Already plagued by political agendas, market uncertainty and global struggles, the oil and gas industry’s downstream sector finds itself in peril. With technical and digital dominance playing major roles in all aspects of life, the downstream market faces the additional threat of cybersecurity issues.
Due to impending cybersecurity threats, organizations have developed safeguards to help in this highly specialized support niche. One of the largest and most respected security consulting firms, NCC Group, offers its services as an FTSE 250-listed global expert in cybersecurity and risk mitigation. Concentrating on all areas of interest for potential threat bringers, the firm’s portfolio of services includes security assessments, penetration testing, attack simulations, vulnerability management, cryptography, security software applications, cloud environments and incident response programs.
According to Damon Small, MSc. IA, CISSP, technical director of security consulting for NCC Group, this very portfolio is utilized to protect the downstream sector in various ways.
“I’ve been a staffer at DEF CON for seven years and have been on the advisory board for the Oilcomm oil and gas conferences since 2017,” says Small. “I have often been the lone IT professional in conversations with OT professionals, but what we’ve learned is that solving the cybersecurity problem is very much a collaborative effort.”
When discussing downstream threat potential, Small indicates that confidentiality, integrity and availability are considered, in that specific order. Tending to focus on availability first, Small’s experience has led him to determine that information used to combat threats must be delivered on time within an industry that has little acceptance of delays.
“Any threat that would compromise industrial control systems (ICS) devices is of concern,” says Small. “Malicious software, including ransomware, viruses or exploitation of vulnerabilities in software or operating systems, are all of concern.”
Downstream can find itself victimized by a surplus of threat possibilities. Motivation surfaces in many different forms including theft, break in production, harm and even death. Small reveals that a past Texas refinery explosion originated largely due to monitoring systems that were not properly instrumented. This caused human operators with access to misread telemetry.
“Although not directly related to downstream, I have firsthand knowledge of an oil and gas company whose exploration projects were impacted by a non-government organization (NGO) attacking the networks and computer-based systems responsible for getting data from the field to the geologists,” says Small. “This delayed the project [to a] great extent.”
No apparent downstream threat directive can be classified as short term or long term. For those implementing the threat, disruption is the primary goal. Because refineries, for instance, are a multi-platform industry, the threat’s direct hit can target a smaller but important area and have a devastating effect.
“While still producing, a refinery in such a configuration is less efficient, costing the organization money – large sums of it,” says Small. Even though a cyberattack like ransomware does not completely shut down a plant, he continues, it can cause it to run at a less-than-ideal configuration.
As calculating as cybersecurity threats can be, specific reasoning exists as to why downstream is the preferred target over both midstream and upstream. With the ability to directly disrupt consumer goods like gas, adversaries can wreak more havoc with targeted attacks in the downstream sector. This is where the products go to consumers who need them.
“A refinery can be approaching 100 percent capacity, for example, but if the marketing terminal can’t load fuel into tankers, then it won’t reach the end-user,” says Small.
According to Small, some cybersecurity threats gain entry through individual channels like company email, but additional and more developed avenues are ever changing. While targeted attacks such as email-based phishing are both popular and effective, companies have retaliated with robust employee training programs to recognize this heinous activity. Unfortunately, threat potential still exists. For example, several systems that are networked in refineries can remain online for extensive periods of time. The technology and vulnerabilities, however, have greatly advanced, leaving unencrypted protocols, weak authentication and network structures that lack risk countermeasures. These issues all serve as routes of attack.
When analyzing threat levels, consideration should be given to where the threat originates and who is behind it. The ultimate goal of the threat can be driven by financial aspirations or even simply to cause havoc. Entity and motivation can vary.
“Once upon a time, threats to operations were largely physical in nature because the OT networks did not communicate outside of the refinery itself,” says Small. “Now, the threats are much more widespread because of the interconnected nature of OT and IT systems. This is not to say that these interconnects are, in and of themselves, a bad thing, but it means that the threat landscape is much larger than it used to be.”
Small continues his explanation with an example scenario. Attackers are indiscriminate where ransomware is the weapon of choice. Here, data is attacked and encrypted. It cannot be accessed until the ransom has been paid. When it comes to state-sponsored and other attacks like Stuxnet, the attacker’s motivation is to disrupt production.
Drawing on 25 years’ worth of knowledge and past experiences, Small has concluded that the downstream cybersecurity threat mirrors that of the healthcare industry. The similarity he identifies is that both industries require purpose-built devices. Both refineries and hospitals require specialized support systems.
