By Dennis Hackney, Head of Industrial Cybersecurity Services Development, ABS Group.

For the foreseeable future, our global economy will continue to rely on fossil fuels as our primary energy source and it touches every aspect of the supply chain. This is why the oil and gas sector continues to be a target for cyber attacks, from state and non-state actors alike, looking to cripple infrastructure, hold systems for ransom, or infiltrate and gain access to new technologies. Although the industry is aware of these escalating threats, there is much that can still be done to increase the safety and security of cyber operations in the global oil and gas industry.

Why is the Energy Industry Prepared for Physical Threats, but Not Cyber?

Most facilities know how to handle physical emergencies. Physical events pose immediate threats to the safety and well-being of workers and the environment, pushing organizations to have clear procedures in place for shutting down and opening up operations. But, despite cyber attacks having real world consequences, do these facilities have the processes and procedures needed to detect an attack? Yes and no. Even though some companies have robust Operational Technology (OT) cybersecurity programs in place, many just meet the minimum criteria of industry’s guidelines and regulations. But being compliant is not the same as being secure. For many refineries and petrochemical facilities, the lack of OT cybersecurity could result in huge losses and a ripple effect felt across the supply chain.

A Year in Review: What We’ve Learned from Cyber Attacks on Critical Infrastructure

This type of ripple effect was felt strongly in May of 2021 when the 5,500-mile Colonial Pipeline shut down for 6 days following a cyber attack. The attack originated on the Information Technology (IT) side of the business (in its billing department) but ended up disrupting the OT environment. This resulted in huge losses to the company, including a ransom payment of around $4.4 million, and had a direct impact on consumers around the U.S. Five days after the initial shut down, 16% of gas stations in North Carolina had run out of fuel. Gas prices surged across the country and even states not connected to the pipeline saw consumers rushing to the pump in a panic to secure gasoline.

Another attack in February of 2021 targeted a water treatment plant in Oldsmar Florida. During this attack, hackers gained access to a computer that controls the balance of chemicals in the water supply for a town of a little over 15,000 people. The intruder was able to raise the level of sodium hydroxide in the water to lethal levels. While this attack was caught by the plant operator and no one was hurt, the message was clear – cyber threats on critical infrastructure are more than capable of bridging the IT/OT gap resulting in a cyber-physical event.

How Threat-Actors Penetrate and Disrupt the Supply Chain

Often malware programs are installed years before they are detected. Night Dragon, one of the first cyber attacks of its kind, targeted 71 different organizations in the U.S. with a specific focus on global oil, energy, and petrochemical facilities. The program used relatively simple methods for infiltration and went almost entirely unnoticed until McAfee security began releasing information about it nearly five years later. Industrial organizations and their vendors may not even be aware of threats already lurking in their systems. Breaches that begin as simple malware programs in IT environments are having real world impacts on OT systems. Organizations should start thinking beyond compliance and begin implementing OT cyber programs that can detect, respond to, and mitigate the impacts of these threats to themselves, their suppliers, and customers.

Vendors may be inadvertently passing on security risk to organizations that build and monitor critical infrastructure, creating new vulnerabilities. As equipment becomes increasingly digitized and the need to update and monitor the software running the physical OT equipment grows, original equipment manufacturers (OEMs) are retaining a higher level of connectivity with their equipment even after it is installed at a new location. This means monitoring software run by a third-party is now an integral part of technology inside an organization’s operations. Threat actors are aware of these new vulnerabilities and are constantly monitoring for new ways to exploit them. The SolarWinds attack in 2019, illustrates how this style of attack happens. The company’s monitoring software, Orion, was compromised by the Russian foreign intelligence service, SVR.

Taking Control: How to Manage OT Systems and Vulnerabilities

Securing critical infrastructure comes down to visibility and control. Do I have visibility into my critical OT systems and do I have control over them? Securing OT environments is very different than IT and requires a different approach with different technologies and skills. In fact, IT cyber solutions can break OT systems leading to operational disruption. Many cybersecurity programs are driven by compliance, however protecting the nation’s critical infrastructure will require private industry to look well beyond government regulation. Currently, 85% of the United States critical infrastructure is run by privately owned companies and the regulatory framework that exists seems to be causing turbulence rather than helping organizations become more secure. The latest U.S. Transportation Security Administration (TSA) requirements for pipeline cybersecurity have more directives aimed at personal computers than pipeline control systems, leaving companies confused on how to comply. Between staffing shortages and requirements that are either based in IT systems rather than OT, or requirements that can’t be applied across all industrial settings, compliance alone is no longer enough. Companies have to take responsibility for protecting the nation’s infrastructure into their own hands by first controlling what they can control. To address the threats of supply chain attacks, offshore platforms, refineries, pipelines, and petrochemical facilities can start with a few key actions.

• Update vendor monitoring processes. When equipment is installed and monitored remotely, how many people from the OEM have access to it? A dozen, a thousand? Organizations need to update their processes to account for how authorization is granted to control access to their equipment.

• Implement passive monitoring systems. Passive monitoring systems generally utilize mirroring technology to replicate data moving through the system and analyze it for irregularities without communicating with or impacting the flow of the data through the system itself. This type of monitoring, when properly implemented, can identify threat actors lurking in IT environments before they bridge the gap to OT – like Colonial Pipeline or the Oldsmar water treatment facility – and avoid the potential for shutdowns.

• Keep systems up to date. This is easier said than done. With vulnerabilities coming out daily and software patches coming out monthly, it is nearly impossible to keep all software fully up to date all the time. Furthermore, whenever something is altered in the security of a system, it needs to go through rigorous testing to ensure new gaps aren’t opened and industrial control settings are still functioning. In oil and gas environments specifically, shutting down operations for any length of time is not an option, so updates to critical systems need to be handled delicately. Allowing equipment to fall out of date and not taking the time to patch key software vulnerabilities can lead to serious consequences, so these updates need to be implemented consistently and carefully.

• Train staff on best cyber practices. Training. Many of the most devastating cyber attacks start with human error – like an employee giving away a bit of personal information that allows for a password to be breached or the wrong .exe file being opened and unleashed on a secure system. Ensuring the entire staff is aware of and trained on good cyber practices will go a long way in stopping some of the easiest access points for threat actors to gain access to your OT environment.

• Cybersecurity budgetary prioritization. Refineries, petrochemical facilities, and other critical infrastructure sites are commonly dealing in hundreds of millions of dollars (if not more) in equipment. And yet their cybersecurity budget allocation is geared towards compliance and falls well short of what is required to best secure these valuable assets from an attack. According to a recent survey from the SANS Institute, 47% of industrial control system (ICS) organizations do not have internal dedicated 24/7 ICS security response resources to manage ICS incidents. Refineries and petrochemical facilities need to move beyond a compliance-driven mindset and make the business case for protecting their most valuable resources.

Critical infrastructure is being targeted with increasing regularity and global oil, energy, and petrochemical facilities are appealing targets for cyber attackers. The leaders in these industries, including CEOs and executives, have been warned to prepare for an imminent attack focused on disrupting the flow of oil, gas, and reliable electricity as a consequence of the Russian invasion of Ukraine. Shutting down these sites has widespread effects on organizations, national defense, and the economy. In the U.S., it can take regulators years to develop guidelines and rules that address industry needs. Why wait when organizations can implement best practices now? By isolating what can and cannot be controlled in settings like refineries and petrochemical facilities, these industries can protect themselves, their equipment, and the lives of their workers.