Successful Cybersecurity in Transmission and Distribution/Oil & Gas
Rick Peters, CISO, Operational Technology, North America | Fortinet
Mission-critical operational technology in the transmission/distribution and oil and gas sectors is rapidly becoming digitized. This has dual results: it’s expanding business potential but also increasing cybersecurity risks. In fact, the cyber threats that the oil and gas industry faces are significant. An attack on the supervisory control and data acquisition (SCADA) system that operates an offshore rig, oil well, pipeline or refinery—or against enabled Internet-of-Things (IoT) devices that deliver monitoring data to such systems—can have devastating consequences.
Consequences could include expensive damage to facilities, lengthy supply disruptions and even injury and loss of life for employees, bystanders and nearby residents. Such attacks on corporate infrastructure could compromise intellectual property such as exploration data surveys, as well as pose data security risks for business and personnel information.
The cybersecurity landscape
Oil and gas companies own and manage large and important sections of critical infrastructure that are vital not only to company operations but also to the nation’s economic and military well-being. Upstream, midstream and downstream operations are valuable targets for cyber threats from adversaries with a variety of motives—from personal profit to industrial espionage to economic disruption. Due to the critical nature of these facilities, oil and gas companies also face stringent cybersecurity regulations.
Understanding the challenges
There are three primary cybersecurity challenges these industries face. First, cybersecurity risk is increasing in these sectors. In fact, according to a recent study by Fortinet, 86% of responding companies said they’d experienced one or more types of cybersecurity incidents in the past 12 months.
Second, potential attack vectors are expanding. Industrial IoT (IIoT) devices have undermined the security of SCADA systems used to manage drilling sites, pipelines and refineries. It’s well-known that internet-connected sensors and connected controller devices eliminate the air gap from the internet that historically kept SCADA systems relatively safe from cyberattacks. Clearly, this convergence of infrastructure expands a company’s threat landscape.
Third, staffing is an issue. Many companies have multiple components of infrastructure challenged by the kinds of vulnerabilities just noted, putting a greater burden on cybersecurity team members. Complicating matters, the cybersecurity skills gap is widening, with an estimated shortage of more than 4 million workers, compared with 2.8 million currently working in the field. This means hiring additional team members to address these issues is costly, and it may be impossible to find some specific skills in the labor market at any price. In any event, adding more staff does not address the core problem: manual security processes are insufficient to deal with threats that move at machine speed.
Balancing costs, productivity and the right security
The right security solution must be designed in such a way that it does not impede operations. Costs are of particular concern, making it harder to replace legacy systems. This is partly because petroleum markets are notorious for their wild price fluctuations. This volatility means that a company can easily go from significant profitability to an operating loss in a matter of days.
Consequently, minimizing cost is always a priority for oil and gas companies as they try to structure operations to survive periods of low prices. In this scenario, replacing expensive, older equipment due to security vulnerabilities is sometimes out of the question. Instead, they must find creative approaches to keeping the equipment secure.
Such resourcefulness must be applied in constructing an effective cybersecurity strategy. While a disaggregated security architecture and mobile users impede both operational efficiency and security, centralized control and single-pane-of-glass visibility enhance both. End-to-end integration of the security infrastructure unlocks automation of threat detection, response and reporting, freeing up time for highly paid security professionals to focus on strategic tasks.
Aggregate to dominate
In today’s digital reality, opportunities also bring threats. The promise of greater efficiencies and business possibilities in the transmission/distribution and oil and gas industries carries the trade-off of heightened cybersecurity risk – risk that extends beyond the organization to critical infrastructure and even to individual consumers. Cybercriminals only have to be right once to carry out a successful attack, while defenders have to be right 100% of the time to be considered successful. And the press doesn’t cover the 99% of successful preventions, detections and mitigations that occur. Corporate reputations are on the line every day.
The highest level of security available is typically the top-of-mind goal, but productivity and cost must factor into the overall design. When legacy systems can’t be replaced, organizations must find creative ways to aggregate their security architecture for greater visibility, control, efficiency and security. Integrating security solutions in this way also reduces the need for additional, hard-to-find staff. Knowledge of the security trade space and of smart cybersecurity investment enables the positioning of a strong, flexible and proactive strategy for OT business resilience.
About Rick Peters
Rick Peters is the CISO for Operational Technology, North America for Fortinet Inc., delivering cybersecurity defense solutions and insights for the OT/ICS/SCADA critical infrastructure environments. Mr. Peters is a repeatedly published OT security thought leader and a frequent speaker at global industry events.
The content & opinions in this article are the author’s and do not necessarily represent the views of AltEnergyMag