Among the growing concerns about cybersecurity and the IoT, the industrial sector stands out. Industrial IoT applications are in some ways more at risk than others. Control networks traditionally safeguarded through complete isolation are now seen as sources of valuable data for companies to tap. But connecting plant data to outside networks or the Internet must be done securely. A hack can cost thousands or millions of dollars, and possibly lives. Nowhere is this more evident than in the oil and gas sector.
In a recent report, Countering the Threat of Cyberattacks in Oil and Gas, the Boston Consulting Group (BCG) enumerates the cybersecurity concerns in that sector. It points in particular to upstream systems, such as remote data acquisition systems, gateways, transmission bridges, and controllers in exploratory rigs and drilling control systems. This equipment and these networks are spread across vast areas, and are responsible for tracking and controlling the extraction and production of oil and gas resources in the field. Once considered too remote to worry about, these systems should be treated as possible targets for an attack as they come online.
“Until recently, the industry considered the traditional upstream systems in the oil and gas sector to be relatively safe because they were, in most cases, isolated,” the report said. “But the industry’s growing use of connected industrial systems and networking technology—coupled with the ever-increasing need for real-time data and analytics—has introduced new risks.”
The BCG report outlines several specific areas of risk, and recommends a number of steps for CIOs and other executives to take. These fall into three categories:
- Boundary protection – The exploding popularity of mobile devices has driven operators and others to request or expect at their workplace the same convenience they get at home or anywhere else in the world. Each device adds to the potential attack surface. Wherever possible, remote users in the oil and gas sector should be given access to the data only, and not to the control system itself.
- Remote access – This is essential to monitoring and controlling a widespread enterprise like oil and gas production. Strong control over remote access points covers both physical access and software-based safeguards. On the software side, we would recommend a secure-by-design, outbound-only architecture wherever possible for remote equipment or devices, so that the equipment initiates every connection and accepts none from outside.
- Information flows – If a malicious agent is able to interrupt, alter, or redirect the flow of information through the system, it could cause significant problems. Firewalls, reverse proxies, DMZ technology and hardware solutions like data diodes can reduce or eliminate unauthorized access, while employing network-monitoring equipment and network-use rules can help identify any intrusions that do occur.
In all of these, there are both human and technical factors. On the human side, operators and managers need to be trained and supervised to ensure that they are keeping security as a top priority, and adhering to the relevant policies. The technology, for its part, should support those efforts by being as convenient and unobtrusive as possible, while still providing the highest possible level of security.
The BCG report concludes, “To protect themselves, their shareholders, and their customers adequately, industry players must make cybersecurity a highest priority and an ongoing consideration at the executive level.” We agree. We would add that, starting from there, this attitude should spread throughout the organization and be present in each of its members and in the tools they use.