It is no secret that the oil and gas industry continues to face many challenges, one of which is establishing and maintaining cybersecurity. The list of consequences from a cyber attack on an oil and gas company is extensive, including national fuel shortages, economic repercussions, environmental impacts, damage to physical assets, and threats to human safety and security. Companies must take cybersecurity vulnerabilities seriously by addressing the array of factors that contribute to the inherent risks within midstream operations.
Industrial Control Systems (ICS) are crucial to pipelines and require expert knowledge and experience to effectively evaluate and secure. When it comes to industrial control and SCADA (Supervisory Control and Data Acquisition) networks, they are often constituted with a blend of proprietary hardware, software, and communication protocols. There is typically a mix of legacy and modern systems, a wide variety of old and new communication protocols, a lack of visibility for network monitoring and continuous threat detection, and sub-standard documentation. Furthermore, the lifecycle of an in-service ICS is relatively long and uninterrupted when compared to enterprise IT (Information Technology) systems. Control systems may go decades without change due to the engineering costs and production downtime required to take them offline for patching, upgrades, or modernization.
Technological advancement is necessary for remaining relevant, but companies are inadvertently putting themselves at risk for cyber intrusions when they digitalize operations. With more digitalization comes more connectivity, resulting in a lack of IDMZ (Industrial De-Militarized Zone) between enterprise IT and operational technology (OT) networks. Systems are no longer air gapped leading to ICS exposure on IT networks, which have more intrinsic vulnerabilities. Ransomware attacks on IT networks can interrupt critical OT systems resulting in complications when downtime occurs for any period. Such attacks are easy to perpetrate by hackers who reap high payouts for the minimal effort required to breach their targets.
Besides the proliferation of ransomware attacks on IT networks that put OT networks at risk, logistical challenges complicate cybersecurity issues for pipelines. Midstream oil and gas companies operate across a large geographic footprint with limited physical access to remote sites. This configuration creates many interconnections and typically requires reliance on third-party communication networks that creates yet another susceptibility. The challenges are overwhelming, and the question becomes how do midstream companies bolster cybersecurity and where do they look for guidance?
The ransomware attack on an east coast pipeline earlier this year added to the already building regulatory pressure to institute cybersecurity standards that protect our critical infrastructure. The Department of Homeland Security (DHS) and the Transportation Security Agency (TSA) announced a new security directive in May of 2021 that is applicable to oil and gas companies designated as “critical” and requires reporting confirmed and potential breaches, assigning a cybersecurity coordinator, conducting a cybersecurity gap analysis, and sharing results with the CISA (Cybersecurity and Infrastructure Security Agency). A second directive was distributed to critical companies in July that outlines more specific requirements for cybersecurity measures to protect against digital threats. Designated companies are required to develop and implement the appropriate contingency and recovery plans, in addition to conducting an annual review of cybersecurity architecture. Voluntary guidelines remain available for non-critical companies operating in the oil and gas industry and according to the TSA will be updated to address current digital security concerns.
Whether adhering to the new security directives or following voluntary guidelines, the burden remains on oil and gas companies to effectively evaluate and fortify against cyber threats. It is important to enlist the assistance of a qualified expert to ensure proper attention is given to OT networks and ICS when addressing cybersecurity review and remediation. Experienced systems integrators can facilitate every phase of the process and may begin by assessing current resource utilization and creating or validating OT system inventory and documentation. They can deploy OT-specific network assessment tools and coordinate site visits to gather field data used to develop a digital model of active systems, architecture, segmentation, and device-level data. Once documentation of current systems and practices is established, the risk assessment continues with a gap study to detail threat and vulnerability analysis.
Training and remediation can occur once next steps have been determined, addressing the highest priority threats first. OT hardening may include modernization of legacy systems, IDMZ between enterprise and OT zones, micro-segmentation, end-device protection, virtualization and back-up systems, maintenance of OT network visibility, and patch management. A vital component includes continuous threat detection with real-time visibility and network activity detection to quickly identify and evaluate potential threats specific to OT. Training is a necessary focus of cybersecurity and encompasses everyone in the organization from executives, operators, technicians, IT, and control room staff. Final steps should include developing an OT incident response plan that can be enacted by IT and a strategy for continuous improvement for all cybersecurity procedures.
The right maneuvers are required to establish protection against malicious cyber attacks and should be conducted with the help of a qualified systems integrator. The best practices used for IT cybersecurity may not apply to OT systems, creating vulnerabilities at the virtual jugular of pipeline infrastructure. EN Automation is the trusted name in midstream systems integration with automation engineers who have extensive experience in pipeline and facilities operations. With field veterans who work with OT networks and long-term industry partnerships across a variety of platforms, EN Automation is the perfect partner for the cybersecurity maturity journey.