2016-04-18

The convergence of information and operations technologies (IT/OT) is opening new vectors of disruption. As a result, security has become a high-priority item in the boardroom and across the C-suite. An eight-step framework can strengthen defenses against cyber-attacks, industrial espionage and sabotage in the oil and gas sectors.

Energy industry is a target

More than a decade ago, the US Department of Homeland Security and a handful of oil and gas majors formed Linking the Oil and Gas Industry to Improve Cybersecurity (LOGIIC), in support of research, development, testing and evaluation to improve cybersecurity in digital control systems. Even with additional programs and tighter standards established in other parts of the world, the industry remains vulnerable:



A recent poll of cybersecurity professionals found that a majority expected a major cyberterrorism event in the next year. A plurality of attendees at the 2014 Information Systems Security Association Conference predicted the attack would focus on the energy industry.



Nearly half (47 percent) of energy organizations in the Americas reported cyber-attacks in 2014 – the highest among all corporate sectors, surpassed only by governments, according to Trend Micro.



The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported 245 cyber-attacks in the United States against control systems from October 2013 to September 2014, with the highest percentage (32 percent) focused on systems governing energy production and distribution.

Digital innovation has fueled the Industrial Internet of Things (IIoT), which encompasses everything from controlled assembly lines to precise systems that automate processes. High-velocity operations are possible through the integration of IIoT devices that enable analytics-powered insight and faster decision-making.

While unleashing higher productivity, the rise of Internet-connected assets has also created new virtual avenues for attacks. An underworld business model of “designer attacks as service” has emerged. Cyber-attacks can be commissioned by third parties with minimal knowledge of software coding. Hostile nation-states fund some intrusions; others are mounted by hacktivists trying to embarrass companies. In addition, disgruntled insiders can wreak havoc by exploiting old controls not designed to repel intrusions via information systems and networks.

Developing a security framework

Strengthening the immune systems of digitally powered businesses is crucial to achieving high-performance business objectives. Improved security programs typically emerge after thorough risk assessments, and by reaching consensus on the right balance between getting work done efficiently and protecting assets.

A broad array of people and teams need to collaborate to support secure operations. Intelligent, proactive approaches are needed at speed and at scale, which is why Accenture recommends a comprehensive framework with eight interrelated components.

1. Establish effective governance: Without setting clear targets, the entire security ship is in danger of becoming rudderless. Governance sets direction for end-to-end planning and execution, from security strategy to ongoing operations. By setting standards and policies in conjunction with clear priorities and allocating roles and responsibilities, governance builds bridges between IT and OT – for example, opening doors to operating units when IT is not allowed by local or regional OT engineers to perform program activities.

2. Build a common IT/OT risk framework: The convergence of IT and OT gives business leaders the ability to leverage more operational data, deriving insight into better ways of working. The Cybersecurity Risk Management Process Guideline – prepared by the US Department of Energy in cooperation with North American Electric Reliability Corporation and National Institute of Standards and Technology – recognizes that IT and OT share similar inputs and purposes of delivering value with continuous operations.

The European Programme for Critical Infrastructure Protection has also noted that IT and OT convergence is needed for companies to become well-integrated digital businesses. IT security, however, typically uses a model based on enterprise security rather than a framework based on production risk. Accenture suggests developing a hybrid IT/OT model to calculate risk, adopting the production risk framework and terminology to articulate the risks to IT and production.

When OT, IT and the business act in a truly integrated way, oil and gas companies are better prepared to manage cyber threats while reaping the benefits of highly automated operations.

3. Balance risk and cost: Achieving appropriate balance is a sign of a mature approach to risk management. For example, if an operating-system security patch cycle of one month is desired by production maintenance, the cost – including staff and vendor time, choppers, beds on platforms, transport to sites – needs to be calculated against the risk of an event occurring. Ideally, a holistically designed program is aligned with the routines of manufacturing execution systems. Advanced planning makes the most of allocated resources. For example, if an industrial control system (ICS) vendor already has a maintenance cycle of three months, perhaps an extra day to perform ICS operating system patching could be added to the vendor contract.

4. Develop a hybrid skill set: Finding talent experienced in both project delivery and OT security is a challenge. Due to the combination of skills, candidates could be sourced from business operations and maintenance, as well as the pool of OT security professionals. Companies should consider a detailed program of training and staff augmentation until they obtain a strong mix of skills. Some companies outsource facets to trusted third parties with well-trained resources. For example, an ICS security assist desk operating 24/7 (which would be costly for companies to create and operate internally) could be a service provided by an experienced service provider.

5. Upgrade training: Given the number of cyber-threats aimed at oil and gas firms, security teams need to train with a vigorous sparring partner, preferably one who can simulate sophisticated attacks. An initial assessment can determine some of the greatest threats facing each organization, with exercises designed to simulate adversarial tactics, techniques and procedures.

In addition, oil and gas companies need to develop stronger cultures of process safety, information security and asset integrity. Instructor-led classroom sessions can raise awareness among IT and OT teams (e.g., once a week for five weeks, including staff from all shifts and platforms).

For people based at headquarters, training could be shaped as an all-day program, including videos, information booths, giveaways and a forum with management leaders. Another level of training could include offshore personnel at major facilities. In addition, IT personnel who are to sustain the environment will also need training on procedures a month before facilities begin operating. When threats lurk undetected for weeks or months, the costs can balloon to tens or hundreds of millions of dollars – far more than the expense of maintaining strong defenses.

6. Leverage experience across IT and OT: Sharing skills and reusing licenses and technology are cost-efficient practices aligned with standardizing the install base. Accenture’s experience is that it takes twice as long to train an IT specialist to comply with engineering requirements as to train a process-control engineer to perform IT duties.

By leveraging IT skills, managers in OT are able to focus their resources more intently on issues relevant to production. Consider tapping skills in office IT security (e.g., Windows OS hardening, vulnerability assessments, updating, patching and remote troubleshooting) that are relatively new and less frequent in OT.

Organizations can also leverage virtualization – which has boosted the efficiency of corporate IT environments – to transform the ways they operate assets. Flexible and scalable virtualized platforms can shorten the time-to-site for updates and new systems, reduce site operating costs and improve cyber-resilience.

7. Cover the entire OT domain: Maintaining a strong fence without protecting the vulnerable interior has been proven wrong across industries. The defense-in-depth philosophy translates into treating perimeter security and building secure enclaves as key steps for securing the OT domain. Further steps must extend to hosts and device protection at the level of the respective operating systems and applications. Improvements are critically important for the control-systems layer.

8. Look beyond basic controls: Situational awareness, incident response and cyber-forensics are needed in OT as well as in IT. Implementing a monitoring solution such as a Security Information and Event Management (SIEM) system, which is common in IT environments, can be challenging in OT. Situational awareness and the capability to respond and recover need to mature together so that learning and regulatory follow-up become embedded in core processes.

Secure operations at high velocity

Success in tomorrow’s digitally powered energy industry depends on security decisions made today. Devising the right strategy and strengthening cyber-defense constitute a core of resilience and brand-trust essential in an interconnected business world.

The challenge is achieving that delicate balance: managing high-velocity operations while maintaining highly effective security. Agile responses from IT and OT, working together in a well-governed security program, can mean the difference between intrusions contained and high-loss disasters.

Holistic, intelligent solutions are needed, which establish comprehensive protection. An end-to-end approach – from security strategy to operations – can help oil and gas organizations strengthen their resilience, thereby helping achieve business objectives for reliability, innovation and profitable growth.
