What electricity can teach oil & gas about critical-infrastructure protection
Gas prices aren’t the only thing to hit record-breaking highs in 2022. According to the Identity Theft Resource Center, ransomware attacks doubled in 2020, again in 2021, and are on pace to surpass phishing as the number one root cause of data breaches in 2022.
Now, more than ever, the oil-and-gas industry needs to be prepared for the eventuality of a destructive cyberattack. The North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) is a regulatory compliance framework for the electric industry, which can be applied to the oil-and-gas industry to share best practices and elevate the cybersecurity posture of adjacent industries.
A pipeline of attacks
The Colonial Pipeline ransomware attack was one of the most significant cyberattacks in the past two years, but a similar attack on the oil-and-gas industry today could be even more disruptive. When DarkSide, a Russian ransomware family, breached Colonial Pipeline, they actually entered through the IT side of the business. As a result of this IT breach, the company was forced to shut down its operational technology (OT) environment to prevent the attack from spreading. The fallout was a week-long gas crisis.
Who knows what a direct attack on the OT network could have done?
Russia has been widely criticized for providing a safe harbor to ransomware gangs. Recent leaks from Conti, the most profitable ransomware family in existence, revealed that Russian law enforcement officials have warned ransomware families of pending investigations. Although Russia engaged in the performative arrest of the REvil ransomware family in January 2022, that sort of appeasement is unlikely to continue in light of the ongoing conflict in Ukraine.
In fact, in February 2022, Conti threatened to use “all possible resources” to attack the critical infrastructure of any actor that engages in “cyberattacks or any war activities” against Russia. Furthermore, in March 2022, an FBI FLASH warned that RagnarLocker has compromised at least 52 organizations across 10 critical-infrastructure sectors, including energy. Beyond that, a 2015 cyberattack on Ukraine’s power grid seems more relevant now than ever.
Organizations need to learn from past events in order to better secure their infrastructure today and in the future.
Consider this from Forrester Senior Analyst Brian Kime, “In the past year, we have observed more ransomware designed to detect data historians and other types of technologies common in OT environments. Prior to that, most threats to industrial systems were from state-nexus actors. The threat landscape for critical infrastructure and industrial-asset owners is expanding every year.”
Blurred lines
Just as the lines have blurred between ransomware attacks and advanced persistent threats (APTs), the oil-and-gas industry has been challenged by the blurred lines between IT and OT environments. The inexorable tide of IT/OT convergence promises greater efficiencies, but it is not without risk.
Part of the challenge is that IT and OT environments have typically been managed by different teams with different priorities, but industrial-control systems are particularly vulnerable to exploits and attacks. Many of these traditional OT systems and environments were developed long ago and require legacy operating systems that are no longer supported. This leaves many OT environments vulnerable, with a broader attack surface due to the long list of known vulnerabilities.
Securing these systems is typically accomplished by physically isolating them with air-gapped networks and demilitarized zones (DMZ), but this can introduce its own challenges. Even as IIoT devices erode the IT/OT perimeter, it remains difficult to deploy and manage cybersecurity solutions on OT networks.
For example, updating anti-virus definitions and applying security patches to vulnerable legacy systems can require downloading updates to a dedicated host, verifying the source of the update and scanning it for malware, writing the updates to portable media, and using that media to update the patch server. But even portable media devices, such as USB keys, can be their own source of risk. Stuxnet, a malicious worm that destroyed nuclear centrifuges, was reportedly implanted by an infected USB key.
Oil & gas practitioners—What can we do?
With all of this known, oil-and-gas companies need to constantly reevaluate their OT-security posture. Cybersecurity planning and technology is not a “one and done” operation. Teams need to constantly look at the latest threats, vulnerabilities and challenges faced across not just the oil-and-gas space but all critical-infrastructure industries.
The best thing an organization can do is to formalize its cybersecurity policies, prioritizing compliance across sites. This will help to ensure that nothing slips through the cracks. Next, teams should evaluate current technology and practices, comparing them to the latest threats and vulnerabilities. Something as simple as analyzing how data enters and leaves your facility can go a long way. Formalizing how you scan data and content before it enters the secured critical network can help to prevent malware from entering your production environment.
The ability to enforce these policies with technology can provide some peace of mind to operators who need not worry if a policy is being complied with across sites. There are many simple changes we can make to our current practices that can go a long way in improving our cybersecurity posture. The important thing is to remember is that cybersecurity is a journey and we need to be always learning and improving our current program.
What about NERC CIP?
NERC CIP is a regulatory-compliance framework that spans a dozen standards for enforcement, from physical security to cybersecurity, personnel and training. Only bulk electric systems (BES) are required to comply with NERC CIP, but these standards could still provide valuable guidance for the closely related oil-and-gas industry.
For example, NERC CIP-010-3 (Cybersecurity—Configuration Change Management and Vulnerability Assessments) provides specific controls for the challenges around managing, authorizing and mitigating the risk of transient cyber-assets, such as USB keys. Software-vulnerability management should be accomplished through security patching. Malicious-code mitigation should be achieved through anti-virus software. A physical appliance should scan USB keys for malware before entering OT environments.
Looking ahead, NERC will be implementing three new supply chain standards on October 1, 2022. These new standards are intended to address the cybersecurity risks related to attacks such as the SolarWinds breach, the Kaseya ransomware attack, and the Log4J vulnerability. Implementing a security-operations center (SOC) and an incident-response (IR) team are the hallmarks of a mature cybersecurity program—both of which could also prove beneficial for the oil-and-gas sector.
By Benny Czarny, founder and CEO of OPSWAT