The era of connectivity has exposed legacy oil and gas infrastructure to possible cyberattacks, but not all equipment carries equivalent risks.

Cybersecurity in operational technology (OT) can be low priority for owners of older equipment, particularly if they are working in low-margin sectors of the industry, Blake Benson, senior director of cybersecurity at ABS Consulting, told Hart Energy.

As older equipment is increasingly connected to, or at least touching, the internet, companies have to find ways to protect what’s critical, and cybersecurity experts need to communicate to management the potential fallout in the event of an attack.

Cybersecurity and Legacy Equipment: Protect ‘Ponds, not Ocean,’ Expert says
Blake Benson, senior director of cybersecurity at ABS Consulting. (Source: ABS Consulting)

That means adding more scrutiny to vulnerabilities even as E&Ps prioritize worker safety.

“Legacy equipment is all equipment, for the most part, in the OT space,” he said.

Owners of companies in critical infrastructure sectors typically spend more on maintaining than upgrading equipment, he said.

“Safety is a bigger part of their budget. They're almost always more concerned about operational risk and ensuring someone doesn't die than upgrading equipment,” Benson said.

Federal agencies often put out security directives and threat advisories that can’t be implemented for myriad reasons, including lack of support by the original equipment manufacturer (OEM) and IT-based recommendations such as patching.

Putting those suggestions into place would typically “break the systems,” he said.

“That presents a whole new dynamic that's not only unique to OT, but can be unique to that specific environment or that specific critical infrastructure sector at large. And that's a really important distinction to make,” he said.

Assessing risk

When considering cybersecurity among other needs, OT managers need to assess what is most critical to operations, he said.

“What do I need to care about, and how do I invest in the things that are most critical, or most important to the availability and safety of this operation as a whole” are the questions OT managers should keep in mind, Benson said.

Protecting infrastructure means first identifying critical assets and determining which ones have cyber dependencies, he said. 

That cyber terrain and those systems “are the ones that you should probably start to invest in. When you talk about integrating controls, those are the ones you want to harden. Those are the systems you want to ensure are more protected. That's the architecture you want to focus on,” he said.

One reason: it’s not possible to upgrade everything. 

“It's a fool's errand. A lot of it can't be upgraded. The OEMs don't even make it to where it can be upgraded. It's impossible,” Benson said.

Historically, when the National Institute of Standards and Technology (NIST) or other groups create guidance and recommendations, an inability to patch software commonly causes stumbling blocks, he said.

“It falls on deaf ears because the plant managers and the people responsible for maintaining this equipment know that the last time this thing had an update was in 1998,” he said.

Benson said it’s important to approach cybersecurity for OT systems differently than for IT. For instance, he said, a typical IT approach recommends active scanning of networks.

“But these systems weren't designed to even ingest that type of info on that network,” he said.

Deploying an IT scanning tool into the OT environment is like “setting a 10-pound, large-mouth bass loose on the network. You wouldn’t put a 10-pound bass in a 20-gallon aquarium, just like you shouldn’t use IT tools in an OT environment” that typically deals with something more the size and speed of minnows, he said.

“This ecosystem wasn't built for this bass. You're going to run into everything. You're going to break everything… It doesn't work.”

What does work, he said, is hardening critical parts of the OT network and isolating that equipment from the internet as much as possible.

“Ultimately, that's the name of the game,” Benson said. “Instead of defending the ocean, you really want to identify these little ponds of criticality. And then you want to segment those as far away from the internet as possible and from each other to prevent lateral movement while still being able to maintain visibility and management over that network.” 

Translating risk to dollars

One of the biggest barriers to achieving cybersecurity is budgets, he said. 

“Cybersecurity experts don't know how to effectively communicate risk,” he said, and they tend to hyperfocus “on their slice of the pie.”

The most effective path forward is for cybersecurity experts to communicate risk by explaining how much revenue is at stake, he said.

“How much revenue would an outage cause in this facility? What is our liability if we got ransomware and an insurer held us liable for that?” Benson said. “What causes us the biggest headache if this goes down?”

ABS Group Industrial Security Operations Center. (Source: ABS Consulting)

Not all risks are created equal. In the past, for example, well inspections required someone to physically drive to well sites. With the advent of the Internet of Things, sensors can transmit info to the office, which means fewer trips to the well sites.

But that also introduces risk.

With those sensors, “you're introducing connectivity into an environment that was never engineered to be connected. When you do that, you, intentionally or unintentionally, are exposing these assets to the larger threat landscape of the internet,” he said.

He said it’s important to contextualize that risk back to operations.

“At the end of the day, it may not be a big deal if that system were to be compromised,” he said. “What are the worst case scenarios?”

For a wellhead, it might be an incorrect payment, or it might be a spill because the sensor said it was empty when it was actually full.

“Contextualizing the cyber risk back to operations … is something people really don't know how to do very well and is really, really hard. That process requires a lot of subjective experience in the field, requires a lot of knowledge of operations people need to be doing. People need to be doing that better,” Benson said.