By Roman Arutyunov, Xage Security
As the next wave of economic growth and development steadily emerges, more and more industries are transforming their operations into cyber-physical ecosystems – replete with emerging technologies such as IoT, edge computing, artificial intelligence (AI), robotics, data-driven automation and analytics.
For oil and gas, the internet of things (IoT) promises increased production output, enhanced efficiency, remote maintenance, and faster time-to-market. As a result, operators are increasingly moving to embrace digital oil fields and ‘smart’ pipelines.
However, while digitization has rapidly increased within the industry, development of comprehensive security systems to protect these newly-connected, software-driven operations has lagged behind.
Existing security systems within the oil and gas industry are often centralized and network-based. This means they don't offer fine-grained control of operations in the field, and they create significant network management issues.
With thousands of IoT devices and connected SCADA systems now in play, many oil and gas companies are operating on a highly vulnerable network of connected machines, people, and applications. With this exposed network comes a heightened potential for attack.
In many companies, for example, the majority of remote terminal units (RTUs) are not password protected or utilize default or hard-coded credentials, allowing an attacker to enter through a single compromised unit and quickly spread throughout the entire network, wreaking havoc on production.
Connected control systems that manage oil wells are also prime targets for attack. With existing systems, there is a direct line of communication between the well and the tank, such that when the tank is full of oil, the well will stop pumping. With newly digitized, fully-networked control systems and lower barriers to entry, however, the attack surface has increased significantly. This means a manipulated control system can quickly result in a production halt – or worse.
These types of attacks aren’t just a future threat; they’re already happening across the industry. Because operators tend to keep details of these attacks private, the publicly reported instances below are assuredly only a small sample of the attacks that have occurred in recent years:
2012: A pipeline company lost its databases via a contractor's SCADA-management network.
2013: A cyberattack was linked to a pipeline oil spill in a residential neighborhood.
2013 (and ongoing): Nation-state-sponsored cyberattacks against Aramco, RasGas and others damaged tens of thousands of systems.
2016: A series of fires was linked to petrochemical plants attacked by malware.
2018: Schneider Triconex’s control system was taken down across multiple industries by Triton.
The question is, why are these attacks – on such critical resource networks – still happening today? The reality is that industrial systems have different security needs than corporate enterprises, and as such need different security approaches from the existing IT security models.
The scale of machine-to-machine cooperation necessary for truly optimized production in oil and gas cannot exist without comprehensive protection. To solve the current security challenges facing the industry and take advantage of the capabilities promised by Industrial IoT (IIoT), a new vision for security must be embraced.
Blockchain technology, primarily known for its use in financial systems and cryptocurrency exchanges, is a decentralized and tamper-proof ledger of digital data, and it maps perfectly to the security challenges posed by the distributed nature of operations in oil and gas. By sharing identities and access control policies across the ledger, blockchain enforces continual cooperation across all devices and applications.
This means that when a rogue device or malware tries to enter and attack an industrial control network, the existing devices can establish a consensus to identify and isolate the bad device or application. This makes the system self-healing, without human intervention – eliminating the risk of a system-wide attack.
Critically for the oil and gas industry, this ensures production can never be interrupted by compromised access to HMIs, SCADA systems, and remote assets. P&GJ
Roman Arutyunov is the co-founder and vice president of products at Xage. Prior to Xage, Roman spent 15 years in vice president of Product and Engineering roles at ABB, Tropos Networks, and Mimosa Networks solving networking, security, and data analytics challenges. He holds a bachelor’s degree in applied mathematics with an emphasis in computer science from the University of California, Berkeley and an MBA from Columbia University.