Like all industries, the oil and gas sector is increasingly facing cyberattacks. We spoke with Edgardo Moreno, industry consultant for cybersecurity at Hexagon, about threats targeting the oil industry, the sector’s peculiarities, and how oil and gas companies can better secure their facilities.
Like many industries, the oil sector is not immune to cyberattacks, especially ransomware and supply chain attacks. But unlike other plants, oil and gas facilities are what we call critical infrastructure. Attacks against them therefore have, by definition, serious consequences, so equipment must be properly protected.
What are the main attacks facing the oil and gas sector?
Edgardo Moreno: There have obviously been some attacks, but the most notorious is ransomware. They are currently the biggest concern in the industry. One of the most famous ransomware attacks in the oil and gas industry was the Colonial Pipeline attack. The oil and gas industry is part of what we call critical infrastructure. Critical infrastructure is essential to the functioning of society and the economy of a country. The Colonial Pipeline supplies the East Coast of the United States with nearly half of its gasoline and fuel. As such, the impact of such an attack is so high that it can really block our society.
Supply chain attacks are also very important. I think you remember the SolarWinds attack in 2020. This attack made it clear how important it is to protect the supply chain. Attacks on the supply chain are very attractive to hackers, because by compromising one component of the supply chain (such as software), they can affect a large number of companies using that software.
What was the impact of the Colonial Pipeline attack?
Edgardo Moreno: The attack itself affected the billing system rather than the facility’s control system. It blocked the ability to invoice customers. However, just by compromising this billing system, the attackers were able to force the company to stop operations, because the scope of the attack was not known at the time.
What did this attack reveal?
Edgardo Moreno: The attack revealed that the company lacked an adequate incident response plan. If they had a proper recovery strategy, they wouldn’t have paid the ransom. If the company pays the ransom, it means the data cannot be recovered as there is no recovery strategy. So we can improve here.
Also, shortly after the attack, the US government set new requirements for the industry. They have published a compliance guide for all customers working in areas critical to energy supply and distribution, such as the pipeline industry. Customers must follow these new guidelines and demonstrate that they are diligently securing their systems. I believe similar efforts will be made in other industries and other countries that are considered critical infrastructure. Unfortunately, you always have to wait until an incident occurs to take this kind of action.
Oil and gas is going digital. What are the current threats?
Edgardo Moreno: The need for digital transformation and further digitization means opening operational systems to IT networks. And this exposes those systems. The oil and gas sector is the industry that benefits the most from ransomware. And hackers know it.
And I think the war in Ukraine will increase cyberattacks on critical infrastructure. Whether they succeed is another story. But the trend is an increase in attacks.
What’s special about the oil and gas sector and what does that mean for attacks?
Edgardo Moreno: The oil and gas industry is truly unique. Facilities are often huge. For example, a single refinery can supply 20-30% of the energy used by an entire state or much of the country. As such, impacting just one giant oil refinery can wreak havoc, putting part of the country on lockdown. It differs from other industries such as universities and hospitals. Even if a hospital is hacked, there are other people taking care of the patients. But if a giant refinery were hacked, it could cause more chaos. Imagine a cyberattack leading to power outages statewide during the winter months. This happened in Ukraine in December 2016. Malware suspected of Russian origin caused an hour-long blackout in western Russia. Since it was winter, emergency mode had to be activated. So just cutting off the energy supply can cause a lot of damage. This makes cyberattacks more attractive to hackers, as the damage can be devastating.
How should the energy sector prepare to protect assets in the event of a cyber-attack like ransomware?
Edgardo Moreno: The first step in identifying risk is a comprehensive inventory of industrial assets and critical systems from Level 3.5 to Level 0 of the Purdue model, including hardware, software/firmware versions, and communication module data. It may look very simple, but it is complicated in the oil sector. The further down the Purdue model a system sits, the harder it is to get an inventory. Therefore, this is one of the major challenges of the industry.
After you’ve inventoried your system, you need to start managing your weaknesses. This includes patch management, risk management and analytics. Risk management tells us what technologies we need to implement to protect our systems.
We also need to track changes in the system and new devices. Change management is nothing new. The sector has long done that for physical assets. However, it is more difficult for cyber assets because there are more operational changes, and it is difficult to distinguish between normal operational changes and changes that may impact security. You can then add threat detection and anomaly detection.
These are preventive measures. But you also need a good recovery plan after an attack. You should know that you will end up in danger. Therefore, you need backups and a good recovery strategy. Otherwise, you have no choice but to pay the ransom.
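The inventory-then-vulnerability-management sequence described in the answers above, as an added illustration (not Hexagon's code or any product's logic): a constructed inventory tagged with Purdue levels is matched against constructed advisories with placeholder ids, and each finding gets a risk score that combines the advisory's assumed likelihood with a consequence weight that grows as the asset sits closer to the physical process.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    purdue_level: float   # 0 = field devices ... 3.5 = OT/IT DMZ
    vendor: str
    model: str
    firmware: str


# Constructed sample inventory (hypothetical vendors and models)
INVENTORY = [
    Asset("plc-crude-01", 1, "VendorA", "PLC-100", "2.1.0"),
    Asset("hmi-unit-3", 2, "VendorB", "HMI-X", "5.4.2"),
    Asset("historian", 3, "VendorC", "Hist", "10.0"),
    Asset("dmz-jump", 3.5, "VendorC", "Jump", "1.2"),
]

# Constructed advisories with placeholder ids (not real CVEs):
# firmware below "fixed_in" is affected; likelihood is an assumed exploitability estimate
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "vendor": "VendorA", "model": "PLC-100", "fixed_in": "2.2.0", "likelihood": 0.6},
    {"id": "ADV-PLACEHOLDER-2", "vendor": "VendorB", "model": "HMI-X", "fixed_in": "5.4.0", "likelihood": 0.8},
    {"id": "ADV-PLACEHOLDER-3", "vendor": "VendorC", "model": "Hist", "fixed_in": "10.1", "likelihood": 0.9},
]


def version_tuple(version):
    # Numeric dotted versions only; vendor-specific schemes would need their own parser
    return tuple(int(part) for part in version.split("."))


def consequence(level):
    # Assumed weights: lower Purdue levels are closer to the physical process,
    # so a compromise there carries the highest consequence
    return {0: 1.0, 1: 0.9, 2: 0.7, 3: 0.5, 3.5: 0.3}[level]


def find_vulnerable(inventory=INVENTORY, advisories=ADVISORIES):
    """Return (asset, advisory id, risk score) for every unpatched match, highest risk first."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            same_product = (asset.vendor, asset.model) == (adv["vendor"], adv["model"])
            if same_product and version_tuple(asset.firmware) < version_tuple(adv["fixed_in"]):
                score = round(adv["likelihood"] * consequence(asset.purdue_level), 2)
                findings.append((asset.name, adv["id"], score))
    return sorted(findings, key=lambda f: f[2], reverse=True)
```

The HMI is already at a fixed firmware, so it produces no finding; the PLC outranks the historian despite a lower likelihood because it sits at Level 1.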
Are oil and gas facilities more difficult to protect than facilities in other industries?
Edgardo Moreno: A very old system is in operation in this sector. Some stores have been in business for 10 or 20 years. Upgrades cannot happen as frequently as they do in other industrial sectors. It is definitely a challenge for the industry. Also, the technology is developed by many different vendors, each with their own patching processes, legacy systems, and unique configurations. There are no standard protocols. So if you want to do an upgrade, the facility will have to be shut down for 3-5 months. This means that you will not be able to produce and you will lose money.
What in Hexagon’s portfolio can help companies upgrade their systems?
Edgardo Moreno: Hexagon’s PAS Cyber Integrity® enables you to inventory critical systems. This also includes inventories of orphaned and transient assets common in OT/ICS environments. Compare your derived OT/ICS asset inventory to known vulnerabilities and map your attack surface.
With Cyber Integrity, you get a centralized, detailed and comprehensive vulnerability management solution that is the trusted resource for vulnerability assessment, patch planning and risk assessment activities. Once you know which vulnerabilities are most important to remediate or mitigate first, you can adjust your security posture by considering the likelihood and consequences of vulnerability exploitation in your environment. You’ll be able to calculate a risk score that tells you where to focus your resources to mitigate risk.
It also provides the ability to track and manage changes as you power down your facility and begin making changes to physical systems (pipes, cables, etc.) and cyber assets. Customers can take a snapshot of their network configuration before any changes are made and review these changes after the work is complete.
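The before/after snapshot review mentioned above, and the difficulty of telling normal operational changes from security-relevant ones, as an added example (not Hexagon's or Cyber Integrity's code): two constructed snapshots of one PLC are diffed, and each changed attribute is classified by an assumed list of attack-surface-affecting keys so reviewers can focus on the security-relevant changes.

```python
# Constructed snapshots taken before and after a maintenance window (hypothetical asset)
BEFORE = {
    "plc-crude-01": {
        "firmware": "2.1.0",
        "open_ports": [502],
        "users": ["eng"],
        "setpoints": {"pressure": 120},
    }
}
AFTER = {
    "plc-crude-01": {
        "firmware": "2.2.0",
        "open_ports": [502, 23],
        "users": ["eng", "tmp"],
        "setpoints": {"pressure": 125},
    }
}

# Assumed classification: these attributes change the attack surface,
# everything else is treated as a normal operational change
SECURITY_KEYS = {"firmware", "open_ports", "users"}


def diff_snapshots(before, after):
    """Return (asset, attribute, old, new, kind) for every attribute that differs."""
    changes = []
    for asset in set(before) | set(after):
        old_cfg, new_cfg = before.get(asset, {}), after.get(asset, {})
        for key in set(old_cfg) | set(new_cfg):
            if old_cfg.get(key) != new_cfg.get(key):
                kind = "security" if key in SECURITY_KEYS else "operational"
                changes.append((asset, key, old_cfg.get(key), new_cfg.get(key), kind))
    # Sort on asset and attribute only; values may be lists or dicts that do not compare
    return sorted(changes, key=lambda c: (c[0], c[1]))


def security_changes(before, after):
    """Only the changes a security reviewer must sign off on, e.g. the new telnet port and user."""
    return [c for c in diff_snapshots(before, after) if c[4] == "security"]
```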