Operational technology can benefit from adopting efficiencies already applied to IT environments. Wurldtech’s Alvin Ng writes.
Oil and gas organizations are making important strides to address cyber security issues today. While many organizations are confident in the programs they have in place to secure the IT side of the business, oil and gas companies continue to expose operational technology (OT) to cyber threats, and often without knowing it.
To combat increased risk, oil and gas companies and executives need to establish an independent OT security program to effectively mitigate threats targeting operational infrastructure and assets. This begins with acknowledging the differences between OT and IT.
In OT environments, the objective with cyber security is to ensure equipment and systems continue to operate safely—protecting control systems, and the people and critical assets with which they interact. Attackers are motivated by disruption or destruction of operations and even physical harm to assets and people.
Control networks use different hardware, software, protocols, applications and commands than IT networks, meaning that a single approach across the two areas is not the solution to combating attacks. And unlike typical computer systems, embedded devices used in industrial environments are not replaced or refreshed every two to three years.
Instead, many devices may be 10 to 20 years old and were built in the days when security was not a major concern. Without appropriate security updates, or mitigation controls, a successful attack can impact production, leading to costly downtime. Because of these unique conditions, OT security solutions must be tailored to the environment and understand how the assets on the network behave.
Similar to OT, the oil and gas industry comes with its own unique set of challenges.
According to a 2014 poll conducted by Frost & Sullivan of cyber security purchase decision makers in the petroleum industry, the most critical challenges they face include: lack of cyber security-focused workforce; outdated technology; multiple networks and diversified assets; disparate communication channels and systems support; lack of mandatory regulations; cyber security implementation costs; harsh operating environments; and remote access.
Given the attention OT typically receives, it is not surprising that a general lack of cyber security awareness or understanding and outdated technology/systems infrastructure are challenges for oil and gas executives. Spear phishing, compromised data transmission, and insider threats, both malicious and accidental, are just some of the attacks aimed at critical infrastructure every day.
The OT solution
Fortunately, news stories about cyber attacks and groups targeting the oil and gas industry are helping to drive cyber security adoption. In fact, according to Frost & Sullivan, the annual budget spend on cyber security ranges from 5-10%, but is expected to grow in the coming years for oil and gas companies.
So, what can oil and gas companies do to address cyber security concerns and improve security across the entire company? For starters, they can align themselves with the right partners and technology. Technology that meets, and even sets, industry standards and that integrates easily into the company’s existing systems is critical for success.
Vendors should be capable of assisting companies in the implementation and maintenance of tailored solutions to ensure compliance and real-time detection and blocking of threats. Wurldtech’s OpShield product, for example, recognizes known vulnerabilities and signatures in OT environments, and looks to understand how the industrial system behaves and quickly identifies any unusual or dangerous changes in that behavior.
In extremely sophisticated attacks that penetrate the network beyond initial security measures, OpShield will flag an anomaly in network performance and alert operators in order to mitigate the impact of the attack and improve overall safety and asset reliability.
Additional practices include layering security solutions; greater awareness of risk; governance; focusing on fundamentals; education; and penetration testing. IT security protects data on the network, while OT security keeps equipment online and operating safely.
When both OT and IT environments are protected, an organization increases its cyber readiness to defend and react appropriately to every threat. OT can benefit from adopting efficiencies already applied to IT environments, but to be truly secure it requires its own set of tools and procedures to protect against the unique and sophisticated threats aimed at industrial assets.
Alvin Ng is the Asia Pacific general manager of Wurldtech, a fully-owned subsidiary of GE. Before joining GE Digital, Ng was the regional vice president, banking products and solutions, for Wincor Nixdorf. He received his Bachelor of Science in mechanical engineering from the Nanyang Technological University.