This paper related to cyber security oil and gas industries, is available as a part of the Abhisam Industrial Cybersecurity report, which can be downloaded now.
Author: H Sreedhar.
Recent History of Automation in Oil & Gas
The Oil and Gas industry (O & G for short) has been a pioneer in embracing digital technology. It was one of the first industrial sectors to transition to Distributed Control Systems(DCS), from analog electronic control equipment and pneumatic instruments. This transition started in a big way, about 35 years ago, when DCS were a “hi-tech” thing.
The development of digital control systems and the networking, particularly with the internet, has led to increased risk of cyber-attacks which are engineered by isolated hackers, criminal organizations or state services. The ensuing disruptions, can result in untenable stoppages in production and danger to people, property and the environment, leading to potential disaster scenarios in sensitive installations of energy production and other similar major infrastructure.
Industrial Cyber security Oil and Gas – challenges
In the context of the fourth industrial revolution, which involves an increased degree of connected systems and integration of digital technologies into the manufacturing process, cyber-security is a major issue today.
The industrial systems are heterogenous and built on commercial off the shelf (COTS for short) generic components. The selection of the components are made for their functionality, not security. Authentication management at the equipment level is difficult and updating software, firmware or hardware is difficult and not done regularly. Although we consider these existing DCS, PLC and SCADA systems as “modern”, the reality is that at the time when these control system technologies and protocols were developed, cyber-attacks did not exist (or were not considered as a credible threat). Thus DCS security, SCADA security or PLC Security were not considered at all.
Hence these systems are insecure and very vulnerable. There are many installations which still use them. In cases where the most recent installations are implemented around the Industrial internet of things (IIoT), the complexity and (ironically) the flexibility of these networks, makes them very vulnerable.
Cyber attacks are evolving in sophistication and complexity from the simple viruses in 1980’s to the malicious software today capable of communicating with outside entities, capable of growing to become widespread and attacking remote installations.
Instances of attacks on industry installations like the WannaCry , Stuxnet attack (Falliere,2011) aimed at Uranium production which led to Plant shutdown and operating losses or the Triton attack which rendered even Safety Instrumented Systems inoperative, are warning examples of the need to treat this issue with the prioritized urgency that it deserves.
The rapid evolution of technology had led to the Industrial control systems (ICS) being connected to other networks for transfer of production data to the Company IT systems for remote download or auto download of updates. There is an increasing convergence of protocols towards common protocols increasing the vulnerability of control systems. It is unrealistic to expect the control systems to be stand-alone and not connected to any other systems.
A cyber-attack can be in myriad ways eg. the USB key as In the Stuxnet case; or if the industrial network is connected to the IT corporate network the IT system can be attacked with malicious programs that infect the industrial network, where the industrial network is connected to the internet(albeit temporarily), for maintenance or configuration, thereby exposing the network to potential attacks. Many organizations are migrating to the Cloud, to upload the data to enable system updates from the manufacturer’s site with remote access, thereby increasing the system’s attack surface and increasing its vulnerability.
Functional safety as per IEC 61508 does not focus on computer security, as it was not identified as a credible or important hazard, at the time the standard was originally written.
(Note: There are SIS related security clauses in the latest edition, but they are sparse and direct the reader towards other standards such as IEC 62443)
Information security and operational safety are managed by different approaches: ISS risk management process is covered in ISO 27000 Security of information standards and PHA, HAZOP, FMEA or LOPA are the risk analysis methods for industrial processes. IEC 62443 aims to transcribe number of functional safety concepts (like SIL levels) for cybersecurity, to align approaches. Unified approaches for risk analysis are being proposed with the concept of SLs (Security Levels).
Depending on the issues and context, the industrial cyber security solutions will be different. The crisis management plan, recovery and business continuity plan, need to be in place, based on the detection system and the alert chain. This will be based on the cost-benefit ratio.
Problems in preventing ICS cyber attacks in the O & G world
Probable economic consequences, with detailed cost-benefit analysis, is required to determine the level of cyber-security measures required to be taken. With oil prices in a steady decline, all costs are being controlled with an eagle eye and spending on cybersecurity is not an exception.
Anti-virus software is not effective on many devices that run on proprietary software, or real time operating systems. Common Firewall problems include limits related to filtering rules not being configured properly and even if data flows are limited, it does not prevent all attacks passing through, as evident in the Ukraine electrical energy management attack of 2015.
Virtual private networks(VPN’s) have their own limitations, as many VPN’s use outdated technology or even if one of the Workstations connected to VPN is infected, it risks the entire network getting infected. The Information Security system (ISS) limits efficiency and is expensive.
Cybersecurity status of Oil and Gas industries in the year 2020
The culture of “production first” and not changing something that works, is deeply entrenched in Oil & Gas. It is imperative to enforce a culture, where the authentication management is rigorous, and updates are not always made on a regular basis. There is need to have an ICS security management policy including management of sub-contractors, subject to specific measures, a user rights management policy defining possibilities of action and prohibiting access to outsiders.
In the Oil and Gas Industry, increasingly the challenge of potential targeted cyber-attacks is now on the operating technology (OT) side of the network. The increased focus in 2020 of the Oil and Gas Industry was to secure the OT segment of their digital infrastructure. This need has arisen due to the increased cases in the cyber-attacks on OT peripheral devices. In the Oil and Gas industry the levels of connectivity between the IT and OT networks are increasing.
What lies ahead in 2021 and beyond for cybersecurity in Oil and Gas?
The next focus in Oil and Gas increasingly in 2021 is the threat to supply chains including Contractors, Sub-contractors and Vendors that tie-in to the Company’s databases/IT environment during project execution and potentially bring threats/vulnerabilities. Hence supply chain cyber security will be in focus.
Now I would like to highlight another aspect of Industrial cybersecurity. Today the focus on Industrial Cybersecurity is mainly ICS Security (which can be considered a subset of the broader domain of Industrial Cybersecurity) and you will see a lot many developments related to it. However we should also consider other allied engineering activities, which are now done “in the cloud” and can affect industrial operations.
Due to the COVID 19 crisis, a lot of design and detail engineering work is being done increasingly in the cloud, with many stakeholders connecting to it including EPC contractors & sub contractors. Although strictly speaking, this is not considered as part of “Industrial” cybersecurity, yet any attacks on these systems can affect industrial operations too, especially for brownfield development projects, where time is critical and budgets are low.
Imagine nightmares like data corruption of as built drawings, or damage to old P & IDs (with no hard copies available). Recovering from these incidents will not be a pleasant experience and can set back urgent modernization projects by years.
The need is to set up Cyber-security processes in place so that all the third party entities are fully aware and adhere to the Cyber-security policies of the Company.
For an effective cyber-security solution, it is imperative to think in terms of protection, prevention and early intrusion detection, by means such as abnormal traffic suggesting a preparatory attack.
The Cyber-security solution must be implemented in consultation with the user, taking into account ground-realities supporting new operating modes, without limiting the user’s operating possibilities excessively.
That is the challenge that is being addressed in 2020 and in 2021 will further require concentrated attention from various stakeholders, increased budget allocations for cybersecurity and increased collaboration from both cyber-security solution providers and the users.