Few industries have more to lose from a cybersecurity attack than the energy sector. While an attack in finance or retail can cost an organization millions of dollars, a targeted attack in the energy sector can cost lives.
When I made a career transition from the banking sector to the upstream oil and gas industry, the first major culture shock I experienced was the strong attention to safety in the corporate environment. I understood the focus on safety in the field, but was surprised when I was reprimanded for climbing the stairs in a corporate office with a cup of coffee that did not have a lid. This surprise was compounded when every meeting, on the phone or in the conference room, began with a safety moment and presentation.
One of the most important branches of an oil and gas company is the health, safety and environment department (HSE). Just like tech and ops, human resources and finance, HSE has its own budget, staff, and executives and is dedicated to classifying, tracking, reporting and responding to safety incidents and events.
But despite this focus on physical safety, I was shocked when I first found personal off-the-shelf devices attached to the network behind firewalls in the server room. There was a general lack of cybersecurity awareness that I had grown accustomed to experiencing in the banking and finance sector.
My first question to my new team was why cybersecurity risks were not treated as HSE incidents? It took some time to explain the potential cataclysmic effects of a cyberattack, even inside the corporate firewall. If some of the personal devices that I saw connected to the network contained a virus, cyber attackers could have stolen intellectual property, shut down plants and collapsed the organization.
At the time, the organization I was working with was also exploring the use of cutting edge technology such as automated sensors in the upstream environment, the segment of the oil and gas industry tasked with finding petrochemical reserves deep underground. This networking of IP-addressable sensors capable of machine-to-machine communication is called the Internet of Things, or IoT, and because these devices often are not regularly monitored or managed they can greatly expand an enterprise’s threat surface.
By 2020, the IoT market in the energy sector will be worth $22.34 billion USD
But despite this potential risk, the IoT is growing. A recent study from MarketResearch.com predicted that by 2020, the IoT market in the energy sector will be worth $22.34 billion USD.
The IoT is just part of the larger integration of information technology (IT) with industrial control systems (ICS) in the oil and gas industry. In many ways, the goals of IT and ICS are at odds with each other. IoT devices and ICS are designed under a data model called Accessible, Integrity, Confidentiality (AIC) where data is prioritized as accessible, data integrity is the second priority, and data confidentiality is the last priority in this model.
IoT devices and ICS are designed to have data accessibility and data integrity as priorities, with data confidentiality of third importance
IT is designed the opposite under what is classified as a Confidentiality, Accessibility and Integrity model (CAI). In this model, data confidentiality and data accessibility are the top two priorities, and data integrity is the third priority.
The AIC model makes sense from the physical safety point of view in ICS and oil and gas. If I am reading the flow of crude gas from a pipe, or a chemical mixture being introduced to gas at the refinery, it’s more important for the numbers on the valves to be accessible and as accurate as possible. Without this attention to accessibility and integrity, disasters can happen. The issue is that integrating these two models can cause gaps in security. These gaps can lead to a breach in the ICS from the IT side or vice versa. And without the ability to keep adversaries out of either system, the threats of a cyberattack are greatly increased.
In order to safely incorporate and get the full value of IoT, oil and gas companies must fully secure all technology—ICS as well as IT—and incorporate cybersecurity into their HSE organizations as a safety issue.
Securing technology requires:
- Mapping and documenting all networked devices
- Implementing policies to secure access to all systems
- Monitoring all networks continuously for activity and status
By incorporating these practices into their organizations, oil and gas companies can more securely, efficiently and effectively introduce new technologies into their current ICS and IT organizations.
How Tenable can help
The energy sector’s commitment to IoT is expanding along with the cybersecurity risks. Learn about how SecurityCenter Continuous View™ can help you take decisive action against risks by providing continuous visibility of all your assets and critical context surrounding threats.