February 2024SPECIAL FOCUS—Bramson (ABS Group)

HP0223--SF--Digital TechnologiesSix reasons oil and gas organizations must implement an industrial cybersecurity programI. Bramson, ABS Group, Denver, ColoradoOil and gas companies must focus on building robust industrial cybersecurity programs to prevent and respond to the next attack. Over the last year, a surge of unprecedented attacks has brought industrial cybersecurity to the top of the minds of global industrial organizations. This is particularly true in critical infrastructure sectors such as oil and gas.Previously, cybercriminals concentrated on infiltrating the information technology (IT) networks that run business systems. However, they are now looking to disrupt the operational technology (OT) networks that control industrial operations. Threat actors have moved beyond stealing valuable data to gaining control over entire market ecosystems.The Colonial Pipeline incident demonstrated how hackers can wreak havoc when organizations assume IT threats will not impact OT. This ransomware attack resulted from a password breach, which snowballed until OT operations were completely shut down. The consequence was a gasoline shortage along the U.S. East Coast, pushing gas prices to their highest level in 6 yr.These dangerous breaches and correlated ramifications are just the beginning. In December 2021, a detrimental cyber risk was identified in a widely used software (Java Log4j). Rated a 10 out of 10 on the vulnerability scale by the Cybersecurity and Infrastructure Security Agency (CISA), this threat has been labeled as one of the worst in history, with experts stating that organizations’ IT and OT networks worldwide are at risk until further notice.This breach and the Colonial Pipeline shutdown were a wake-up call for organizations and cybercriminals. Their impacts on the nation’s supply chain and economy have confirmed that the oil and gas industry is a vulnerable and valuable target. Organizations must act now and prioritize the implementation of an industrial cybersecurity program to protect their operations, the environment and the community.What makes oil and gas companies vulnerable to attacks? There are several reasons oil and gas organizations are vulnerable to attacks, with the most critical being:

Lack of cybersecurity controls: The oil and gas industry does not have standard OT cybersecurity strategies and regulations, which has led to disparate and often inadequate security practices. Control systems run nonstop daily, leaving limited downtime for upgrades and updates, resulting in unpatched and inherently vulnerable OT systems. Complicating matters even further is the fact that OT support in the oil and gas sector is inconsistent. Frequently, OT support relies on either IT teams who lack experience in OT networks or operations teams who are at a disadvantage because they do not understand cybersecurity principles. Contrary to what many organizational leaders believe, IT solutions cannot simply be applied to OT systems because they do not translate. OT systems need specialized cybersecurity solutions and dedicated staff with OT expertise.

Remote capabilities are open to attacks: Today, many oil and gas organizations have dispersed assets and rely heavily on remote management monitoring. While this connectivity offers many competitive advantages, it also creates vulnerabilities. Increased remote control over operations means more connection points for threat actors to break down organizational defenses and take control.

Growing operations are driving the expansion of attack surfaces: As oil and gas organizations expand their operations, the number of ways cyber threats can penetrate systems (attack surfaces) is growing. Attackers are now trained to look for the cracks in these attack surfaces and exploit them.

Modern technologies pose new cyber risks: Digitalization, data analytics and automation are all competitive advantages; however, they pose new cyber risks. Many industrial environments are comprised of legacy systems that can be anywhere from 10 yr–30 yr old. Given their age, these systems were built for longevity and were not initially designed to be connected to wide area networks or other modern technologies. These factors make them inherently vulnerable to attacks. Combining digitalization and an expanded attack surface creates additional challenges in managing cyber risk. When organizations centralize control and increase automation, analytics and data to gain a competitive advantage, the financial aspects often take priority, leaving OT cybersecurity tacked on as an afterthought. While high dependency on digitalization will only increase as it creates efficiencies, it also increases risk.

Attackers want more than data—they want physical control: Cyber attackers no longer only want to steal and manipulate data; they want direct control over the operations in physical environments where they can have the most impact. Attacks can now damage critical infrastructure, grind operations to a halt and ultimately threaten national security by crippling essential industries like oil and gas. Something as simple as a password breach can disrupt the economy nationally and cause a ripple effect in adjacent industries.

Attackers are forming businesses: Although many distinct types of cyber attackers with different motivations exist, they have started to form businesses around hacking. Their common thread is targeting industrial sectors like oil and gas, where they can have the biggest impact, disrupt business operations and make the most money.