“The oil and gas industry has a head start in solving the cybersecurity problem, if for no other reason than the economics of each industry,” says Small. “In terms of defense-in-depth and network architectures, healthcare organizations can learn a lot from how oil and gas have responded to these issues.”
Service companies working within the downstream sector are not immune to cybersecurity threats and can find themselves at risk. That high risk level is not limited solely to the operator, such as the refinery itself. Because third-party entities are so tightly integrated with the operator, Small reveals that those issuing the existential threat have difficulty identifying where the target, like the refineries, begins and ends. Because they are intertwined, the contractor can be the victim of collateral damage.
“The problem is in determining which entity is in control of each part of the supply chain and the information that supports it,” explains Small. “In other words, any kind of cyberattack can pivot from an operator-controlled subsystem to a contractor- or service company-controlled subsystem. The complexity introduced by integrating these subsystems can make it difficult to protect them.”
With the threat potential being so extensive and far-reaching, the downstream sector must be vigilant in identifying threat potential. According to Small, companies should adhere to a simple protective measure: they should verify everything and trust nothing. Strong authentication methods and effective firewalls are key methods of protection.
“A mature threat response plan should also assume that vulnerabilities may exist at multiple points within the enterprise, and incident response capabilities should account for this fact. One way to help prepare is to host tabletop exercises where a hypothetical cybersecurity incident takes place, and each stakeholder within the organization talks through [its] plan of action in response,” says Small. “This is sort of a ‘Dungeons and Dragons’ type of activity but can be very useful in measuring the efficacy of those response plans.”
The cybersecurity threat response must be proactive and group participation is the best way to increase the odds of thwarting an attack. Employees can assist in the fight on an individual basis. Small says that a high level of situational awareness must be incorporated into the workplace by employees, who should pay attention to how they use computers and interact with information assets.
“As the saying goes, ‘If you see something, say something,’” says Small. “Not to be glib, but operators know far better than anyone else what normal looks like.”
When discussing business financials, cybersecurity protection is just another service or product with a cost. Like anything else, its budget must be justified. According to Small, measuring cybersecurity protection costs is not necessarily a simple act. He indicates that part of the problem is that various technical controls and network architectures that his firm recommends require downtime to implement. Downstream operators deem downtime expensive and, as a result, it is typically rare. Small feels that while the costs might be considered high, they are less expensive than initiating an incident response.
“An ounce of prevention is worth a pound of cure,” says Small. “Preparing for an incident is always less expensive than recovering from one.”
Considering opposing views, Small understands businesses must be fiscally conservative. He recognizes the concept of questioning why money was spent if nothing happens. He offers the counter that it is not a technical issue but instead one of validation and importance. He says that it is more an understanding of the value of information assets and the worth that is attached to them. Although his firm is an industry leader in the service it provides, it lacks the actuarial data to assist in that decision-making process.
“Insurance companies are really good at figuring out how much it costs to protect something based on all the data points they have related to a particular asset,” explains Small. “We don’t have that in cybersecurity yet, but I’m certain we will, and actuaries will become a part of the solution.”
Justifying costs and reactive responses are well known within the oil and gas industry. The downstream sector is not immune to these concepts and thought processes. Much like company HSE departments within the oil and gas sector, cybersecurity teams, services and budgets do not earn or yield revenue. In fact, up front, they cost companies money. Their proactive nature, however, saves companies vital sums of money on the tail end. That worth and understanding must be marketed for all to understand.
If a company HSE program costs $250,000 annually and provides a safe work culture, then that cost is far outweighed by both the financial and emotional costs of loss of life. In the same fashion, cybersecurity departments or outsourcing must be understood by the downstream market and their value recognized for the proactive response that they are.
Small offers simplicity in understanding, saying that companies must ask how much the information asset is worth and compare that to the value lost if it is unavailable.
“Now, I’m not talking about the computers, routers and switches,” says Small. “Those are commodities that can be easily replaced. I’m talking about the information that you consume to keep your business running.”
Like anything in business, costs must be justified. Some items might be an easier sell. While new technology might come with a hefty price tag, it might double production. On the other hand, new computers with updated software might get put on the backburner. Everything has a price. Instead of businesses asking themselves if they want to spend the money, perhaps the better approach would be to ask themselves if they can live without it.