Cyber Vulnerabilities of Energy Companies’ Control Systems Can Be Addressed Safely and Successfully

 

By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

and

Michael Porier, Managing Director
Technology Consulting – Security and Privacy

 

The realization is growing across the oil and gas industry that the major cybersecurity threats to upstream, midstream and downstream data and operations are often aimed at operational technology (OT) systems and equipment – usually older, legacy models – rather than at the information technology (IT) side. Those operational technologies typically include industrial control systems (ICS), supervisory control and data acquisition (SCADA) devices and other related technologies implemented at operational facilities, such as plants, pipelines, terminals and rigs.

A recent survey of more than 300 oil and gas companies found:

  • More than 60 percent of companies have suffered a security compromise in the past year, which exposed confidential information and disrupted OT systems and operations
  • Two-thirds of companies believe risks to OT systems have increased substantially in recent years, and 59 percent believe they face greater risks in OT than in IT
  • Only one-third of companies report that OT and IT are fully aligned in their organizations
  • Just 35 percent rate their readiness to address cyber threats as high
  • Close to half of all attacks on OT are going undetected

These survey findings appear shocking – but they are also consistent with Protiviti’s experience in performing cybersecurity assessments for energy and utility clients, particularly evaluating their OT systems. We often find unprotected field terminals with inadequate physical security of connection points, live ports that lack deterrents, and an absence of intrusion detection capabilities. We also commonly see flat networks that are not segmented to appropriately segregate the OT systems from the corporate network environment, making it easier for potential hackers to exploit vulnerabilities across the organization.

Obviously, OT systems with any of these shortcomings present significant cybersecurity risks for the energy and utilities industry. The threat is multiplied by the fact that energy and utilities organizations are deemed critical infrastructure, whose exploitation can have devastating effects on broad geographic regions, affecting multitudes of people.

More and more ICS/SCADA technologies can connect (via IP) to the broader corporate network infrastructure. While this provides certain efficiencies, it can also expose oil and gas systems to unprecedented risks that occur when previously isolated OT systems are linked to sophisticated IT networks so data can be shared, managed and analyzed.

Despite this newfound connectivity, the industry has remained stubbornly reluctant to challenge legacy OT systems from a vulnerability perspective, for fear of creating interruptions or process errors. This reluctance often leads to a failure to adequately test or update systems to optimize security and minimize cybersecurity risks.

The concerns are legitimate, but only up to a point. In our experience, there isn’t sufficient justification to hold OT systems “off limits” for cybersecurity evaluation and upgrades, given the high potential for targeting by sophisticated opponents and the alarming numbers cited in the survey. To this end, assessments should still be performed, but they must incorporate a series of precautions designed to assure both operational continuity and a complete threat risk review. These precautions include:

  • Well-defined rules of engagement, including identification of the types of reports and system information to be compiled prior to conducting a vulnerability scan
  • Performing security evaluations in a test, rather than production, environment
  • Collaboration with both engineering and IT security personnel to define the scope of the review engagement
  • Reasonable limitations on initial tests so sensitive systems can be excluded if needed to allow for the development of workarounds
  • Establishment of clear lines of communications so any network or system irregularities are reported and evaluated during testing

Working within these parameters, testing of the ICS/SCADA security control environment should achieve the following end goals:

  • Evaluate the key security risks prevalent in the ICS/SCADA network architecture
  • Identify the network vulnerabilities and test the connectivity to the enterprise network
  • Assist with the development of a vulnerability management program specific to the ICS/SCADA infrastructure

Ideally, what energy and utilities companies want is to ensure they have an ICS/SCADA environment that can function in a secure and effective manner, and that they can be highly efficient in detecting and responding to breaches and attacks. This requires technical expertise, collaboration between departments, appropriate planning, and leveraging vulnerability assessments to periodically test security. Testing these systems requires more work, but it is not impossible, and it should not be considered “out of the question.” In fact, testing is an essential practice for preserving the integrity of any critical system.

Will Hiring Hackers Help Energy’s Cybersecurity Efforts?

 

By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

and Cal Slemp, Managing Director
IT Security and Privacy Practice Leader

 

The chief cybersecurity engineer for a major industrial process company advocated not long ago that oil and gas companies hire hackers to improve their cybersecurity defenses. At an annual European-Middle East-Africa user group conference in The Hague last October, Eric Knapp urged attendees to drop their negative perceptions and put hackers to work on their teams.

Knapp’s advice followed a presentation of survey findings stating that 82 percent of oil and gas industry respondents have experienced an increase in successful cyberattacks over the past 12 months. Executives of European petrochemical companies SARAS and SABIC estimated that cyberattacks cost businesses up to $400 billion per year.

Several weeks earlier, the World Energy Council (WEC) issued a report that, among other conclusions, found that the demand for cyber specialists is growing twice as fast as for all other IT jobs. The WEC cited research linking recent high-profile security breaches to a shortage of almost one million skilled cybersecurity professionals.

Our perspective:

The idea of leveraging “hackers” needs to be put into context. Many organizations have resources (internally or through consulting firms) who mimic the activity that various types of real hackers execute to illegally break into a company’s IT infrastructure. These “white hat” penetration testers are excellent at testing infrastructures, applications, networks and databases. The use of trained personnel who act as hackers but have written agreements and rules of engagement can make a lot of sense for an organization and is worth considering.

However, cybersecurity, much like other strategic initiatives, cannot be addressed with technology resources or tools alone. It requires a joint effort among departments and employees of all levels. In the same way that police cannot solve all crimes by themselves (despite being the “experts”), cybersecurity professionals need the knowledge and assistance of everyone in the organization. Employees who have been educated on matters of cybersecurity become empowered and thus an extension of the security program.

Finding the similarities between cyber risks and existing risks (e.g., safety) can help translate this subject to nontechnical resources. Many of the lessons learned with regard to overall risk management through more traditional departments, such as internal audit or compliance, can be applied to cybersecurity. Sharing data points that are already being collected by these departments can add value to analyzing security threats. At an even higher level, sharing information across the industry in cyber intelligence groups (CIGs) can allow firms to collaborate on specific threats and solutions, and share data that can add value to their overall threat analyses.

Is hiring “hackers” the answer to the cybersecurity challenge? It’s not quite that simple. White hat hackers certainly have a key skill set organizations need to face the growing threat of cyber crime, but the ultimate success of an organization lies in how well the leadership empowers the overall enterprise to combat cyber risks together.

Luis Castillo of Protiviti Technology Consulting contributed to the development of this content.