2021 IQPC Cyber Security for Energy and Utilities

Plains All American on the US NPC report on oil and gas cyber security and on OT/IT convergence risks. KPMG on supply chain related cyber risk and SOC Type 2 compliance. ONG-ISAC on recovering from a breach.

Al Lindseth (Plains All American Pipeline) gave a recap of the 2019 US National Petroleum Council’s Dynamic Delivery study of cybersecurity across America’s oil and natural gas transportation infrastructure. The report traced the convergence of information technology networks with operations technology and the consequent heightened cyber risk to operations. The push for more data from the operating environment for analysis led to the breakdown of traditional defenses and the need for a ‘defense in depth approach’ for IT networks. Twenty years ago this meant a ‘moat’, i.e. a completely isolated network*. But over time, a breach became an inevitability and the focus moved to detection and threat intelligence. This is now happening with operations technology, which also relied on isolation and network segmentation. A year ago the feeling was that there was no need to overreact to the ‘hype factory’, as there were relatively few cyber events in the US. The thinking was that OT had more natural defenses. The NPC report recommended that IT and OT groups work together, although ‘this was not happening’. Another recommendation was for a cyber process hazard analysis to evaluate the risks of potential attacks and establish an appropriate level of protection. The NPC report came forward with a prescriptive approach to cyber security, but a risk-based approach may be better. With finite resources, if one risk is brought down to zero, other risks will inevitably rise. How sustainable are more regulations atop other regulations? The risk-based approach is preferable, although ‘when there is an incident, we need regulators with teeth’!

* The moat a.k.a. the perimeter of a plant has been a popular topic of cyber security since The Open Group’s Jericho Forum introduced the ‘deperimeterization’ concept back in 2002.

Jason Howard-Grau (KPMG) presented on the risk of supply chain threats, an area where the risk is great and increasing as the OT landscape gets more complex. ‘Attackers will wait patiently to exploit the weakest link in the supply chain’. Some have posed as visiting engineers and lured site personnel. Also, it is time to modernize your old kit. KPMG recommends that operators mandate SOC Type 2 compliance, which ‘was not happening’. Covid means that there is less reliance on on-site personnel and now folk dial in from home. There is a movement to keep this new way of working. Ransomware is on the rise and the extended supply chain means that ‘your risk is my risk’. Howard-Grau recommends that those oil and gas companies that the DHS considers critical infrastructure should adopt industry-specific cyber security standards and that these should be audited by DHS and other ‘government-sanctioned’ entities. The results of such audits should inform new regulations, in particular where these may demonstrate the limitations of today’s voluntary framework. Howard-Grau also recommended that existing cyber security standards, notably API 1164, better integrate cyber security that spans IT and OT. The skill sets are different and the two ‘will not meet’. Standards need to be updated, as do the ‘rules of engagement’. Industry needs guidance. ‘All struggle with the organizational structure. Engineers think differently from cyber geeks and this will never change without better new governance. Every organization says that the asset inventory is crucial, but in reality even this can be hard to achieve. You can’t secure what you can’t see!’ There is too much inside engineers’ heads; folks don’t write it down. Configuration files may be hard to locate. Monitoring OT can be hard. KPMG found that one supplier had installed its own router inside a client’s site, unbeknown to the client! These are process and people issues.
The Colonial Pipeline attack was not a full-frontal system attack. Companies need to revisit their plans and understand how to act post-event, building out industry standards appropriately.

Angela Haun presented the work done at the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC), which ‘serves as a central point of coordination and communication to aid in the protection of exploration and production, transportation, refining, and delivery systems of the ONG industry, through the analysis and sharing of trusted and timely cyber threat information, including vulnerability and threat activity specific to ICS and SCADA systems’. The OT/IT merge is still a work in progress. Learning how to recover from a breach is key. ISAC helps you filter and prioritize available information. Join one of the 27 ISACs that meet regularly.


© Oil IT Journal - all rights reserved.