An article by Stratus.

Oil and gas companies face some of the most pressing cybersecurity infrastructure challenges of the modern era. “There are two types of companies in this industry,” according to Corie Allemand, Global Lead of O&G at Stratus, “those that have been hacked and those who know they have been hacked.”

The vulnerability of all systems to cyberattacks is verified by countless examples, from the infamous Stuxnet hack a decade ago to the recent Colonial Pipeline breach. Addressing the myriad of cybersecurity infrastructure challenges is a daunting task – made even more burdensome by increasingly stringent regulatory requirements that can quickly become unmanageable within legacy industrial automation architectures and traditional OT networks. In a recent webinar with Xage Security, our experts outlined the new DHS guidelines for cyber security infrastructure in the O&G sector, the implications for operators and some concepts related to Edge Computing that make the digital transformation journey easier.

How we got here – Learning from the Stuxnet worm

10 years ago, Stuxnet was the first hack of an industrial automation system, and it highlighted how hackers can access and control industrial automation (IA) systems and spoof the data within them, despite the air gap between the OT network and the web. At the time, this air-gap approach was believed to create reliable networks that were only vulnerable from the inside and inaccessible through the internet from the outside. Unfortunately, this assumption has proven to be deeply flawed.

As highlighted in the 2015 book Industrial Network Security by Eric D. Knapp and Joel Thomas Langill, “Stuxnet demonstrated that many assumptions about industrial cyber threats were wrong, and it did so using malware that was far more sophisticated than anything seen before.” Six years later, as oil and gas companies continue their digitalization process, this statement still rings true.

The Stuxnet virus crept into the so-called secure network that OT professionals relied on at the time. The hackers' intent was to access an organization's environment and complete a criminal act but their attack then involved the whole world, mutating and devastating the critical infrastructures of nations one by one. “It has spread all over the world,” Allemand says in the recent webinar, “because the virus is very, very precise.”

Stuxnet has proven to the industry that no network, however remote from the world wide web, can be trusted. This awareness has changed the course of industrial automation, accelerating the digitization of many sectors, including O&G. That digital transformation journey is ongoing, and especially critical for oil and gas companies, as it can increase organizations' risk profiles but also strengthen their security posture.

The two faces of digitization for oil and gas companies

Bringing more digitization to industrial automation environments is a complicated conundrum. Emerging technologies such as Edge Computing introduce new tools and capabilities that improve decision making and protect operator and data security, but at the same time present pressing demands on information security infrastructures. “As we introduce these new technologies into these new systems, we have to make sure that safety comes first,” says Allemand.

With these considerations in mind, O&G organizations should not shy away from digital transformation. In the recent webinar promoted by Stratus, the expert Rudy de Anda reflects: "to be competitive, you must connect and take full advantage of your data". There are countless success stories where organizations that take up this challenge not only strengthen their cybersecurity infrastructure, but reap numerous benefits that increase their market share and further their business goals. Xage and Stratus experts point out how oil and gas companies can reap the benefits of digitization, while ensuring regulatory compliance, without having to modify or replace legacy architecture.

DHS guidelines for pipeline cybersecurity infrastructure up close

In July, DHS issued cybersecurity directives for pipelines “in an effort to prevent a repeat of the shutdown of the Colonial Pipeline which has resulted in massive fuel shortages and a rush to buy gas,” according to the Washington Post. These requirements address an urgent need for a standardized cybersecurity playbook across the industry but present onerous challenges that daunt both operators and IT staff.

Just a few of the DHS requirements that Xage and Stratus experts discuss in the webinar include:

  • A zero-trust methodology that avoids implicit trust of any network
  • Mitigation measures for user credential rotation and resource access management
  • Protocols for updating and patching software

According to Joe Blazeck, Sales and Business Development Leader of Xage Security, “We are really moving away from the concept of trusted networks, where organizations verify once at the perimeter, and we are moving towards a security approach where organizations continuously verify every user, every device, application and transaction. We are avoiding implicit trust in devices and networks and are moving towards this new principle of least privilege.”

While these directives may seem obvious, they present problems on the ground. A first problem is software updates, which routinely cause unplanned downtime due to the vastness of the regions in which the pipelines operate and the often disjointed groups of IT contractors who repair the pipelines piecemeal across these vast geographic areas. These computer-based implementations may seem like a simple task, both for the platform and the software, but when you think of that platform spread across North America, you understand the scale of the challenge of that type of upgrade. The great challenges around software patching coupled with resource management control and the sheer number of individual credentials to maintain are just some of the headaches for operators responsible for critical infrastructure security today.

Stratus and Xage facilitate DX for pipelines and envisage a new scenario

Implementing a zero-trust methodology and other required mitigation strategies is made easier with the careful selection of the ideal Edge Computing platform and cybersecurity solution providers. According to Blazeck, “The fundamental principle of zero trust is that no actor, system, network or service operating inside or outside the security perimeter is trusted. Organizations, however, must verify any request to connect to any system before granting access. One can almost imagine that security tools in a zero-trust model assume that devices and users have malicious intent, and almost assume that a breach has already occurred.” This means that, in practice, administrators must answer the question of how to implement a successful rule set to verify every transaction in their network, a challenge that can quickly become unmanageable in traditional OT networks that rely on granular one-to-one rule sets.

This is where Xage and Stratus come into play. Blazeck continues, “We approach this by building identities for all these different entities. We build an identity for every user, device and application and extend it across data points. We then control – through grouping and policy, rather than opening and closing firewall ports – how these identities are allowed to interact with each other. Each identity, be it a user or a thing, has its own perimeter, and each identity is able to interact with other identities according to the policies administered in the central Xage system. This identity-centric zero-trust approach allows operators to maintain trusted connections with all remote endpoints. These are just some of the capabilities offered by Xage solutions. Running this type of cutting-edge cybersecurity software on a fault tolerant Edge server like Stratus ztC Edge also allows organizations to operate through outages, safely.
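The contrast between one-to-one rule sets and identity grouping described above, as an added example that is not Xage or Stratus code: a default-deny policy check evaluated per request, plus a count of the pairwise rules the same access would need without groups. All identity names, group names, actions and fleet sizes are constructed for illustration.

```python
from dataclasses import dataclass

ACTIONS = ("read", "write-setpoint")  # constructed action names

@dataclass(frozen=True)
class Identity:
    name: str
    kind: str            # "user", "device" or "application"
    groups: frozenset    # group membership drives policy, not network location

# Group-to-group policy (constructed). Anything not listed is denied.
POLICY = {
    ("pipeline-operators", "compressor-plcs"): {"read", "write-setpoint"},
    ("historians", "compressor-plcs"): {"read"},
    ("contractors", "metering-rtus"): {"read"},
}

def is_allowed(src, dst, action, authenticated):
    """Decide one request; evaluated per transaction, default deny."""
    if not authenticated:
        return False
    return any(action in POLICY.get((sg, dg), ())
               for sg in src.groups for dg in dst.groups)

def make(prefix, kind, group, count):
    """Create `count` identities that all belong to one group."""
    return [Identity(f"{prefix}-{i}", kind, frozenset({group})) for i in range(count)]

def build_fleet():
    """Constructed fleet: users, an application group and legacy field devices."""
    return (make("op", "user", "pipeline-operators", 20)
            + make("hist", "application", "historians", 2)
            + make("ctr", "user", "contractors", 5)
            + make("plc", "device", "compressor-plcs", 200)
            + make("rtu", "device", "metering-rtus", 10))

def one_to_one_rule_count(fleet):
    """Per-pair rules needed to express the same access without groups."""
    return sum(is_allowed(s, d, a, True)
               for s in fleet for d in fleet if s is not d for a in ACTIONS)

if __name__ == "__main__":
    fleet = build_fleet()
    print(len(POLICY), "group policies vs",
          one_to_one_rule_count(fleet), "pairwise rules")
```

Adding a new PLC to this constructed fleet means assigning it to a group, while the pairwise model needs a new rule for every operator and historian that must reach it.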

The plus of the Xage and Stratus solutions is that they are primarily software-based and, therefore, also work on legacy hardware, allowing features such as on-site access filtering for older PLCs that lack built-in security. “So it becomes simple,” Allemand says, “and we can implement this, doing all the things digitization promises. You have a server running on the edge, capable of doing these heavy-duty tasks on the edge – including security – as you extend that network to meet new requirements.”

The criticality of adopting a secure industrial IT solution cannot be overstated. After all, if organizations are to use data from edge computing devices to make better business decisions, then it's imperative to ensure the authenticity, accuracy and privacy of that data, which hackers can spoof in traditional industrial automation architectures, as history teaches us.

When the digital transformation journey is efficiently secured, however, the opportunities are endless. According to Stratus expert Rudy de Anda, “What we're finding is that if you deploy these technologies, and deploy them efficiently, we have an opportunity to get the bandwidth to deploy some of these really connected and edge tools. powerful people who exploit data, while also strengthening the security position, rather than weakening it”.
