Claroty is the global leader in industrial cybersecurity, bridging the gap between information technology and operational technology environments.


The oil and gas industry presents a unique and complex cyber security profile. A serious attack that disabled offshore drilling rigs would carry devastating consequences, not just for the organisations that own the infrastructure but for the wider global economy as supply is disrupted.

Because offshore facilities are isolated and operate in precarious conditions, such attacks could easily go beyond the digital and directly endanger human lives.

At the same time, the Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems at the heart of the industry are notoriously challenging to secure in the digital age.

As organisations face pressure to keep up with the wider business world by digitising and automating their operational technology (OT) systems, they risk providing threat actors with additional attack surfaces to exploit.

Thankfully, a large-scale cyber attack on offshore infrastructure has yet to occur, and one would likely only take place as part of the highest level of offensive nation-state activity.

However, these systems still remain vulnerable as a point of entry for criminals seeking access to company networks and valuable data such as financial information and intellectual property.


One of the biggest issues around offshore technology is its fragmented nature. Assets and infrastructure often use multiple different systems provided by different external contractors.

Looking at floater assets, for example, standard drilling ships and semisubmersibles typically include four major independent OT networks.

Each of these elements will generally follow its own communication protocols and use different automation equipment, making it extremely difficult to gain a single unified view of the network as a whole.

This fragmented approach introduces multiple potential vulnerabilities that threat actors can exploit.

For example, the contractors responsible for maintaining the systems will typically use remote access to carry out their duties.

Attackers who compromise these privileged third parties inherit their access to the systems.

Compounding this, a drilling ship's OT network is rarely air-gapped. It is instead connected directly to the rig contractor's main IT network, which is in turn connected to the Internet.

This means that, in addition to the risk of the ship itself being disabled, offshore assets can easily be used as a stepping stone for attacks on the main IT network of the parent organisation.

Despite the significant threat posed by these common operational practices, however, the risk cannot be easily managed by the rig contractors.

Each network is managed in a complete silo by its respective contractor, which means there is no cohesive visibility of the assets across the OT environment.

Further, traditional IT security monitoring products are not equipped to deal with the proprietary OT protocols used by different assets throughout the floater's network.

This disjointed approach is an additional boon to attackers, making it much more likely that suspicious network activity will go undetected.

However, while this fragmented environment presents significant security challenges, rig contractors can regain control and oversight with the right approach and tools.

THE IMPORTANCE OF A CLEAR VIEW

Attaining visibility of all of the disparate OT systems is essential to securing offshore infrastructure against malicious cyber activity.

This is most effectively achieved with a single, vendor-agnostic security platform that can integrate with the different systems used by each rig contractor involved.

As mentioned previously, traditional IT management tools usually struggle with OT systems because of the number of different proprietary technologies, each with its own protocols. Successfully integrating with multiple OT systems therefore demands a specialised solution designed with the oil and gas industry in mind.

The main objective is to monitor all traffic across the network, but how this is achieved depends on the specific configuration in use. A network with a main switch that aggregates all the traffic can be monitored from that single point.

A more segmented network, or one with independent level-one clusters, can instead be monitored by port-mirroring each of the relevant switches and sending copies of the packets to another main switch, where the monitoring sensor collects them.

Here, a balance needs to be struck between achieving maximum coverage and keeping a minimal footprint on the network. Mirroring is passive, so the sensor cannot alter control traffic, but a mirror destination that is oversubscribed silently drops copies, so the coverage actually delivered should be verified rather than assumed.

PRIORITISING THREAT DETECTION

Because a successful attack on the infrastructure itself has such devastating consequences, the priority should be replicating and monitoring all traffic that directly affects physical processes.

Following this, the next objective is to identify and monitor strategic switches, such as the intersection points between network segments and working zones.

This includes, for example, the boundary between the IT and OT networks, which presents opportunities for lateral movement by threat actors. Once the key switches are identified and connected, the most effective approach is threat monitoring powered by machine learning, so that the process is fully automated.

The machine learning tool can be trained to recognise normal network behaviour for the rig, enabling it to immediately detect and flag anomalies. The baseline must be learned during a period of known-good operation and refreshed after legitimate changes such as maintenance work; otherwise expected changes raise false alerts, and any attacker activity present during training is baselined as normal.

By connecting their entire fleet of rigs to a single platform, contractors can cut through the opaque complexity of the typical rig OT arrangement and finally gain visibility of potential threats, regardless of where they emerge.
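As an added illustration of the behavioural-baseline idea (this is example code written for this page, not Claroty's product or the article's own material), the following sketch learns which conversations normally occur on mirrored OT switch ports and how often, then flags conversations never seen during training and rate spikes on known ones. The hosts, the Modbus operations and the traffic volumes are constructed for the demo; a real deployment would parse the mirrored packets with protocol-aware decoders rather than take pre-labelled flow records.

```python
"""Added example (not Claroty's code): a toy behavioural baseline for mirrored OT traffic.

Learns, from a training window of flow records, which conversations
(src, dst, protocol, port, operation) normally occur and how often each one
occurs per minute; then flags unknown conversations and rate spikes.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    minute: int   # time bucket, minutes since the start of the capture
    src: str
    dst: str
    proto: str    # e.g. "modbus", "dnp3", "opcua"
    dport: int
    func: str     # protocol operation, e.g. Modbus "read_holding" / "write_single"


def conversation(f: Flow):
    """Who talks to whom, over which protocol and port, doing what."""
    return (f.src, f.dst, f.proto, f.dport, f.func)


class Baseline:
    def __init__(self, sigma: float = 3.0):
        self.sigma = sigma
        self.known = set()        # conversations observed during training
        self.rate_stats = {}      # conversation -> (mean, stdev) of per-minute count

    def train(self, flows):
        per_minute = defaultdict(Counter)
        minutes = {f.minute for f in flows}
        for f in flows:
            k = conversation(f)
            self.known.add(k)
            per_minute[k][f.minute] += 1
        for k, counts in per_minute.items():
            # zero-fill minutes in which the conversation was silent
            series = [counts.get(m, 0) for m in minutes]
            self.rate_stats[k] = (mean(series), pstdev(series))

    def detect(self, flows):
        alerts = set()
        per_minute = defaultdict(Counter)
        for f in flows:
            k = conversation(f)
            if k not in self.known:
                # a new peer, protocol or operation, e.g. a first-ever write to a PLC
                alerts.add(("new-conversation", k, f.minute))
            per_minute[k][f.minute] += 1
        for k, counts in per_minute.items():
            if k not in self.rate_stats:
                continue
            mu, sd = self.rate_stats[k]
            # floor the deviation so a perfectly regular poller does not alert on +1
            threshold = mu + self.sigma * max(sd, 1.0)
            for m, c in counts.items():
                if c > threshold:
                    alerts.add(("rate-spike", k, m))
        return sorted(alerts)


# Constructed hosts for the demo (not addresses from the article)
HMI, EWS, PLC, ROGUE = "10.10.1.5", "10.10.1.9", "10.10.2.20", "10.10.3.77"


def constructed_training():
    """30 minutes of known-good traffic: the HMI polls once a second, the EWS reads occasionally."""
    flows = []
    for m in range(30):
        flows += [Flow(m, HMI, PLC, "modbus", 502, "read_holding")] * 60
        flows += [Flow(m, EWS, PLC, "modbus", 502, "read_holding")] * (2 if m % 2 == 0 else 1)
    return flows


def constructed_window():
    """Two later minutes: normal polling, a write from an unknown host, then a read storm."""
    flows = [Flow(30, HMI, PLC, "modbus", 502, "read_holding")] * 60
    flows += [Flow(30, EWS, PLC, "modbus", 502, "read_holding")] * 2
    flows += [Flow(30, ROGUE, PLC, "modbus", 502, "write_single")] * 3
    flows += [Flow(31, HMI, PLC, "modbus", 502, "read_holding")] * 200
    return flows


def run_demo():
    baseline = Baseline()
    baseline.train(constructed_training())
    return baseline.detect(constructed_window())


if __name__ == "__main__":
    for kind, conv, minute in run_demo():
        print(f"minute {minute}: {kind} {conv}")
```

On the constructed data the detector raises exactly two alerts: the unknown host's Modbus write to the PLC, and the 200-reads-per-minute storm from the HMI. It says nothing about a conversation that stops (a silent HMI), which a fuller implementation would also treat as an anomaly, and it is only as good as the training window: a write that was already happening during training would be accepted as normal.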
