Like all sectors of critical infrastructure, the oil and gas industry has emerged as a top target for cyberattack, yet most companies are not doing nearly enough to mitigate the risks.
Demand for business insight and device monitoring has led many oil and gas companies to merge OT (Operational Technology), such as their control systems, with enterprise IT systems. While the digitization of operational processes offers cost savings and improved productivity, the convergence of these two disparate business units has opened the door to a variety of risks upstream, downstream, across pipelines and throughout the supply chain.
Traditionally, oil and gas companies have implemented cybersecurity measures that focus on detecting symptoms of attacks. They use external network and perimeter technologies such as gateways, firewalls, intrusion prevention and anti-virus agents, as well as static and dynamic analysis to try to detect vulnerabilities. But as threats evolve in frequency and sophistication, a more proactive set of defenses, along with an elevated sense of urgency, must prevail.
Legacy Equipment and Systems Vulnerable to Attack
Many oil and gas companies still operate with legacy equipment and systems that were never designed for connectivity, nor to withstand today’s attacks. While components that manage processes like extraction controls, blowout prevention, and metering systems have been retrofitted with internet-connected features, most retain vulnerabilities and lack effective security controls. Furthermore, because field-level personnel often make decisions about industrial control systems (ICS) software, many oil and gas companies have multiple solutions, all with varying levels of security. To make matters worse, many facilities operate on outdated networks. like Windows XP, or even OS systems from the ‘90s.
Additionally, as oil and gas networks become more dependent on sensor data, they also become more vulnerable to spoofing attacks, denial of service, or social engineering. This can lead to production shutdown if the signal or energy source to an actuator is interrupted during a cyberattack. Attackers can also breach a critical access point to gain control of operations and weaken machinery or cause overheating. Malware attacks can not only result in a loss of data, but also interfere with control system operability, such as interrupting air conditioning or heat, which could put refinery operations out of commission.
The risks are already well-known. The Ponemon Institute surveyed 377 U.S. oil and gas cybersecurity risk managers in 2017, and nearly 70 percent said their operations have had at least one security compromise in the past year.
New Technologies Needed to Protect Against New Threats
Some oil and gas companies are trying to meet the threats, but their efforts aren’t enough. Roughly 60 percent of those surveyed by Ponemon said they have difficulty managing risks across the supply chain. While there are effective security technologies available, such as user behavior analytics, hardened endpoints and encryption of data in motion, less than half said they would deploy any of these technologies in the next twelve months.
Most importantly, traditional cybersecurity measures aren’t built to prevent malware from propagating because they mainly rely on network and perimeter solutions. In other words, these tools focus on identifying underlying symptoms rather than causes. Detection offers no protection in cases where the supply chain itself is compromised, such as in file-less attacks like memory corruption exploits, stack and heap attacks, zero-day attacks or ROP (Return Oriented Programming) chain attacks.
While detection monitoring is important, it isn’t an end-all solution, and it also requires time, investment and expertise to implement. Re-engineering code can also help enhance security, but to do so requires significant resources, and can trigger compliance risks, especially when the software stack can be hundreds of thousands or millions of lines long.
Hardening Systems with Runtime Application Self-Protection
One of the latest and most effective means to reduce risk is to cyberharden systems using RASP (Runtime Application Self-Protection) technology, which reduces risk by preventing exploits from spreading across multiple devices and networks. RASP hardens software binaries by using techniques such as binary stirring, control flow integrity and a priori optimization.
RASP techniques harden software binaries so that attackers can’t calculate in advance how to successfully execute their code. This can prevent an entire class of malware attacks related to buffer overflows.
There have already been several high-profile incidents in the oil and gas industry where RASP and randomization could have prevented the attack. In August 2017, Schneider Electric’s Triconex SIS (Safety Instrumented Systems) controllers were infected with Triton malware at a Saudi Aramco facility in the Middle East. Attackers gained access to the SIS engineering workstation to plant first stage malware, then downloaded new malicious code. Some controllers entered a failsafe state which automatically shut down the industrial process and prompted the owner to begin an investigation. In a case like this, cyberhardened SIS controllers could have completely prevented the attack, because the malware would not have been able to replicate.
RASP is easy to implement and requires no new additional investments, software, services or hardware and only a one-time transformation with limited overhead. No access to source code complier, or operating systems is needed. Finally, RASP doesn’t require alerts to monitor, and it is remotely deployable, as binary code can be cyberhardened via API.
Because of all the benefits, RASP adoption is increasing. According to a report by MarketsandMarkets, the RASP market is expected to grow at a compound annual growth rate of 33 percent to $1.24 billion by 2022.
The cyberthreats against the oil and gas industry are more complex than ever before. Moving from traditional security defenses to cyberhardening binaries can reduce risk by stopping attacks before they can execute.