The chicken or the egg: Deciding between digital transformation and cybersecurity

The exploration, drilling, completion and production operations of offshore and onshore oil and gas are experiencing increased cyber incidents. Malicious actors are seeking to extort owners and operators for money and sensitive data, or distort physical processes and disrupt operations. Outdated OT systems, flat networks, insecure IoT devices, vulnerable control systems and porous IT environments are high-value targets. Despite this reality, technology is not the enemy.  

The evolution of operational technology (OT) and industrial control systems (ICS) in oil and gas operations have moved from on-premises connectivity between systems, often using ethernet, to connecting multiple sites and often remote locations, to the expansion of supervisory control and data acquisition (SCADA) architectures, and increasingly, the adoption of cloud technologies. 

As companies adopt new technologies to make business more effective and efficient, new risks emerge, and old risks evolve. Common risks, including copycat cyber criminals and disorganized dark web scammers, continue to look for low-hanging fruit and easy-to-target enterprises, Fig. 1. An emerging and more concerning cyber-physical risk has been the evolution of “killware”—malware focused on causing harm to workers or populations in close proximity to a targeted system or enterprise.  

Fig. 1. Cyber criminals continue to look for low-hanging fruit and easy targets. Image: Nozomi Networks. 

Complexity in IT security involves defending against the myriad of ways someone can exploit widespread IT systems. OT systems have known vulnerabilities and less-sophisticated designs, where the complexity for security is in the attack path or “kill chain,” targeting simplistic systems that can be configured in a myriad of ways specific to each operation’s many processes.  

Examples of traditional OT systems​. The following systems can be high-value targets: 

• Supervisory Control and Data Acquisition (SCADA)​ 
• Industrial control systems (ICS)​ 
• Programmable logic control (PLC)​ 
• Process control networks (PCN)—Including safety instrumented systems (SIS), engineer workstation and human machine interface (HMI)​ 
• Distributed control systems (DCS)​. 

Examples of OT-related cyber-physical systems. Here are some additional systems that are vulnerable:​ 

• Industrial robots​ 
• Self-optimizing press-bending and roll-forming machine​ 
• Adaptable production systems​ 
• Energy-efficient intralogistics systems​ 
• Smart grids. 

Asset owners may not know that some of these systems are connected to the internet in some way, have no way to detect unauthorized changes, face a mounting chain of custody and supply chain demands, and leave themselves at risk for remote takeover and control of assets. This can lead to unsafe conditions, manipulated products, equipment damage and/or unintended shutdowns.  

Meanwhile, many oil and gas companies and industry organizations continue to identify insider threat scenarios as their top concern. Insider threat scenarios can be broken down into three divergent categories: 

• A compromised insider threat scenario reveals known common vulnerabilities and exposures that go unchecked and unmitigated.  
• A malicious insider threat scenario involves an employee or third party with internal access that seeks to do harm or grant unauthorized changes and permissions to manipulate data, systems and processes.  
• A negligent insider threat scenario is a situation in which an employee or third party with internal access makes a change or overlooks an otherwise accidental change or event in the network communications and processes, which results in error, failure, vulnerability or damage. 

Prescriptive recommendations for improved security often overlook the realities of asset ownership, operation, transfer and custody. If a pipeline operator with distributed operations is unfamiliar with their network activity and a change occurs, how would they know if it is security-related or operations-related? Their tacit knowledge is all that is required to investigate any change or incident. The problem is knowing when, and where, to investigate an issue before it becomes unmanageable.  

Despite the benefit of cost-savings and outsourcing of SCADA expertise, the owners and operators of the SCADA system may not consider the cybersecurity of industrial components, the integrity of OT and ICS data, operational impacts and cybersecurity best practices. The pipeline operation may not have any way of recognizing equipment failure for nodes attached to and communicating with the SCADA system. The organization is in the dark, in terms of detecting and monitoring new connections and tie-ins. They ultimately cannot diagnose network performance issues, potential malware introduced and present on the industrial network, or potential equipment failure or damage. 

BURSTING THE IoT BUBBLE 

Many critical infrastructure sectors are moving to adopt new levels of connectivity between systems, networks and devices. Operating across distributed locations, they are simultaneously implementing increasingly complex SCADA architectures and IoT deployments to streamline operations. The propagation of automated hacking and botnets is a constant threat to the fidelity of IoT devices. This connectivity and its associated security concerns now extend to networked cyber-physical systems, IT/OT integrations, building automation and the push for software-defined performance indicators, efficiencies and investment. 

Juniper Research estimates that by 2025, there may be as many as 37 billion industrial IoT connections. CISOs are expected to safeguard the entire IT, IoT and OT landscape, including industrial control systems and processes, secure remote access and connectivity to the broader enterprise or corporate networks. Subscription models that allow customers to purchase and install technology up front, to be paid for over time, may relinquish network control and security visibility for those products, if cybersecurity of these technologies is not addressed in the contracts and deployments.  

These systems and variations tend to remain unpatched, long after a patch has been released. That’s because most IoT devices are “headless” and are not set up for automated updates without the owner or user agreeing to a risk-based statement within the end-user license agreements. Once an attacker has gained entry, he/she will check to determine the underlying operating system, to decide which payload to install on the system, most frequently to deploy a botnet attack. The server hosting the malware will likely be from a hardcoded IP address within the attacker’s script. 

