Oil and gas plants have increased their cyber risk profile as they modernise and close the “air gap” between IT networks and operational technology (OT) networks.

This is according to Phil Neray, vice-president of industrial cybersecurity at global security specialist CyberX, who notes that many oil and gas facilities are still using equipment that is 15 to 20 years old and was designed before industrial cyber security was a primary consideration.

In addition, many oil and gas facilities still run their IT and OT networks in siloes, with plant engineers – not cyber security experts – responsible for cyber security in the plants.

However, attacks such as last year’s high-profile Triton attack on a petrochemical facility in Saudi Arabia, where hackers compromised the plant’s safety devices, highlight the cyber risks facing oil and gas infrastructures today.

CyberX’s recent 2019 Global ICS & IIoT Risk Report, which assessed vulnerabilities across over 850 industrial control networks around the world, found several common vulnerabilities: 53% of industrial sites used outdated Windows systems; 57% were not running anti-virus that updated signatures automatically; and 69% had passwords traversing the network in plain text. The report also found that the “air gap” is a myth, as 40% of industrial sites had at least one direct connection to the internet. In addition, 84% had at least one remotely accessible device and 16% of sites had at least one wireless access point.

“There are no compliance regulations obliging oil and gas facilities to report breaches, but we can assume there have been many more breaches than the Triton attack,” says Neray. “There could be various motivations for attacks on such infrastructure – nation state attacks carried out for political considerations; ransomware attacks; hacktivists objecting to policies or drilling activities; or even attacks designed to steal intellectual property.”

With oil and gas installations a significant and potentially lucrative target, attackers are likely to increasingly turn their attention to these facilities, particularly as plants modernise their infrastructures with new, connected IoT and automation systems.

While basic cyber security approaches such as patching, encryption and up-to-date AV are necessary in the OT environment, standard out-of-the-box IT network security devices are not effective in industrial facilities, says Neray.

“Industrial cyber security requires specialised solutions, since OT systems use unique protocols and non-standard operating systems. Industrial cyber security systems also need embedded machine learning and behavioural analytics to understand routine M2M traffic patterns and detect suspicious activity.”

Neray says oil and gas organisations are taking the increased cyber risk seriously, and are now moving to address vulnerabilities, but that more urgency is needed.

“Cyber risk at OT level is a business risk. A danger for management teams is that some tend to think of cyber crime as a technical issue rather than as a business risk issue. But cyber crime has the potential to cause millions of dollars in losses, environmental damage, human safety risk, as well as downtime, brand impact, compliance issues and loss of intellectual property.”

To effectively mitigate risk, CyberX and its Southern African implementation partners GECI recommend breaking down siloes between IT and OT and managing all cyber security under a single cyber security and risk team.