Far beyond compliance—how to develop a robust cybersecurity stance
By Willi Nelson, field CISO for OT, Fortinet
As one of the 16 areas designed by the US Cybersecurity and Infrastructure Security Agency (CISA) as critical, the oil-and-gas (O&G) industry is under the microscope when it comes to cybersecurity. There’s no doubt that the risk is growing. The sector quickly becoming a bigger target for sophisticated cyber-attacks as attackers see the gaps in O-security infrastructure.
A new report from the US Government Accountability Office notes that the offshore oil-and-gas infrastructure, in particular, faces cybersecurity risks that the Dept. of the Interior needs to address immediately. The report specifically called out offshore oil and gas as needing a better security strategy. And the Transportation Security Administration has recently introduced newly revised cybersecurity requirements.
But it’s not just the public sector that needs to take these matters to heart; the private O&G sector must also address them, and organizations need to move beyond mere compliance.
Moving past the legacy infrastructure problem
Much like other OT industries, this sector is struggling with legacy technology.
OT systems frequently use older operating systems, making it more challenging to secure them using conventional endpoint security solutions.
Thus far, many organizations have attempted to cover new risk exposures by introducing a wide range of point-security products. Yet, this strategy adds complexity and creates chinks in the security armor. In a recent poll, 60% of participants said that their biggest problem in safeguarding OT technologies and processes was the technical integration of outdated OT technology with newer IT systems.
Convergence is the other key factor here. Infrastructures for an increasing number of organizations’ OT and IT are converging. The security of industrial-control system (ICS) assets is now acknowledged by businesses as being essential to their operations. The top priority, in fact, for ICS organizations is assuring the dependability and accessibility of control systems.
How the TSA’s new pipeline-security guidelines will impact the industry
After the May 2021 ransomware attack against a major pipeline, the TSA issued several security directives requiring owners and operators of pipelines to implement numerous urgent cybersecurity measures.
The latest version of these directives require that TSA-specified oil-and-gas operators prevent disruption and degradation to their infrastructure to maintain strong cybersecurity. Pipeline owners and operators must:
- Create and implement a cybersecurity-implementation plan that has been approved by the TSA and outlines the exact cybersecurity measures being used to meet the security objectives outlined in the directive.
- Create and maintain a cybersecurity incident-response plan that details the actions pipeline owners and operators will take if a cybersecurity incident results in operational disruption or severe business degradation.
- Create a cybersecurity-assessment program to test in advance and routinely audit the efficacy of cybersecurity safeguards, as well as to find and fix vulnerabilities in hardware, software and networks.
Best practices for leaders
OT leaders should implement two strategies that will help them not only meet but exceed TSA directives. One is zero-trust access (ZTA). Now that the OT air gap is essentially gone, leaders can set up ZTA to prevent access to any user, device or application without proper credentials. By doing so, organizations can mitigate threats both inside and outside the network, thereby preventing data breaches.
Applying a consistent "never trust, always verify" policy to each wired and wireless network node is the first step in ZTA. In a complicated environment, this is not always easy to execute, but applying well-known best practices can greatly advance the strategy. By giving individuals and devices only the access they need, the principle of least privilege can be used to reduce threats in both internal and external network communications.
Microsegmentation is a second important strategy. Network segmentation enhances security by blocking breaches from propagating throughout a network and entering vulnerable devices. But given the possibility of unintentionally affecting a manufacturing process during the segmentation process, it might be particularly challenging in an OT context. With the appropriate procedures and tools, you can segment your network and further divides it into microsegments.
Security architects can further segment an environment with microsegmentation to provide a lateral view of all assets. Granularity is attained by logically segmenting the network environment into unique security areas all the way down to the level of a single task. Microsegmentation provides improved attack resistance and, in the event of a breach, restricts a hacker’s ability to migrate between compromised apps because restrictions are applied to particular workloads.
The time to act is now
It’s critical for oil-and-gas companies to comply with all security requirements put forth by their governing bodies. But organizations can go beyond mere compliance and into a robust cybersecurity stance by following today’s best practices. This includes implementing zero-trust access and microsegmentation across your network. These actions will help safeguard the critical sector you belong to.