Refining & Petrochemicals Middle East
WHY IMPROVING SECURITY INSIDE INDUSTRIAL ORGANISATIONS HAS BECOME AN URGENT REQUIREMENT
Industrial organisations are beginning to see the benefits of digital transformation in their control systems and assets but are unprepared to manage the challenges of cybersecurity explains Danielle Jablanski, OT security strategist at Nozomi Networks
The evolution of operational technology and industrial control systems in oil and gas operations began with on-premises connectivity between systems, often using Ethernet. Since then, it has progressed to connecting multiple sites and remote locations, expansion of supervisory control and data acquisition architectures, and an increase in cloud technologies. The energy industry continues to explore and adopt digital transformation plans. This is driven by the demand for clean energy, greenfield investments, microgrids, distributed energy resources, and analytics, with the expectation of increased efficiency and productivity. This has led to the adoption of internet of things, predictive maintenance, digital twin solutions and more. Adoption of new technologies in such industries continue to outpace cybersecurity and risk mitigation concerns, with insufficient documentation and data for monitoring and visibility. Limited resources, lack of technical competency, talent and expertise gaps, and siloed communications are notable hurdles to the adoption of more robust and resilient
security capabilities. Threat actors view industrial targets as highly lucrative due to their inability to tolerate any downtime. It is not surprising to find oil and gas companies amongst the most likely to pay ransomware to retrieve data and operations.
Prescriptive recommendations for improved security often overlook the realities of asset ownership, operation, transfer, and custody. If a pipeline operator with distributed operations is unfamiliar with their network and sub-network activity, and a change occurs, how would they know if it is a security-related or operations-related event?
Was it on purpose, accidental, or nefarious?
With the advancement of digital transformation inside industrial organisations, asset managers sometimes may not realise their control systems are connected to the Internet in some way. They may have no way of detecting unauthorised entry and changes, with the risk of remote takeover and control of assets, leading to unsafe conditions, equipment damage, and unintended shut down.
Threat actors continue to probe industrial networks, particularly targeting the energy sector at large. Industrial organisations have realised they may have blind spots in their networks and are short staffed in terms of cybersecurity personnel to protect operations and control system assets.
Inside the energy sector and across critical infrastructure there are many assets and systems deemed to be crown jewels or “mission-critical” assets. This reality is impacting every organisation and facility across the oil and gas industry, as owners and operators continue to try to do more with less. Users of SCADA systems may continue to focus on the benefits of these large-scale systems without being aware of the importance of protecting the operational data being generated.
Cybersecurity decision makers manage data at rest or data in motion, data integrity, confidentiality, loss of control, loss of visibility, and operational disruptions. The crux of the issue is using data to pinpoint where to investigate an issue before it becomes unmanageable.
There is limited access to the full scope of data being generated or visibility into the networks that connect them. Other than the primary industrial vendors and OEMS setting up large-scale systems, there are also third-party equipment and technologies to support the primary platforms, adding further complexity. For these reasons, many cybersecurity incidents in these industries go undetected, with estimates suggesting as many as half of all incidents go undetected.
However, technology is evolving to centrally aggregate what to investigate and why, with enriched data based on threat intelligence and environment-specific data, to alleviate resource and personnel gaps. Owners and operators must learn to assume that they will be breached and focus on reducing the severity of the impacts. This can be done by customising detections and prevention methods for the asset owners.
Pipelines, pumping and compressor stations, and production wells in remote geographic locations, amongst others, all use some type of connected SCADA technology.
At this stage, asset managers may be able to see benefits emerging from the application of digital transformation but may be unable to distinguish failure in the integrity of data, network performance issues, potential malware being introduced or already resident on the industrial network, and potential equipment failure or damage.
OT/ICS cybersecurity and visibility solutions can help to identify anomalies within networks and between assets and distinguish between malicious and benign behaviours. This is required for root cause analysis to determine whether an incident is being caused by an ongoing threat campaign, asset malfunction, asset misconfiguration, ransomware, or just an equipment drift.
The more efficient we become at correlating threat intelligence and environment-specific contextual data, the more capable our security solutions are to augment cybersecurity best practices and overall security postures. It is more efficient to spend resources on a scalable purposebuilt solution than prioritising visibility only after an incident occurs. With preparation and monitoring, impacts can be limited by building in intuition and bolstering situational awareness.
Industrial cybersecurity is not a journey or a destination, but a dynamic interaction between external and internal situational awareness. This constant relay race requires trust and verified solutions from partners for customers to stay ahead of the curve.