Components of a sound OT cyber program. Many organizations are unsure where to begin when building an OT cybersecurity program. The answer is to start at the beginning. OT environments are best protected when OT systems and networks are identified, so any update, upgrade or renovation must have cybersecurity protocols built in from day one. All is not lost for organizations that need to update security protocols within their existing facilities; they must simply do more legwork. That means hiring an experienced team specialized in OT security who can:

Create a comprehensive asset inventory: Shockingly, few organizations have visibility into the composition of their OT network—you cannot protect what you cannot see. Auditing the network to identify every device (connected or not) is the best way to build a cybersecurity plan that accounts for every possible attack point.

Map the assets: Knowing what assets are present is only the first step. Facility operators should also understand how each asset interacts with the rest of the network. Even assets updated via supplier universal serial bus (USB) drives or vendor maintenance should be noted, as those connection points can still pose risks.

Evaluate vendors and suppliers: Your OT environment could be the most secure and tightly controlled in the world, but one unprotected supplier can open you up to potential threats.¹

Implement monitoring processes: Once a company has visibility into these areas, it can track changes and monitor for abnormalities.² Identifying OT attacks as the work of bad actors can be difficult as they often appear as malfunctions. With this in mind, tracking all activity is crucial to identifying and addressing breaches before hackers use their access to wreak havoc.

Develop a response plan: Despite the risks, many operators believe that a breach will not happen to them—and they do not know how best to respond when it eventually does. All OT environments should have pre-developed response plans that account for attacks that harm employees, are executed for ransom or result in downtime.³

Make OT cybersecurity a priority. Organizations must be proactive regarding securing their OT systems and understand that it is not enough to patch the vulnerability that led to the last high-profile attack. Since attackers are highly adaptable and constantly evolving, oil and gas companies must focus on building robust industrial cybersecurity programs to prevent and respond to the next attack. It is vital to prepare for when, not if, an attack occurs.The most successful organizations will work to develop a framework to identify potential weaknesses, protect against attacks, detect attacks when they occur, respond quickly and recover effectively. A proactive approach will make an organization resilient to future attempts and give peace of mind in a quickly changing environment. HPLITERATURE CITED

ABS Group, “Supply chain cyber risk management,” online: https://www.abs-group.com/Solutions/Cybersecurity/Supply-Chain-Cyber-Risk-Management/

ABS Group, “Industrial security operations center (ISOC),” online: https://www.abs-group.com/Solutions/Cybersecurity/Industrial-Security-Operations-Center-ISOC/

ABS Group, “The next level of cyber threat detection,” January 2022, online: https://www.abs-group.com/Knowledge-Center/Webinars/The-Next-Level-of-Cyber-Threat-Detection/

First Author Rule LineAuthor-pic-BramsonIAN BRAMSON is the Global Head of Industrial Cybersecurity at ABS Group and a recognized leader in the emerging threat landscape of attacks on industrial operations and critical infrastructure. With more than 20 yr of experience in cybersecurity and technology, Bramson works directly with executives in the energy, industrial and maritime sectors to help minimize their cybersecurity risks.CoverAd—Shell revampContentsAd—Honeywell UOPMastheadAd—MerichemEditorial CommentAd—AFPM Annual MeetingGlobal Project DataAd—HPI Market Data 2024Viewpoint—Tanoguchi (Yokogawa Electric Corp.)Special Focus OpeningSPECIAL FOCUS—Gardner (KBC)SPECIAL FOCUS—McEleney (Emerson)Ad—PEMN CCS StrategySPECIAL FOCUS—McBul (OQ Specialty Chemicals)SPECIAL FOCUS—Burton (AMETEK Process Instruments)Ad—MEPECSPECIAL FOCUS—Bramson (ABS Group)Petrochemical Technologies—Delhomme (Linde Engineering)Maintenance and Reliability—AnwerTurnaround/Project Mgmt—BenomarAd—AFPM IPCEnvironment and Safety—Rodrigues (Saudi Aramco)Environment and Safety—Manelick (aeSolutions)Environment and Safety—Bowling (Seeq Corporation)Ad—PE Outlook 2024Carbon Capture—Carugo (Emerson)Ad—H2T CircTanks, Terminals and Storage—Advani (L&T Energy Hydrocarbon)Tanks, Terminals and Storage—Safamirzaei (Pasargad Energy Development Co.)Sales OfficeAd—HP Circ (Back Cover)