Oil and gas plants have increased their cyber risk profile as they modernise plants and close the ‘air gap’ between IT networks and operational technology (OT) networks.
This is according to Phil Neray, VP of Industrial Cybersecurity at global security specialists CyberX, who notes that many oil and gas facilities are still using equipment that is 15 to 20 years old and designed before industrial cybersecurity was a primary consideration. In addition, many oil and gas facilities still run their IT and OT networks in siloes, with plant engineers – not cyber security experts – responsible for cyber security in the plants.
However, attacks such as last year’s high-profile TRITON attack on a petrochemical facility in Saudi Arabia, where hackers compromised the plant’s safety devices, highlight the cyber risks facing oil & gas infrastructures today.
CyberX’s recent 2019 Global ICS & IIoT Risk Report, which assessed vulnerabilities across over 850 industrial control networks around the world, found several common vulnerabilities: 53% of industrial sites used outdated Windows systems, 57% were not running anti-virus that updated signatures automatically, 69% have passwords traversing the network in plain-text, and the ‘air gap’ is a myth – as 40% of industrial sites have at least one direct connection to the Internet. In addition, 84% have at least one remotely accessible device and 16% of sites have at least one wireless access point.
“There are no compliance regulations obliging oil and gas facilities to report breaches, but we can assume there have been many more breaches than the TRITON attack,” said Neray.
“There could be various motivations for attacks on such infrastructure – nation state attacks carried out for political considerations; ransomware attacks; hacktivists objecting to policies or drilling activities; or even attacks designed to steal intellectual property.”
With oil and gas installations a significant and potentially lucrative target, attackers are likely to increasingly turn their attention to these facilities, particularly as plants modernise their infrastructures with new, connected IoT and automation systems.
While basic cybersecurity approaches such as patching, encryption and up-to-date AV are necessary in the OT environment, standard out-of-the-box IT network security devices are not effective in industrial facilities, according to Neray.
“Industrial cybersecurity requires specialised solutions, since OT systems use unique protocols and non-standard operating systems,” he said.
“Industrial cybersecurity systems also need embedded machine learning and behavioural analytics to understand routine M2M traffic patterns and detect suspicious activity.”
Neray says oil and gas organisations are taking the increased cyber risk seriously, and are now moving to address vulnerabilities, but that more urgency is needed.
“Cyber risk at OT level is a business risk,” added Neray.
“A danger for management teams is that some tend to think of cyber crime as a technical issue rather than as a business risk issue. But cyber crime has the potential to cause millions of dollars in losses, environmental damage, human safety risk, as well as downtime, brand impact, compliance issues and loss of intellectual property.
CyberX is available in Southern Africa through GECI, an international tactical cybersecurity specialist now launching a portfolio of cyber security innovations in the region.
“Cyber war and cyber crime could happen to anyone – it’s a pandemic and critical infrastructure is at risk,” said South African GECI representative Mike Bergen.