Oil and Gas companies face some of the most pressing cyber security infrastructure challenges of the modern era. “There are two types of companies in this industry,” according to Corie Allemand, Global Lead of O&G at Stratus, “those who have been hacked, and those who know they have been hacked.”
The vulnerability of all systems to cyber attacks is verified by countless examples, from the notorious Stuxnet hack a decade ago to the recent Colonial Pipeline breach. Addressing the myriad cyber security infrastructure challenges is a tall order — one that is compounded by increasingly stringent regulatory requirements that can quickly become unmanageable within legacy industrial automation architectures and traditional OT networks. In a recent webinar with Xage Security, our experts unpack the new DHS directives for cyber security infrastructure in O&G, their real-world implications for operators, and the high-level Edge Computing concepts that make the digital transformation journey seem almost too easy.
How We Got Here — Learnings From the Stuxnet Worm
Ten years ago, Stuxnet was the first hack of an industrial automation system, opening the world’s eyes to how hackers can access and control industrial automation (IA) systems and spoof data within them, despite the air gap between the OT network and the web. At the time, this air-gap approach was believed to create trusted networks that would only be vulnerable from the inside and impossible to access from the internet outside. Unfortunately, this assumption could not have been more wrong.
According to the 2015 book Industrial Network Security by Eric D. Knapp and Joel Thomas Langill, “Stuxnet proved many assumptions of industrial cyber threats to be wrong, and did so using malware that was far more sophisticated than anything seen before.” Six years later, as oil and gas companies embark further on their digitalization journeys, this statement continues to ring true.
The Stuxnet virus wormed its way into the so-called protected network that OT professionals everywhere relied on at the time. Despite the hackers’ intent to access one organization’s environment and complete one criminal mission, which they accomplished, their creation shook the world, mutating and devastating nations’ critical infrastructure one by one. “It spread all over the world,” Allemand states in the recent webinar, “the verbiage virus is very, very accurate.”
Stuxnet proved to the industry that no network, however far removed from the world wide web, can be trusted. This realization changed the course of industrial automation, hastening the digitalization of many sectors, including O&G. That digital transformation journey is ongoing, and especially critical for oil and gas companies to get right, as it can both increase organizations’ risk profiles and strengthen their security posture.
The Two Sides of Digitalization for Oil and Gas Companies
Bringing more digitalization into industrial automation environments is a catch-22 in several ways. While emerging technologies like Edge Computing introduce new tools and capabilities that improve decision making and protect the safety of operators and data, they also present pressing cyber security infrastructure demands. “As we bring these new technologies to bear in these new systems, we must ensure security is top of mind,” says Allemand.
With this in mind, O&G organizations should not shy away from digital transformation. In the recent webinar, Stratus expert Rudy de Anda reflects, “in order to be competitive, you’ve got to connect and leverage your data.” There are countless success stories where organizations that get this right not only shore up their cyber security infrastructure, but also unlock benefits that increase their market share and further their business objectives. Experts from Xage and Stratus reveal how oil and gas companies can reap the promises of digitalization, while ensuring regulatory compliance and without ripping and replacing legacy hardware.
Inside the DHS Guidelines for Pipeline Cyber Security Infrastructure
In July, the DHS issued cyber security directives for pipelines “in a bid to prevent a repeat of the Colonial Pipeline shutdown that sparked massive fuel shortages and gasoline panic-buying,” according to the Washington Post. While these requirements answer an urgent need for a standardized cyber security playbook in the sector, they also present burdensome challenges that daunt operators and IT staff alike.
Just a few of the DHS requirements that Xage and Stratus experts discuss in the webinar include:
- A zero-trust methodology that avoids implicit trust of any network
- Mitigation measures for user credential rotation and asset access management
- Protocols for updating and patching software
According to Joe Blazeck, Sales and Business Development Leader at Xage Security, “we are really moving away from the concept of trusted networks, where organizations verify once at the perimeter, and we’re moving towards a security approach where organizations continually verify every user, every device, application, and transaction. We are avoiding implicit trust in devices and networks and we’re moving to this new principle of least privilege.”
While these directives may seem obvious, they present headaches in the field. A prime example is software updates, which routinely cause unplanned downtime because of the sheer breadth of regions in which pipelines operate and the often disconnected groups of IT contractors that patch pipelines piecemeal across these vast geographies. Deploying an update to the platform and its software may seem like a simple task, but with that platform spread across North America, the breadth of the challenge becomes clear. Software patching, asset management control, and the sheer number of individuals’ credentials to maintain are just a few of the headaches for operators responsible for securing critical infrastructure today.
Stratus and Xage Ease the Pain of DX for Pipelines, Unlocking Game-Changing Possibilities
Implementing a zero-trust methodology and other requisite mitigation strategies is simple and easy with the right Edge Computing and cyber security solution providers. According to Blazeck, “the foundational tenet of zero trust is that no actor, system, network, or service operating outside or inside the security perimeter is trusted. Instead, these organizations verify any and all requests to connect to any systems before granting access. You can almost imagine that the security tools in a zero-trust model assume that devices and users have malicious intentions, and they almost assume that a breach has already occurred.” What this means practically is administrators must answer the question of how to implement a successful set of rules to verify every transaction in their network, a challenge that can quickly become unmanageable in traditional OT networks that rely on granular one-to-one rulesets.
This is where Xage and Stratus come in. Blazeck continues, “We approach this by building identities for all of these different pieces. We build an identity for every user, device, and application and extend that to data points. We then control — by grouping and by policy, as opposed to opening and closing firewall ports — how these identities are permitted to interact with each other. Each identity, whether it’s a user or a thing, has its own perimeter, and every identity is able to interact with other identities based on policies administered in the central Xage system. This identity-centric zero-trust approach allows operators to maintain trusted connections with all remote end points.” These are just a couple of the capabilities Xage solutions offer. Running this kind of cutting-edge cyber security software on a fault-tolerant server like the Stratus ztC Edge also allows organizations to operate through outages, securely.
The beauty of the Xage and Stratus solutions is that they’re primarily software-based and can sit on top of legacy hardware, enabling capabilities like onsite access filtering for older PLCs with no sense of security baked in. “It almost seems a little easy, a little simple,” Allemand says, “but we can deploy this … doing all the things that digitalization promises. You’ve got a server running at the edge, capable of performing these heavy-lift tasks at the edge — including security — as you extend that network out to meet new requirements.”
The criticality of adopting a secure industrial computing solution cannot be overstated. After all, if organizations are to use data from Edge Computing devices to make better business decisions, then it’s imperative to ensure the authenticity, accuracy, and privacy of that data, which hackers have a proven propensity to spoof in traditional IA architectures.
When the digital transformation journey is efficiently secured, however, the opportunities are endless. According to Stratus expert Rudy de Anda, “What we’re finding is that if you deploy those technologies, and you deploy them efficiently, it’s an opportunity to gain the bandwidth to deploy some of these really powerful connected and edge tools that leverage your data while also strengthening your security posture, rather than weakening it.”
To learn more, watch the full webinar, Actionable Insights to DHS Cybersecurity Requirements in Oil and Gas.