4 minute read 29 Aug 2018

How oil and gas companies can manage digitization and cyber disruption

By

Piotr Ciepiela

EY EMEIA Security & Critical Infrastructure Leader, Associate Partner, EY EMEIA Advisory Center

Critical infrastructure security and operational technology leader. Over 14 years of experience managing international, complex OT and IoT security projects. Team and thought leader. Strategy former.


Today, cybersecurity risks are not being effectively identified, tracked or monitored. Discover how to minimize the risk of emerging technologies.

The oil and gas sector has always welcomed technology, but the collapse in oil prices internationally and competitive pressures have forced speedier recourse to technology. The adoption of the Internet of Things (IoT) has helped the industry drastically cut costs and replace manpower.

However, most IoT devices lack appropriate means of security, making it easy for attackers to exploit the weaknesses of the systems operating the devices. Important corrective steps have been initiated in the US, as security companies, manufacturer associations and even government agencies have begun to cooperate, but these steps are far from constituting a sufficient defensive response.

Increasing digitization in the world of oil and gas may mean profits now, but could leave companies open to cybersecurity risks. We explore the changing landscape of cybersecurity, and what oil and gas companies can do to protect themselves.


The changing world of oil and gas

Operational technology (OT) refers to computing systems used to manage industrial operations as opposed to administrative operations. Operational systems include production line management, mining operations control, and oil and gas monitoring. In the oil and gas sector, these systems are used to monitor and control operations across the entire value chain. OT systems are increasingly vulnerable to subversion.

Cybersecurity in the oil and gas sector has multiple dimensions, including latent ones and those not immediately discerned by the human eye. Risk-savvy security executives will base their investment decisions on a clear understanding of what the critical business processes are, what the risks of the underlying technology are, and what the impact is of a violation of the availability, integrity or confidentiality of process data.

At the heart of oil and gas operations, where the extraction or production takes place, the availability of the process and the integrity of process data are the primary focuses for most security engineers in the field. Any potential incident that violates process data will have the biggest impact on the bottom line.

Importance of intelligence against cyber threat and integration in the oil and gas industry

Early warning and detection of breaches are essential for being in a state of readiness, indicating that the emphasis of cybersecurity has changed to threat intelligence. Oil and gas companies need to invest more in threat and vulnerability management systems. Organizations may not be able to control when information security incidents occur, but they can control how they respond to them — expanding detection capabilities is a good place to start.

A well-functioning security operations center (SOC) can form the heart of effective detection. By leveraging industry-leading practices and adopting strategies that are flexible and scalable, oil and gas organizations will be better equipped to deal with incoming (sometimes unforeseen) challenges to their security infrastructure. The industry has to change its perception about security investment as an obligatory cost and instead see it as a business enabler.


Measures oil and gas organizations can take

Oil and gas organizations have the broad experience necessary to manage and support complex operations linked by large-scale networks, and with many points of ingress and egress. They should apply this experience to securing these environments by:

  • Implementing security monitoring capabilities
  • Enhancing response plans
  • Working more closely with public sector security bodies and security partners
  • Leveraging the strong health and safety culture that already exists to instill a true security culture

Technical measures to achieve the above would include, but are not limited to:

  • Segregate corporate and industrial control system (ICS) networks to reduce island-hopping attacks
  • Reduce and protect privileged users to detect and prevent lateral movement
  • Employ application whitelisting and file integrity monitoring to prevent execution of malicious code
  • Reduce the attack surface by limiting workstation-to-workstation communication
  • Deploy robust network intrusion protection services (IPS), application-layer firewalls, forward proxies, and breach detection with sandboxing or other dynamic traffic and code analysis
  • Use and monitor host and network logging
  • Implement pass-the-hash mitigations
  • Deploy anti-malware reputation services to augment traditional, signature-based antivirus services
  • Run host intrusion-prevention systems
  • Quickly shield and patch known operating system and software vulnerabilities

Effective measures can preserve operational integrity and harvest the real gains of the digital revolution while avoiding the pitfalls that come with the adoption of a new technological paradigm.

Working together is vital to building future protection from cyber threats.

Summary

The next phase of cybersecurity within the oil and gas sector needs to recognize the value of joining these resources together: using working groups to share and disseminate threat intelligence, using the experience and capability of consultancies to drive change and improvement programs, and leveraging security vendor technology to underpin different aspects of cyber threat monitoring, alerting, defense and response.
