Cybersecurity Threats for the Oil and Gas Sector
Mitigate the Risk of Cyberattack With the Right Preventative Measures
Cyberattackers strike where there is opportunity. When operational technology is breached, cyberattacks have the potential to cripple energy infrastructure and cause tragic outcomes. These attacks occur without regard to whether the target is a pipeline transporting oil or gas, a windmill facility contributing to the power grid, or a water treatment facility purifying a community’s water.
A July 2020 alert from the U.S. National Security Agency and the Cybersecurity and Infrastructure Security Agency warns that cybercriminals could be targeting critical infrastructure across our nation. Such attacks wouldn’t be the first.
As recently as February 2020, a U.S. pipeline company was attacked, and operators lost human-machine interface capabilities. As a result, a gas compression facility station and its affected upstream and downstream facilities were forced to shut down for two days. In 2017, the well-known Triton/Trisus virus attacked the control and safety systems at a petrochemical facility in the Middle East bringing operations to a halt multiple times over the course of several months. Triton/Trisus attacks on systems continue to be seen today. The cyberattack known as Stuxnet was used to sabotage and damage equipment at an Iranian nuclear facility in 2010. These are just a few of the reported events.
Factors Affecting an Increase in Cyber Threats
Cyber attackers are opportunistic and take advantage of whatever openings are made available to them. Modern control systems, which require increased data availability to make gains in operational efficiency and situational awareness, increase the attack surface and present attackers with vulnerabilities to potentially exploit. Another possible entry point is the large number of mobile phones, tablets and other devices with access to operational systems. The Internet-of-Things, Advanced Metering Infrastructure and other advanced technologies present further opportunities.
According to IBM, 27% of successful attacks are due to human error. Important tactics to reduce successful breaches include effective training, clear and well-established best practices and policies, and an emphasis on employee responsibility. Owner/operators should establish cybersecurity roles, similar to safety, and have these individuals develop and educate employees on cybersecurity policies and procedures. Policies should guide the human elements of interfacing with the control system including system usage, maintenance and updates, and address personal devices. Contractors or employees may also have a misconfigured device that isn’t detected, which leaves the system vulnerable.
Prioritizing Systems Protection
Unlike cyberattacks on commercial interests which focus on consumers’ data, attacks on the oil and gas sector target operations and critical safety systems — the last line of defense to keep facilities and staff safe. Many safety systems, like emergency shutdown systems, are automated to protect against human error. But as revealed in the Triton attack, automated systems also offer exposure for oil and gas companies.
Because operational technology equipment is designed for availability rather than security, defense against cyberattacks must be designed into the system and maintained with firmware updates and component replacement. Many owner/operators fall into the trap of setting up control systems and forgetting about them, which introduces vulnerability and ultimately risk of attack. It’s also best practice to keep information technology and operational technology networks separate, so access to the whole system is not available when one area is infiltrated. It’s important for oil and gas owner/operators to follow current cybersecurity best practices and avoid becoming complacent with control systems.
Heeding NSA and CISA Warnings
The oil and gas sector should increase cybersecurity and protect the public as well as owner/operator interests. Suggested best practices include:
- Compartmentalize and segment control system network architecture. This lessens access and keeps business systems on a different network than critical infrastructure. Consider additional segmentation to protect critical assets and prevent hackers from accessing the whole system if they find a way into one area.
- Consistently evaluate and enhance policies, procedures, training and access controls. Constant vigilance protects against internal sabotage and employee error.
- Analyze systems and their impacts. To consider cost and value, owner/operators should decide whether they want to transfer, mitigate or accept the risk of cyber threats. What do they want to invest in and how much do they want to invest? It is not possible to build a perfect technology system, but companies must keep adapting and making systems more complex to stay ahead.
- Consider controls and cybersecurity in tandem. Protection is best achieved when implemented throughout the entire technology system design process.
- Treat controls systems as an asset. Control systems are just as important to an owner/operator’s business as pumps, pipelines and processing equipment, and require frequent preventive maintenance and replacement strategies.
- Take part in the Oil and Natural Gas Information Sharing and Analysis Center. This industry group (and others) privately shares intelligence regarding cyber threats with other oil and gas companies.
- Stay aware of alerts from the National Cyber Awareness System. A division of the U.S. Department of Homeland Security, this website actively publishes known vulnerabilities. Owner/operators should take action to address vulnerabilities before cybercriminals take advantage of them.
- Follow standards like ISA 62443 and NIST 800-82. This is a generally accepted practice for network design and security, and the Cybersecurity Framework supported by the American Petroleum Institute.
Accountability for Cybersecurity Best Practices
Cybersecurity is a growing concern. To force accountability, there are impending consequences for unsecured critical infrastructure control systems. Nearly every state has multiple cyber laws in process. With state and federal mandates on cybersecurity training and disaster preparedness on the horizon, insurance companies may soon stop paying claims to companies that do not follow best practices. Standards are coming and bringing accountability to make all companies protect consumers, themselves and, in some cases, the public.