By Matthew Hoare
The recent technological boom in wireless communications, sensor applications and automated machinery is bringing untold benefits to the oil and gas industry; from enhancing remote monitoring capabilities and providing detailed analytics, to revolutionizing data storage and reducing operational costs. However, the connection of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems to the wider digital network has exposed critical pieces of infrastructure to cyber threats.
In addition to IT networks, cyberattacks now threaten operational technology (OT) used in rigs, refineries and storage facilities. As the traditional distinction between IT and OT becomes increasingly blurred, it is imperative that the sector works to ensure that its industrial assets are protected and its digital infrastructure is secured against the evolving threats.
Threats in a Digital Age
The extent to which cyberattacks can disrupt the energy sector was revealed in 2012 when the Shamoon virus breached the IT systems of Saudi Aramco and RasGas. The malware infected tens of thousands of computers and overwrote their master boot records, rendering them unusable.
The reappearance of Shamoon in 2016 and 2017 suggested that the affected organizations had not taken adequate measures to protect against existing threats. “If companies had followed security practices, such as protecting passwords, or not allowing remote access tools or VPNs insides the network, then they would have been less susceptible,” Ravi Patil, technical director at cybersecurity company Trend Micro, told Gulf News at the time. “It was human error.”
Unfortunately, recent research suggests that IT and OT systems in the MENA energy sector remain highly susceptible to cyber threats. Earlier this year, Siemens published the findings of their research into the sector’s readiness to combat cyber threats to OT, and found that three-quarters of surveyed companies reported a cyberattack that resulted either in the disruption of company OT or the loss of sensitive information. More than one in 10 (11%), meanwhile, said their OT had been subject to more than 10 attacks over the previous 12 months. On top of this, the survey reveals that companies fail to detect almost half (46%) of all cyberattacks, suggesting that these figures are in fact conservative.
These figures are backed up by data published by Russian cybersecurity firm Kaspersky Lab, which showed that ICS’s in the energy sector were the most frequently attacked around the world in the second half of 2017; the company recorded 178 attacks against the energy sector, comprising 38.7% of all attacks detected over the period.
These findings should be concerning considering the potential consequences of a cyberattack in the oil and gas sector, which range from financial and reputational damage to health, safety and environmental concerns.
Associated cyber risk varies between each upstream stage – from exploration to abandonment. The exploration process is less susceptible to outside cyberattacks than the development and production process. While seismic and geophysical studies integral to the exploration process involve the collection of large amounts of data, the risk level is minimal due to the use of closed data systems that are not connected to outside networks. In the event that these systems are compromised, there are no environmental or health risks involved, operations are not disrupted, and there are no direct financial consequences.
Risks are significantly higher for infrastructure used for well development and production; not only are these assets more vulnerable to attacks but the potential consequences are more severe. The large network of connected facilities, remotely-controlled or automated devices, and distributed control systems (DCS) means that malicious actors have many more points of attack. A successful attempt to gain access to a company’s ICS, disrupt wireless networks or cause the loss of key analytics, can severely disrupt business operations, damage assets, and result in financial losses. In addition, the high drilling activity increases the likelihood of an attack causing environmental damage, which in turn raises the risk of regulatory fines and reputational harm.
Furthermore, the long lifespan of facilities in the energy sector means that many rigs and refineries are dependent on older technology that was not originally designed with modern cyber threats in mind. Legacy technology is harder to monitor and has been sporadically retrofitted over the years, resulting in a varied collection of technologies over which it is difficult to apply a common OT security protocol.
With the advent of the so-called ‘Industrial Internet of Things’ (IIoT), IT and OT systems are becoming increasingly integrated. As more OT becomes connected to the wider computer networks, applying a single overarching cybersecurity protocol for the entire system may seem like a logical solution. Despite this, there remain fundamental differences between IT and OT networks. While IT systems are primarily concerned with supporting non-industry specific functions such as sales, finance and human resources, OT systems enable the control and monitoring of industrial technology, often via automated devices and remote control. As such, there is less human interaction with OT systems compared to IT.
Andrew Ginser, vice president for ICS at Canadian cyber security company Waterfall, told Egypt Oil & Gas that attempting to apply IT risk assessment guidelines to OT systems is a mistake and vice versa – despite the increasing integration of the two systems. “IT risk assessment and security programs are focused on ‘protecting the data’ while OT is focused on protecting safe and reliable physical operations by assuring correct and authorized control of the computers controlling that process,” he says. “These are two very different ways of looking at the world.”