To obfuscate the payload, many IoT botnets use naming conventions for their payloads that are common processes, such as “ntpd” (the network time protocol daemon), in combination with using packers and cryptors to thwart deep packet inspection engines. Once the system is infected, it immediately changes the default credentials before setting out on its intended objective to infect other machines. These IoT botnets can grow to have hundreds of thousands of controlled devices under their helm, and their primary focus is to perform DDoS attacks against targets, to great effect. 

More connectivity, centralized data and management tools offer data-rich but information-poor operations in new business models. However, their implementation is often accompanied by weak passwords, authentication and encryption protocols, insecure update mechanisms and mundane privacy protections. A novice threat actor can find internet-connected devices on the website Shodan, learn how to circumvent network segmentation and penetrate isolated IoT networks using open-source tools, such as Nmap and Ncrack.  

Reliance on third-party technologies and software adds another layer of complexity to the cybersecurity conversation. In 2021, PwC’s Third-Party Risk Management Digital Trust Survey Snapshot revealed that 47% of organizations suffered from a third-party software supply chain disruption to their business and 41% experienced third-party platform exposures, outages and downtime. At the same time, according to a 2022 Helpnet Security survey of more than 400 global institutions, 30% plan to heavily outsource security, 44% are looking to enable turnkey solutions and 67% need to augment staff/resource abilities. 

Cloud technologies also have entered the chat, despite concerns that cloud-based assets are not located within the enterprise-owned network, Fig. 2. A 2022 CS2AI survey of more than 580 OT/ICS organizations indicated that virtual/cloud SOC operations/services were the fourth most important spending priority, with control system cybersecurity technology solutions taking the lead. Managing intrusions will be a constant battle between detection and response, with little attention left for addressing underlying issues after IoT products are bought and deployed from vendors. 

Fig. 2. Despite concerns about cloud-based assets not being located within enterprise-owned networks, a survey of more than 580 organizations found that virtual/cloud SOC operations/services were the fourth most important spending priority. Image: Reddit r/ProgrammerHumor. 

Given this landscape, decision-makers should never be put in a place where they need to choose between a digital transformation project and cybersecurity achievements. Continuous drive for innovation and efficiency, increased regulation, cloud capabilities and a dynamic and evolving cyber threat landscape have led to the realization that digital transformation and coherent cybersecurity can be one and the same.  

A WAY FORWARD  

Today, we can say that using “X method” against “adversary Y” is a valid approach, but by the time the ink dries, “adversary Y” has evolved. While OT monitoring solutions are not end-to-end security solutions, the platforms that were born in OT security are purpose-built for these operations and capable of doing deep, sector-specific packet inspection to understand the parameters of process controls, physical equipment, and machinery.  

To have great cybersecurity overall requires tools and processes built to adapt to change with minimal but dedicated effort. Having a solid foundation of tools and technologies, based on some well-known tenets of cybersecurity, can go a long way, but they cannot solve the inherent need for an intimate understanding of oil and gas operations. This requires knowing the nature and behavior of the assets within the environment, monitoring for threats and having a measurable way to track, report and reduce risk. If operators need a more categorical approach, there are many that exist, like the ISA/IEC 62443 standards. 

The ISA/IEC 62443 series of standards was crafted by leaders in the IT/OT space from across the globe, through the formation of the Global Cybersecurity Alliance under the International Society of Automation (ISA). ISA/IEC 62443 can help you manage cyber risks consistently, setting a foundation for your company’s success at the industrial level. 

With an “assume breach mentality,” the focus for security products must be on reducing the severity of potential impacts, not on responding to worst case scenarios only after they unfold. Instead of providing limited services that hunt for bad actors, malicious activities and known threat detections, based on known and categorized intelligence, building intuition into security for purpose-built operations requires customizing detections and prevention methods for the operation or end-user. 

Monitoring and visibility are key today to reduce the dwell time for threat actors and the level of damage they can do in mission-critical systems, networks and environments. It is also necessary for root cause analysis to determine whether an issue is caused by a cyber threat actor, equipment malfunction, misconfiguration or a ransomware situation. It may even be necessary to monitor process functionality and prevent things like ghost drifting, when a process or device slips out of scope incrementally over time. 

At a high level, network monitoring includes signature matching to identify known attacks. A layer deeper, industrial control system protocols can be inspected for signs of reconnaissance activity, like parameter scanning or requesting non-existent variables. Another layer deeper, into packet inspection, the actual ICS payloads can be monitored for anomalous values being set or values being set at anomalous frequencies. Most importantly, leveraging anomaly detection technologies to monitor the network can identify novel attacks that don’t yet have signatures. 

This type of network analysis is 24/7-scalable, reliable situational awareness, not derived from fear, uncertainty and doubt. Beyond vulnerability analysis and intrusion detection, anomaly detection technologies offer sophisticated baseline understanding for normal operations and look for and alert on deviations from the norm. Investigating those deviations could make the difference between avoiding catastrophe or becoming the latest victim. 

To learn more about ISA/IEC 62443, visit https://isaautomation.isa.org/cybersecurity-alliance/.  

About the Authors

Danielle Jablanski

Nozomi Networks

Danielle Jablanski DANIELLE JABLANSKI is an OT cybersecurity strategist at Nozomi Networks, responsible for researching global cybersecurity topics and promoting operational technology (OT) and industrial control systems (ICS) cybersecurity awareness throughout the industry. She is also a nonresident fellow at the Cyber Statecraft Initiative of the Atlantic Council’s Scowcroft Center for Strategy and Security. Ms. Jablanski holds a BA degree in political science from the University of Missouri, as well as a Masters degree in International Security from the University of Denver.