Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Security Implications of Infrastructure Modernization

As oil and gas facilities face increasing pressure to improve production and minimize extraction and refining costs, modernization of sites and systems is inevitable.

The adoption of new technologies in oil and gas facilities is a dual-edged sword. 

On one side, there are obvious benefits of implementing industrial internet of things (IIoT) devices to improve efficiencies and reduce operational costs.

On the other, there are inherent risks associated with system upgrades. 

Case in point: the Columbia Gas incident in metropolitan Boston in 2018, which produced a series of explosions in Andover, North Andover and Lawrence, Massachusetts. The incident resulted in more than 70 fires, one death, dozens of injuries, 30,000 people evacuated and the destruction or damage of more than 100 structures. About 9,000 customers were left without power.

The New York Times reported that a system upgrade caused gauges that monitor pressure levels to go offline. Unchecked over-pressurization triggered the blasts.

While human error can cause incidents like the one for Columbia Gas, similar incidents could just as easily become the work of terrorists.

Oil and gas executives are acutely aware that once-isolated operational technology (OT) networks charged with refining, mixing and distributing petroleum are increasingly connected to the “outside world” via the industrial internet of things (IIoT).

In addition, modernization inevitably involves some degree of digital transformation, which exposes facilities to more security threats than ever before.

Attacks such as BlackEnergy, Industroyer, VPNFilter and Wannacry are just a few of the malware campaigns that have affected critical infrastructures. The actors in some cases were rogue factions, including nation states, that hacked into industrial networks and caused havoc.

However, the threat from within is also omnipresent and highly significant. Insiders have “the keys to the kingdom” or at least know how to find them.

The IIoT threat

The internet of things (IoT) and IIoT show tremendous promise for improving oil and gas operations. 

Increasingly, companies are investing in the cost saving and productivity enhancing benefits of networked smart devices, which can communicate and coordinate with one another via the internet.

The IIoT downside? Few vendors and customers have fully considered security risks associated with the technology. 

The introduction of new access points into your company’s network, plus the current lack of security standards for IoT devices, can create holes for punching through perimeter defenses.

how to secure OT networks during infrastructure modernization

However, the planned or (worst-case scenario) unplanned introduction of IIoT devices into your enterprise network creates opportunities for a host of external and internal threat actors, including:  

  • Terrorists acting alone, independent of an organization or group, or someone incited by an organization or group.
  • State-sponsored adversaries acting on behalf of a government, whose activities can span computer-based and physical attacks.
  • External cyberattacks caused by hacktivists to promote a political agenda or a social cause.
  • Internal attacks created by malicious insiders, such as a disgruntled employee or third-party contractor who is paid to exfiltrate information and/or cause damage to your organization.
  • Unintentional mistakes due to human error that cause damage and/or downtime because of incorrect changes to industrial processes or equipment.

Yet another variation — account compromise — resembles an insider attack since it occurs when an external attacker hijacks an authorized user’s account (employee, vendor, integrator, etc.). These are typically achieved using social engineering techniques such as phishing emails and or a “call from the IT department” requesting the user’s ID and password.

Three top security risks in industrial networks

Below are three of the top security risks facing industrial organizations today:

  1. Default passwords. IIoT manufacturers can pre-configure devices with a default password, which is a time-saver for IT staff. However, this benefit is also a major security flaw. When hundreds of thousands of devices share the same default passwords, attackers can easily compromise organizations that neglect or intentionally decide not to change them.
  2. Missing patches. Many IIoT devices cannot be patched or vendors do not issue patches for known vulnerabilities, so missing patches are another huge problem for organizations.   
  3. Too many devices to manage. Most organizations have endless IIoT device lists that extend beyond traditional OT to include alarm systems, cameras, thermostats, vending machines, etc. Even an apparently harmless device can pose a threat. For example, you should never connect an IoT coffeemaker to your IT or OT network, since the machine has no security features.

Regardless of the IIoT device type, attackers can use any or all of them as stepping stones to compromise your IT and OT networks. 

For example, many IIoT devices have exposed internet ports, which attackers can use to bypass your firewall. Once inside your network, a hacker can do extensive damage to IT and OT infrastructures and move laterally between them. Think data breaches, viruses, ransomware, sabotage and data exfiltration.

Three key defense measures

Protecting refining, petrochemical and distribution networks from insider and outsider threats involves the following three best practices:

  1. Asset management. Identify and map all devices in your OT environment to keep an up-to-date inventory of them — even of those that aren’t actively communicating over your network. Some software can collect granular information on each device, including firmware versions, PLC backplane configurations and serial numbers.
  2. Risk and vulnerability assessment. There are many potential attack vectors to defend, so it’s best to focus on your greatest sources of risks and vulnerabilities. This involves automating processes you use to identify and address new vulnerabilities. A vulnerability management system can generate periodic reports of risk levels for each asset in your industrial control system (ICS) network. When the system discovers new vulnerabilities (or when new vulnerabilities are disclosed) you should have a mechanism in place to identify affected devices, remediate threats and verify when your team successfully applies a fix.
  3. Device and configuration management. Monitor and manage changes in your ICS environment to ensure that device and system configurations are secure and well-documented. This requires maintaining a continuously updated list of version numbers of all installed software and firmware, which you should regularly compare against a list of known vulnerabilities.

Meanwhile, regular OT network scanning can detect unknown devices and unintended changes. 

The best solutions issue notifications whenever a new vulnerability appears. They also combine network monitoring with device queries to provide in-depth vulnerability assessments. For example, they provide information on current device firmware versions and associated CVEs, list open ports and calculate accurate, up-to-date risks.

You should also enforce security policies to control which devices can perform certain (privileged) actions, such as code or firmware downloads to industrial controllers. Additionally, policies should mandate that certain devices do not access the internet.

Unifying IT and OT security

With more pressure to increase production and minimize extraction and refining costs, sites and system modernization is inevitable. Meanwhile, it’s necessary to extend the life of mature sites to maintain supply levels, since developing new sources — as well as extraction, transportation, and refining infrastructure — are more costly and complex alternatives.

As a result, monitoring control systems and processes for unintended changes — whether they are the result of malicious attacks or human error — is central to preventing shutdowns. This is an important beneficial byproduct of implementing your OT security program.

In addition to these market pressures, the oil and gas sector must also comply with stringent environmental regulations and standards that cover production, extraction and distribution processes. Here again, active monitoring of OT networks, devices and activity can help detect and prevent problems before they lead to environmental incidents.

One way to combat the broader attack surface created  by modernization initiatives — and to mitigate the threat to production and environmental control systems posed by cyber incidents and human error — is to converge IT and OT security groups. While challenging, such collaboration can mitigate those risks and vulnerabilities which span these two infrastructures, simultaneously facilitating implementation of security best practices.

Learn more

Download the white paper, Mind the Gap: A Roadmap to IT/OT Alignment, for more insight into how to address the expanding cyberattack surface in industrial networks.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.