the unavailability of operational assets in the event of a cyber-attack.
- Conduct an assessment under the Cybersecurity Capability Maturity Model (C2M2) developed by the Office of Cybersecurity, Energy Security, and Emergency Response (CESER). CESER addresses emerging threats by improving energy infrastructure security and supporting the Department of Energy’s (DOE) national security mission. An assessment under the C2M2 can assist in the evaluation and improvement of the cybersecurity program irrespective of an organization’s maturity. The model can be used to strengthen and benchmark organizational capabilities, share knowledge and best practices internally and prioritize action and investment strategies to improve cybersecurity.
- Evaluate and assess the industrial supply chain for cybersecurity risks. Numerous technological and computing components, third-party service providers and vendor partners each create a potential vulnerability for exploitation and attack. Carefully review and assess the risk of dependencies that may exist in the supply chain, and evaluate the underlying contractual arrangements, liabilities and indemnities within such agreements. If necessary, amend or revise the agreements to better secure the organization against risks arising from reliance on participants in the supply chain.
- Engage law enforcement and representatives from national intelligence agencies to obtain information on threats and intelligence sharing. Foster these relationships, which can be invaluable in the future as threat vectors evolve and bad actors develop new tactics.