As the cybersecurity landscape shifts with an increasing number of successful hacktivist attacks, combining process, automation and network engineering tools can address operational technology (OT) security risks.

About 80% of the successful cyber-attacks on industrial operations in 2022 were ransomware-related and about 15% were led by hacktivist groups. The expectation is that future hacktivist efforts will continue to target high-profile targets and infrastructure, according to Andrew Ginter, vice president of industrial security at Waterfall Security Solutions. 

While the oil and gas industry hasn’t borne the brunt of cyber-attacks, it has weathered a few onslaughts, including the 2021 Colonial Pipeline ransomware attack and a trio of early 2022 ransomware attacks on ports that delayed the loading and unloading of oil tankers. 

But Ginter worries that might change. 

“There are distressing trends, one of which is the trend towards increased hacktivist activity,” he said. “The thing about hacktivists is that they're politically motivated. They don't have a financial agenda and are politically motivated.”

And he believes hacktivists are “quite happy” to target critical infrastructure, and the bigger the target the better, because of the resulting impact. So if hacktivist activity continues to increase, so does the likelihood of attacks on critical infrastructure.

“That's what activists go after. That's what politically motivated attacks go after,” Ginter said.

Fuzzy risk picture

With the low number of successful attacks on the oil and gas industry, he said, some might consider playing the odds when it comes to cybersecurity.

They might ask how likely they are to have nation-state grade ransomware attacking their pipeline or refinery in the coming year, he said.

“That’s the wrong question. I mean, imagine that the refinery goes down for 10 days. How much have you lost? Do the math. It’s a lot of money,” Ginter said. “If your answer is, ‘Hey, we knew that if this grade of ransomware attack came after us, we'd go down. We knew that. We just didn’t think they’d pick on us this year.’ That’s the wrong answer.”


Even with the rise of hacktivist attacks, Ginter said the pervasive threat to critical oil and gas infrastructure is nation-state grade ransomware. 

“We need to take really strong measures to protect our system against that network-based threat,” he said.

Designing cyber protection has partly been a matter of protecting against worst-case consequences, but there is no industry consensus on how to assess cyber risk, he said.

Ginter said the IEC 62443 standard for secure industrial automation and control systems touches on the process of risk assessment without spelling out step-by-step instructions on how to conduct one.

“All this thing talks about is the process. It says first you should do a preliminary and you should use the result of that to make a decision. And then you should talk about network segmentation and then decide if you need to do a detail. It doesn't actually tell you how to do the preliminary, it just says that you should do one. Yet we could not get anyone to agree on a methodology for connecting threats and consequence into risk. That's left to the reader,” he said.

Ginter also argues that worst-case consequences should determine the required strength of a system’s security program. 

“But even that is controversial,” he said.

Defending OT systems

Yet the worst-case consequence in oil and gas is usually unacceptable, he said, due to the public safety threat involved.

Fortunately, he said, new approaches for addressing such threats are being created, such as Idaho National Laboratory’s Cyber-Informed Engineering approach, which applies engineering-style mitigations to cyber risk.

Mitigation tactics include placing a mechanical valve on a piece of equipment that could explode if it overheats, rather than relying solely on a longer password for the computer controlling that equipment, he said. 

“None of these cybersecurity standards mention the valve because it’s not a cybersecurity mitigation. It’s a safety mitigation. It’s a physical mitigation,” Ginter said.

Such mitigation strategies are what “cyber-informed engineering is all about,” he added.

“The new thinking is wherever practical put electro-mechanical safety in to eliminate the cyber threat to safety. Still use all the cyber stuff. You want a second and third line of defenders, but your last line of defense basically takes the threat off the table,” he said.