Securing Energy Assets: Focus on Zero Trust Architecture to Address Cyber Risks

The Colonial pipeline ransomware attack this past spring was a wake-up call for many in the energy industry. While oil and gas production has long been defined as a core part of the nation’s critical infrastructure, many continue to think that they are immune from such events, or that they can simply rely on traditional methods of security to protect their business assets. Executives and board leaders are called to take responsible, proactive measures to protect operations and stay ahead of cyber criminals. Integrating a zero-trust approach is key to reducing risk exposure.

Today, many cybersecurity architectures are inherently flawed, built around a traditional “castle and moat” paradigm view that the best defense to outside attacks is a strong perimeter. Once inside the wall, however, one can access business systems and data networks almost unchecked. In testimony before a U.S. Congressional Panel, Colonial Pipeline CEO Joseph Blount shared that their security firewall was breached with the use of a single legacy network system password that did not have multi-factor authentication in place. That means it could be accessed without a second check, such as security question, pin code or text verification, common safeguards employed today.

Moreover, traditional protection systems depended on physical access controls as well as data system security protocols to manage access to important business information. With more and more information being moved to the cloud and the unavoidable shift to remote work resulting from the pandemic, ensuring that only the right people have access to critical information has never been more challenging.