Penetration testing refers to the periodic testing of IT and OT systems. Tests are designed to replicate a real-world cyberattack in order to locate weaknesses or vulnerabilities in company networks. However, according to a report by Ernst & Young many companies in the oil and gas sector are reticent about regularly testing their OT systems for fear of potential disruptions. “That fear is understandable but overstated,” Leo Simonovich, vice president of industrial cyber and digital security at Siemens Energy, tells us. “Well-defined and scoped penetration testing, executed by an experienced security vendor specializing in ICS cyber security, poses minimal risk to the control system.” For Ginser, any fears of disruption indicate weaknesses in the system. “If systems are too fragile for penetration testers, then they are much too fragile, period,” he says. To get around these fears, he recommends the use of test beds – a copy of the system subject to testing. This way, the company’s OT systems will not be affected if any weaknesses are found during the penetration test.
Siemens’s research found that almost half of all cyberattacks against MENA oil and gas companies go undetected. Failing to detect threats means that not only is the company unable to provide an immediate response to the threat, but also it may never acquire information about the attack itself. Ensuring the company improves its visibility into its network – especially into remote sites – is therefore essential.
Despite improving awareness of the importance of network monitoring, Simonovich voiced his concern that many MENA oil and gas companies simply do not have the ability to detect cyber threats by themselves. “What is of concern is that most energy companies do not have the capability to monitor their OT cybersecurity environment on their own”, he says. “If they do detect a potential intrusion, they do not have the plans or capabilities to responds effectively.”
Companies should ensure that they have an intrusion detection system in place that rejects any attempt to connect unknown USB devices or laptops to the network, and logs the activity with the company’s Security Operations Center (SOC). Regarding OT systems, Ginser tells us that companies can use Unidirectional Gateways and Unidirectional CloudConnect systems to extend their monitoring capabilities to OT systems.
While companies assume responsibility for ensuring their systems are protected against outside threats, resources exist at state-level to assist with serious cybersecurity breaches – especially when it involves critical sectors that affect national security.
According to the 2017 Global Cybersecurity Index, Egypt was ranked second in the region and 14th in the world in terms of its national capacity to deal with cyber threats. Central to the government’s cybersecurity strategy is the computer emergency response team (EG-CERT), which provides emergency assistance to public and private organizations operating across a variety of sectors. It also provides cybersecurity training and raises awareness about the importance of securing computer networks against attacks. EG-CERT is primarily concerned with threats targeting IT systems – such as distributed denial of service (DDoS) attacks, the spread of malware and viruses – instead of OT systems.
However, Dr Sherif Hashem, vice president of cyber security at Egypt’s National Telecom Regulatory Authority, told Egypt Oil & Gas that EG-CERT plans to set up a separate laboratory dedicated to ICS and SCADA in the future. “We have colleagues who went and engaged in training for ICS and SCADA security and we are waiting until we move to our new facility… I hope in the very near future but it depends on relocating the CERT,” he told us.
Should EG-CERT broaden its remit to ICS and SCADA, companies operating in the Egyptian oil and gas sector will have an additional resource to call upon should they encounter a serious security breach affecting OT.
Providing Adequate Training
One of the more interesting findings to come out of Siemens’s research is the perceived threat of company employees. Of the 176 respondents, 68% believe that untrained or careless employees constitute the biggest threat to company cyber security. While there is no data regarding the percentage of cyberattacks enabled by human error, it is clear that industry figures are concerned about the damage that can be caused from within.
While a certain level of human error can be counteracted by internal monitoring systems, it is important that companies provide all staff members with adequate training to ensure that company cybersecurity protocol is followed. Simonovich tells us that, in order to do this, companies must put into practice a holistic, top-down strategy for protecting their industrial and digital infrastructure. “Every company in the oil and gas industry must develop an industrial cybersecurity strategy, stand up a cyber-governance model, re-examine their security fundamentals and build smart infrastructure defences that include extensive cyber training,” he tells us.
Future-proofing Digital Networks
As ICS and SCADA become increasingly integrated into the digital architecture of MENA oil and gas sectors, companies are tasked with ensuring that their industrial technology is adequately protected against evolving cyber threats. As evidenced by recent research, it is clear that industry leaders have more to do in order to improve confidence in the sector’s ability to defend against attacks.
As Simonovich tells us: “By ensuring asset transparency and rapid detection, organizations can best manage OT cyber risk and unlock the broader benefit of digitalization in the oil and gas industry.”