Defending OT from Cybersecurity Attacks in Oil and Gas

HOUSTON—As oil and gas companies embrace the Internet of Things (IoT), they must step up their security practices.

Equipment and sensors deployed in the field were not originally designed with cybersecurity in mind, which complicates operational technology (OT) cybersecurity, especially for an industry as ripe for attack as the oil industry. A complete and current inventory of all devices, along with cross-functional exercises that include OT, IT and an auditor help companies understand where potential threats and weaknesses exist. But it’s not enough to fight the most recent attack method, as cyber threats are always evolving, experts said during the IoT in Oil & Gas Conference on Sept. 12

Yasser Alsaied, vice president of IoT at Amazon Web Services, said the number of IoT connections is growing daily, with 14 billion IoT connections globally at the end of 2021 and expected IoT spending to exceed $1 trillion in 2024.

“When you digitize, you make things better, and you don’t have to rip things apart to do it,” he said.

According to Jeff Bennett, Azure IoT partner executive at Microsoft, the reasons to connect equipment to the internet is just going to increase because of the enormous value real-time operational information brings to businesses. But in the past the sensors and equipment that provided operational information was air-gapped, which provided a level of safety.

“We didn’t have to worry about hackers, but now it’s connected,” and the addition of more sensors that provide additional data present “an even greater threat surface for hackers to get in,” he said.

One recent trend is that the people who write the virus are not the ones who attack the target network.

“The people that implement the virus into the target network don’t have the technical expertise to write it,” he said.

Many hacking groups are supported by nation-state intelligence services, making them a “powerful, resourceful enemy,” Bennett said. “The offense is more advanced, and thus the defense has to get better.”

In short, he said, companies should assume an intruder is in the network.

“The question becomes not how do I build my walls higher, how do I build my moat deeper. The question is how do I respond to threats as they arise?” Bennett said.

“The offense is more advanced, and thus the defense has to get better.” – Jeff Bennett, Microsoft.

Todd Anslinger, IIoT and automation specialist at Chevron, said his company has millions of devices linked to the Industrial IoT (IIoT).

“Being a large company, we get attacked every day,” he said.

One of Chevron’s strategies for avoiding cybersecurity risk is to run its own IoT hub and only use third-party IoT hubs when absolutely necessary, he said. The supermajor also standardizes on qualified sensors and gateways, he said.

“This keeps us out of cybersecurity risk,” Anslinger said.

Asif Effendi, Baker Hughes’ global director of product security, said a 2020 analysis by Mandiant of cybersecurity attacks revealed that the majority of attacks entered through IT and pivoted to OT because of the weakness of security associated with OT equipment.

“These bring in malicious possibilities that did not exist before,” he said.

As such, companies turned to a risk-based security approach that focused on avoiding fines, loss of reputation or income and safety issues, he said. A programmatic approach that covers risk; has accountability; and is transparent, accelerated, consistent and collaborative is a better path, he said.

And a start on that path is having a real-time inventory map of every device connected to the company’s IoT, Bennet said.

“You need to be able to identify the state of all the devices and networks in one place,” he said. “You need to be able to go from an old spreadsheet with lists of that equipment and these sensors, and they’re all connected to a real-time device inventory map.”

John Taplett, Ceritas’ founder, said creating an OT cybersecurity strategy shouldn’t default to all IT solutions. Such an approach would “leave a lot of gaps,” he said. Instead, the strategy can draw on IT learnings, but should start with a clean sheet of paper.

And once a strategy is devised in place, the work doesn’t stop.

Kevin Kumpf, chief OT strategist at Cyolo, said it’s critical for companies to hold cross functional exercises that involve IT, OT and an auditor.

Taplett said companies should not always look to the past for what to guard against.

“We’re defending against what happened last time. It’s generally not going to be what happens next,” he said, noting the requirement that air travelers remove shoes at airport security because of one attack that involved shoes. “We always fight the last war all over again.”

In order to win, always being aware of the company’s scope for threat is crucial, Kumpf said.

“It’s really about knowing your baselines. If you know your baselines, you can get your declines. If you know your baselines, you can know your threats. If you know this, you can go to management and say, ‘Here is what we think are the most important things’” to protect against, he said.