The adoption of new technologies in oil and gas facilities is a dual-edged sword. On one side, there are the obvious benefits of implementing industrial internet of things (IIoT) devices to improve efficiencies and reduce operational costs.
On the other side, there are inherent risks associated with upgrading systems. Case in point: the Columbia Gas incident in metropolitan Boston last year, which produced a series of explosions in Andover, North Andover, and Lawrence, and resulted in more than 70 fires, one death, dozens of injuries, and the destruction or damage of more than 100 structures. Approximately 9,000 customers were left without power.
The New York Times reported that a system upgrade caused gauges that monitored pressure levels to be taken offline, and that unchecked over-pressurization triggered the blasts.
While human error was probably the cause of the Columbia Gas incidents, it could just as easily have been the work of terrorists.
Oil and gas executives are now acutely aware that once-isolated OT networks charged with refining, mixing and distributing petroleum are increasingly connected to the “outside world” via the Industrial Internet of Things (IIoT).
In addition, modernization inevitably involves some degree of digital transformation, which exposes facilities to more security threats than ever before.
Attacks such as BlackEnergy, Industroyer, VPNFilter, and WannaCry are just a few of the recent malware campaigns that have affected critical infrastructure. In some cases the actors were rogue factions, including nation states, that hacked into industrial networks and caused havoc.
However, the threat from within is also omnipresent and highly significant, as insiders have ‘the keys to the kingdom’ — or at least know how to find them. Some studies show that insider threats account for more than 50 percent of all industrial cyber security incidents.
The IIoT Threat
The Internet of Things (IoT) and the IIoT hold tremendous promise for improving oil and gas operations. Increasingly, companies are investing in the cost-saving and the productivity-enhancing benefits of networked smart devices that can communicate and coordinate with one another via the Internet.
The downside of IIoT is that few vendors and customers have fully considered the security risks associated with the technology. The introduction of new access points into a company’s network, plus the current lack of security standards for IoT devices, can create holes for punching through perimeter defenses.
However, the planned or (worst-case scenario) unplanned introduction of IIoT devices into an enterprise network creates opportunities for a host of external and internal threat actors, including:
- Terrorists acting alone, independent of any organization or group, or incited by an organization or group.
- State-sponsored adversaries acting on behalf of a government, whose activities can span computer-based as well as physical attacks.
- External cyber attacks carried out by hacktivists to promote a political agenda or a social cause.
- Internal attacks by malicious insiders, such as a disgruntled employee or a third-party contractor who is paid to exfiltrate information and/or cause damage to the organization.
- Unintentional mistakes due to human error that cause damage and/or downtime because of incorrect changes to industrial processes or equipment.
Yet another variation, account compromise, resembles an insider attack since it occurs when an external attacker hijacks an authorized user’s account (employee, vendor, integrator, etc.). These are typically achieved using social engineering techniques such as phishing emails and a “call from the IT department” requesting the user’s ID and password.
Top Security Risks
1. Default Passwords
Most IIoT devices are pre-configured with a default password, which is clearly a time-saver for IT staff. However, this benefit is also a major security flaw. When hundreds of thousands of devices share the same default password, attackers can easily compromise organizations that have neglected or intentionally decided not to change it.
2. Missing Patches
This is another huge problem area for organizations, because many IIoT devices cannot be patched or vendors do not issue patches for known vulnerabilities.
3. Too Many Devices to Manage
In many organizations, the list of IIoT devices is endless and extends beyond traditional operational technology (OT) to alarm systems, cameras, thermostats, vending machines, etc. Even the most apparently harmless device can pose a threat. For example, an IoT coffee-maker should never be connected to an IT or OT network, as the machine has no security features.
Regardless of the IIoT device type, all of them can be used by attackers as a stepping stone to compromise IT and OT networks. For example, many IIoT devices expose ports to the Internet that can be used to bypass the firewall. Once inside the network, a hacker can do extensive damage to IT and OT infrastructures and move laterally between them. Think data breaches, viruses, ransomware, sabotage, and data exfiltration.
Protecting refining, petrochemical, and distribution networks from insider and outsider threats involves the following key best practices:
Identifying and mapping all devices in the OT environment and keeping an up-to-date inventory of them — even those that aren’t actively communicating over the network — is a vital first step. Some software can collect granular information on each device, including firmware versions, PLC backplane configurations, and serial numbers.
Risk and Vulnerability Assessment
As there are so many potential attack vectors to defend, it’s best to focus on the greatest sources of risks and vulnerabilities. This involves automating the process by which new vulnerabilities are identified and processed. A vulnerability management system can generate periodic reports of risk levels for each asset in the industrial control system (ICS) network. When new vulnerabilities are discovered or disclosed, a mechanism should be in place to identify affected devices, remediate threats and verify a fix has been successfully applied.
Device and Configuration Management
Monitoring and managing changes in the ICS environment to ensure that device and system configurations are secure and well documented is essential. This requires maintaining a continuously updated list of the version numbers of all installed software and firmware, and comparing it regularly against a list of known vulnerabilities.
Meanwhile, regular scanning of OT networks can detect unknown devices and unintended changes made to them.
The best solutions issue notifications whenever a new vulnerability appears. They also combine network monitoring with device queries to provide in-depth vulnerability assessments. For example, they report current device firmware versions and the CVEs associated with them, list open ports, and calculate accurate, up-to-date risk scores.
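The inventory, scanning and version-comparison workflow described in the last few sections, as an added example that is not part of the original article: a baseline inventory is reconciled against a fresh network scan to flag unknown devices and firmware drift, and each device's firmware is compared against a list of advisories. Every device, firmware version and advisory ID below is a constructed placeholder, not a real product or CVE.

```python
# Added example, not from the article; all devices, versions and advisory IDs are constructed placeholders.
from collections import namedtuple

Device = namedtuple("Device", "device_id vendor model firmware")

def parse_version(v):
    """'2.10.3' -> (2, 10, 3), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))

# Constructed baseline inventory (the last authorised state of each device).
INVENTORY = {
    "plc-01": Device("plc-01", "VendorA", "PLC-100", "2.4.1"),
    "rtu-07": Device("rtu-07", "VendorB", "RTU-X", "1.9.0"),
    "cam-03": Device("cam-03", "VendorC", "IPCam", "5.0.2"),
}
# Constructed scan result: rtu-07's firmware no longer matches the baseline
# and a device that was never inventoried has appeared on the network.
SCAN = {
    "plc-01": Device("plc-01", "VendorA", "PLC-100", "2.4.1"),
    "rtu-07": Device("rtu-07", "VendorB", "RTU-X", "1.8.2"),
    "cam-03": Device("cam-03", "VendorC", "IPCam", "5.0.2"),
    "unknown-a1b2": Device("unknown-a1b2", "VendorD", "CoffeeMaker", "1.0"),
}
# Constructed advisories: (placeholder ID, vendor, model, first fixed firmware).
ADVISORIES = [
    ("ADV-PLACEHOLDER-1", "VendorA", "PLC-100", "2.5.0"),
    ("ADV-PLACEHOLDER-2", "VendorB", "RTU-X", "1.9.0"),
]

def unknown_devices(inventory, scan):
    """Device IDs seen on the network but absent from the baseline inventory."""
    return sorted(set(scan) - set(inventory))

def config_drift(inventory, scan):
    """Known devices whose firmware changed since the baseline: (id, was, now)."""
    return [(d, inventory[d].firmware, scan[d].firmware)
            for d in inventory if d in scan and inventory[d].firmware != scan[d].firmware]

def affected_devices(scan, advisories):
    """Advisory ID -> devices whose firmware is older than the first fixed version."""
    hits = {}
    for adv_id, vendor, model, fixed in advisories:
        for dev in scan.values():
            if (dev.vendor, dev.model) == (vendor, model) and \
                    parse_version(dev.firmware) < parse_version(fixed):
                hits.setdefault(adv_id, []).append(dev.device_id)
    return hits
```

Running the three checks after every scan gives the "unknown device", "unintended change" and "affected by new advisory" notifications the text describes; the version tuple comparison is what stops "1.10.0" from being treated as older than "1.9.0".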
Security policies should also be enforced to control which devices can perform certain (privileged) actions such as a code or firmware download to industrial controllers. In addition, policies should mandate that certain devices do not access the internet.
Unifying IT and OT Security
With increasing pressure to increase production and minimize extraction and refining costs, modernizing sites and systems is inevitable. Meanwhile, extending the life of mature sites has become a requirement to maintain supply levels, since developing new sources, along with new extraction, transportation, and refining infrastructure, is a more costly and complex alternative.
As a result, monitoring control systems and processes for unintended changes, whether they are the result of malicious attacks or human error, is central to preventing shutdowns. This is an important beneficial byproduct of implementing an OT security program.
In addition to these market pressures, the oil and gas sector must also comply with stringent environmental regulations and standards that cover production, extraction, and distribution processes. Here again, active monitoring of OT networks, devices and activity can help detect and prevent problems before they lead to environmental incidents.
One way to combat the broader attack surface created by modernization initiatives, and to mitigate the threat that cyber incidents and human error pose to production and environmental control systems, is to converge IT and OT security groups. While challenging, such collaboration can mitigate the risks and vulnerabilities that span these two infrastructures, while also facilitating the implementation of security best practices.