Michael Porier, Managing Director
Technology Consulting – Security and Privacy
The realization is growing across the oil and gas industry that the major cybersecurity threats to upstream, midstream and downstream data and operations are often aimed at operational technology (OT) systems and equipment – usually older, legacy models – rather than at the information technology (IT) side. Those operational technologies typically include industrial control systems (ICS), supervisory control and data acquisition (SCADA) devices and other related technologies implemented at operational facilities, such as plants, pipelines, terminals and rigs.
A recent survey of more than 300 oil and gas companies found:
- More than 60 percent of companies have suffered a security compromise in the past year, which exposed confidential information and disrupted OT systems and operations
- Two-thirds of companies believe risks to OT systems have increased substantially in recent years, and 59 percent believe they face greater risks in OT than in IT
- Only one-third of companies report that OT and IT are fully aligned in their organizations
- Just 35 percent rate their readiness to address cyber threats as high
- Close to half of all attacks on OT are going undetected
These survey findings appear shocking – but they are also consistent with Protiviti’s experience in performing cybersecurity assessments for energy and utility clients, particularly evaluating their OT systems. We often find unprotected field terminals with inadequate physical security of connection points, live ports that lack deterrents, and an absence of intrusion detection capabilities. We also commonly see flat networks that are not segmented to appropriately segregate the OT systems from the corporate network environment, making it easier for potential hackers to exploit vulnerabilities across the organization.
Obviously, OT systems with any of these shortcomings present significant cybersecurity risks for the energy and utilities industry. The threat is multiplied by the fact that energy and utilities organizations are deemed critical infrastructure, whose exploitation can have devastating effects to broad geographic regions affecting multitudes of people.
More and more ICS/SCADA technologies allow for the capability to connect (via IP) to the broader corporate network infrastructure. While this provides for certain efficiencies, it can also expose oil and gas systems to unprecedented risks that occur when the previously isolated OT systems are linked to sophisticated IT networks so data can be shared, managed and analyzed.
Despite this newfound connectivity, the industry has remained stubbornly reluctant to challenge legacy OT systems from a vulnerability perspective, for fear of creating interruptions or process errors. This reluctance often leads to a failure to adequately test or update systems to optimize security and minimize cybersecurity risks.
The concerns are legitimate, but only up to a point. In our experience, there isn’t sufficient justification to hold OT systems “off limits” for cybersecurity evaluation and upgrades, given the high potential for targeting by sophisticated opponents and the alarming numbers cited in the survey. To this end, assessments should still be performed, but they must incorporate a series of precautions designed to assure both operational continuity and a complete threat risk review. These precautions include:
- Well-defined rules of engagement, including identification of the types of reports and system information to be compiled prior to conducting a vulnerability scan
- Performing security evaluations in a test, rather than production, environment
- Collaboration with both engineering and IT security personnel to define the scope of the review engagement
- Reasonable limitations on initial tests so sensitive systems can be excluded if needed to allow for the development of workarounds
- Establishment of clear lines of communications so any network or system irregularities are reported and evaluated during testing
Working within these parameters, the end goal of testing the security control environment of the ICS/SCADA environments should achieve the following:
- Evaluate the key security risks prevalent in the ICS/SCADA network architecture
- Identify the network vulnerabilities and test the connectivity to the enterprise network
- Assist with the development of a vulnerability management program specific to the ICS/SCADA infrastructure
Ideally, what energy and utilities companies want is to ensure they have an ICS/SCADA environment that can function in a secure and effective manner, and that they can be highly efficient in detecting and responding to breaches and attacks. This requires technical expertise, collaboration between departments, appropriate planning, and leveraging vulnerability assessments to periodically test security. Testing these systems requires more work, but it is not impossible, and it should not be considered “out of the question.” In fact, testing is an essential practice to preserving the integrity of any critical system.