As the cybersecurity landscape shifts with an increasing number of successful hacktivist attacks, combining process, automation and network engineering tools can address operational technology (OT) security risks.
About 80% of the successful cyber-attacks on industrial operations in 2022 were ransomware-related and about 15% were led by hacktivist groups. The expectation is that future hacktivist efforts will continue to target high-profile targets and infrastructure, according to Andrew Ginter, vice president of industrial security at Waterfall Security Solutions.
While the oil and gas industry hasn’t borne the brunt of cyber-attacks, it has weathered a few onslaughts, including the 2021 Colonial ransomware attack and a trio of early 2022 ransomware attacks on ports that delayed the loading and unloading of oil tankers.
But Ginter worries that might change.
“There are distressing trends, one of which is the trend towards increased hacktivist activity,” he said. “The thing about hacktivists is that they're politically motivated. They don't have a financial agenda and are politically motivated.”
And he believes hacktivists are “quite happy” to target critical infrastructure, and the bigger the better because of the resulting impact. So if hacktivist activity continues to increase, so does the likelihood of attacks on critical infrastructure.
“That's what activists go after. That's what politically motivated attacks go after,” Ginter said.
Fuzzy risk picture
With the low number of successful attacks on the oil and gas industry, he said, some might consider playing the odds when it comes to cybersecurity.
They might ask how likely they are to have nation-state grade ransomware attacking their pipeline or refinery in the coming year, he said.
“That’s the wrong question. I mean, imagine that the refinery goes down for 10 days. How much have you lost? Do the math. It’s a lot of money,” Ginter said. “If your answer is, ‘Hey, we knew that if this grade of ransomware attack came after us, we'd go down. We knew that. We just didn’t think they’d pick on us this year.’ That’s the wrong answer.”
Even with the rise of hacktivist attacks, Ginter said the pervasive threat to critical oil and gas infrastructure is nation-state grade ransomware.
“We need to take really strong measures to protect our system against that network-based threat,” he said.
Part of designing cyber protection has been protecting against worst-case consequences, but there’s no consensus in the industry as to how to assess cyber risk, he said.
Ginter said the IEC 62443 standard for secure industrial automation and control systems touches on the process of risk assessment without spelling out step-by-step instructions on how to conduct one.
“All this thing talks about is the process. It says first you should do a preliminary and you should use the result of that to make a decision. And then you should talk about network segmentation and then decide if you need to do a detail. It doesn't actually tell you how to do the preliminary, it just says that you should do one. Yet we could not get anyone to agree on a methodology for connecting threats and consequence into risk. That's left to the reader,” he said.
Ginter also argues that worst-case consequences should determine the required strength of a system’s security program.
“But even that is controversial,” he said.
Defending OT systems
Yet the worst-case consequence in oil and gas is usually unacceptable, he said, due to the public safety threat involved.
Fortunately, he said, new approaches for addressing such threats are being created, such as the Idaho National Lab’s Cyber Informed Engineering approach, which uses engineering-style mitigations for cyber risk.
Mitigation tactics include placing a mechanical valve on a piece of equipment with the potential to explode if it overheats rather than strictly relying on a longer password on the computer controlling that equipment, he said.
“None of these cybersecurity standards mention the valve because it’s not a cybersecurity mitigation. It’s a safety mitigation. It’s a physical mitigation,” Ginter said.
Such mitigation strategies are what “cyber-informed engineering is all about,” he added.
“The new thinking is wherever practical put electro-mechanical safety in to eliminate the cyber threat to safety. Still use all the cyber stuff. You want a second and third line of defenders, but your last line of defense basically takes the threat off the table,” he said.