Addressing OT cybersecurity issues in oil and gas
Source: William Pao, a&s International
More and more, IIoT solutions
are deployed in various vertical markets. Oil and gas is no exemption. However the industry is as susceptible to cyber threats
as any other sector, and proper measures needs to be taken to prevent cyberattacks.
Increasingly, oil and gas operators are turning to IIoT for further automation and efficiency, leveraging connected devices that generate and transmit data over wired or wireless networks. A report by Research and Markets points out the installed base of wireless IoT devices in the oil and gas industry is forecasted to grow at a compound annual growth rate of 6.8 percent, from 1.3 million units at the end of 2018 to 1.9 million units by 2023.
Yet, despite this increased usage of IIoT, the issue of cybersecurity is often neglected by oil and gas operators, as evidenced by findings in a Ponemon Institute survey, titled “The State of Cybersecurity in the Oil & Gas Industry: United States,” which suggests the following: 66 percent of respondents believe while oil and gas companies are benefiting from digitalization, it has significantly increased cyber risks; 68 percent of respondents say their organization experienced at least one cyber compromise, yet many organizations lack awareness of the OT cyber risk
criticality or have a strategy to address it; and 61 percent of respondents say their organization’s ICS protection and security is not adequate.
Need for cybersecurity
Needless to say, once happened, a cybersecurity event may cause serious consequences to oil and gas companies. One incident of note took place in 2017, when a malware called TRITON found its way into a Middle East oil and gas facility, causing it to shut down. Specifically, the malware targets process safety systems, which are heavily deployed in oil and gas facilities, according to the Society of Petroleum Engineers.
“The oil and gas industry … has the largest installed base of process safety systems,” the organization said. “Suddenly, the relatively obscure world of process safety systems, which had never seriously been considered a cyber vulnerability, was in the spotlight.”
Indeed, an event like this underscores the need for cybersecurity. “The point is that the IIoT and OT systems/components need to be secure and have security built in and implemented. A single weakness can be the downfall of an entire facility,” said Ernie Hayden, Founder and Principal of 443 Consulting
According to Robert Kuo, Product Marketing Manager for IIoT Solutions at Moxa
, OT devices and equipment used by oil and gas operators tend to vary by application. In midstream applications where oil or gas is delivered over pipelines thousands of kilometers in length, operators tend to set up an end point every few kilometers to detect leaks or collect other types of data, which is then transmitted to a central command office over the Internet. This introduces cybersecurity risks. Choosing the proper equipment that is secure by design and complies with certain industry standards for security, then, becomes essential.
Again, Kuo mentions that the IEC-62443-4-2 standard, which requires that OT devices and equipment be equipped with certain security features, for example user authentication, data integrity and confidentiality, network access and authentication and vulnerability management. “This way, you can rest assured that your production and operations are supported with secure equipment, and that data acquisition is secure as data is encrypted,” he said.
For the more upstream applications, for example oil and gas excavation in oilfields or offshore platforms, equipment should be cyber-secure as well as robust against extreme conditions. In this regard, Moxa has cybersecurity solutions that are explosion-proof, as certified by EU’s ATEX and UL’s Class I Division 2 certifications, Kuo said.