Energy infrastructure plays a critical role in both local and global stability, putting the oil and gas industry under considerable pressure to ensure everything runs smoothly. At the same time, this essential role makes it an appealing target for malicious actors seeking to disrupt operations, cause real-world harm or get hefty ransomware payouts. However, operators in this industry face complex cybersecurity challenges due to the convergence of information technology (IT) and operational technology (OT), a complex supply chain, increasing regulatory requirements, legacy OT systems, and removable media risks. Yet managing today’s challenging industrial control systems (ICS) threat landscape is far from optional, so how can organizations improve cybersecurity and safeguard energy infrastructure?
Energy Cybersecurity Challenges
The oil and gas industry faces multiple cybersecurity challenges that are different from those commonly faced by other sectors, including:
- Interconnectedness of IT and OT: There is a blurring line between IT and OT infrastructure, and who owns the security responsibilities. This is creating new attack surfaces and potentially exposing OT to more threats. OT systems often run on legacy platforms that have a weaker security posture. These now-exposed systems may be more difficult to access and update.
- Supply Chain Complexity: Oil and gas companies work with numerous vendors and partners, adding integrations and software dependencies that open multiple possible entry points for attackers. Compromise of a single partner may result in impact to the entire environment.
- Rigorous Regulatory Landscape: The oil and gas industry is subject to many regulations, including the Pipeline Security Act from the Transportation Security Administration (TSA) for pipelines and critical infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) guidelines for the energy sector, the overarching National Cybersecurity Strategy and related initiatives, many state regulatory agencies, and international standards.
- Physical and Digital Convergence: In the oil and gas industry, cyberattacks from nation-state and other malicious actors can have real-world consequences, beyond loss of data and ransomware payments, including operational disruptions, environmental damage and safety hazards.
Adding to the problem, many organizations in the oil and gas industry have been around for quite some time, which means both stability and outdated platforms. Legacy OT systems are more difficult to patch, making them increasingly vulnerable to modern cyber threats through new IT integrations. To make updates, apply patches or collect logs, many rely on removable media, which in turn can introduce malware and data infiltration risks.
The 2021 Colonial Pipeline ransomware attack highlighted many of these issues, disrupting fuel supply chains, inflicting significant financial losses, and focusing attention on the potential national security ramifications. This incident brought home the importance of effective cybersecurity measures to the industry as a whole and the average American concerned about fuel shortages, lines at the gas pump, and the impact on their daily lives.
Bridge the IT-OT Divide
As IT and OT become increasingly interconnected, organizations must shift from siloed operations and adopt a collaborative cybersecurity approach. This requires IT and OT teams to align their goals and priorities, conduct regular joint assessments of the entire digital and physical landscape, and identify and mitigate vulnerabilities across IT and OT systems. The organization must also invest in security solutions designed for both IT and OT environments, covering network segmentation, access control and threat detection, among others.
Secure OT Environments
OT systems pose different cybersecurity challenges than traditional IT infrastructure, where threats primarily impact information confidentiality and privacy. Frequently, these systems operate on legacy platforms, have limited patching capabilities, and rely on air gaps and isolation, which are becoming less effective as connectivity between systems increases. To address these challenges, organizations must upgrade outdated OT systems and implement robust patching procedures for known vulnerabilities. In addition, it’s important to segment OT networks, implement access controls, monitor network traffic for unusual activity, and deploy threat detection systems designed for OT environments. Taking these measures will help security teams identify and respond to malicious activity quickly and effectively.
Assess Removable Media
Due to air gaps, limited network connectivity, and rugged environments, OT systems frequently rely on removable media, such as USB drives, CDs, SD and flash cards, and even vendor laptops. These devices enable teams to apply software updates and patches; transfer, back up, or restore configuration files or settings; transfer, store, and analyze data, such as logs, historical data, and diagnostic information; and load programs required for maintenance or troubleshooting. In fact, some older OT systems may not support modern network protocols or there may be compatibility issues with newer software delivery methods, in which case removable media becomes the only option to make updates and transfer data.
Unfortunately, removable media can be infected, introducing malware into critical systems. An attacker might also use such devices to exfiltrate data, resulting in intellectual property theft or financial losses. So, while removable media remains critical to maintaining both the security and operations of this critical infrastructure, addressing the risk these devices can introduce is essential to keeping systems up and running reliably.
Mitigate the Risks of Removable Media
Effectively managing removable media risk for OT requires organizations to limit the usage of removable media to essential tasks and authorized personnel. While undoubtedly vital to maintaining and using these systems effectively, excessive and unmanaged use of these media types can introduce confusion and reduce compliance with rules requiring that media be scanned.
To minimize risk, security teams should implement dedicated kiosks or scanning stations that provide media scanning to check files on the device against many anti-malware engines, assess file vulnerability, and provide a detailed report on findings. Selecting kiosks and other removable media scanning stations that work well in a variety of operating environments ensures that teams are scanning media before allowing access to critical systems.
The key to successful implementation is to design a security process that aligns with your organization’s workflow and needs, not simply checking a box for the point of it. Analyze how and why teams use removable media, where they need to use these devices, and how you can enforce the scanning policy to ensure compliance with the new technology.
Improving Cybersecurity in the Oil and Gas Industry
Ensuring reliable, secure operations demands a combination of technologies and strategies for organizations in this critical industry. The complexity of converging information and operational technologies and an increasingly complex supply chain makes protecting these systems and complying with a wide range of regulations a significant challenge. However, this industry cannot afford downtime; therefore, IT and OT teams must work together to secure these environments by addressing the potential threats posed by portable media and taking a comprehensive approach to protecting the environment as a whole.
Matt Wiseman is the Director of Product Marketing at OPSWAT managing the OT product line. His focus is on product, engineering, product marketing and cybersecurity strategy. Wiseman has experience working in large industrial organizations and has worked to provide comprehensive cybersecurity solutions for all key critical infrastructure industries. Prior to joining OPSWAT, he served in various cybersecurity strategy and global marketing leadership roles at Honeywell. Wiseman holds a bachelor’s degree in business management from Western University and an MBA from Laurentian University. In addition, he has obtained a variety of cyber related certifications from the Department of Homeland Security, a GISF and is a member of the GIAC Advisory Board. Based in Canada, Wiseman enjoys traveling, spending time outdoors, and playing sports and card games with friends and family.
Oil and gas operations are commonly found in remote locations far from company headquarters. Now, it's possible to monitor pump operations, collate and analyze seismic data, and track employees around the world from almost anywhere. Whether employees are in the office or in the field, the internet and related applications enable a greater multidirectional flow of information – and control – than ever before.
