I recently had the pleasure of speaking at the API 13th Annual Cybersecurity Conference in Houston. API is the national association for the oil and gas industry, and this is a unique event that focuses exclusively on the state of cybersecurity in oil and gas.
Personally, I find these types of events intensely interesting. They provide an opportunity to check the temperature of the industry from the people on the front lines in this case, oil and gas CISOs. One of the more intriguing sessions I attended was the CISO panel, which included representatives from leading industry players such as Chevon, Schlumberger, Devon Energy and CenterPoint Energy.
The intersection of IT and OTThe group touched on a number of topics one might expect the industrial internet of things (IIOT), security architecture and strategy, emerging technologies and so on. The most prevalent theme, however, was the security challenges brought on by the convergence of information technology (IT) and operations technology (OT) networks. Or, put another way, the traditional corporate and industrial networks (oh, and don’t forget the cloud!).
Historically, IT and OT networks have been separate entities. Each has evolved in its own way, focused on its own priorities. The top priority of IT networks is confidentiality, followed by integrity and availability. The top priority for OT, however, is iron-clad 24x7 availability, followed by integrity and confidentiality. In other words, the order of the “big three” priorities of the IT network is the exact reverse of the OT network.Industry 4.0 and data
Companies are seeking to converge these two networks as part of the “Industry 4.0” trend. Industrial environments are transitioning from largely manual operations supported by “dumb” electronic controls to data-driven organizations that use robotic and automated operations to drive efficiency and bottom-line performance. As one CISO said, “We have become a data company that just happens to produce oil and gas.”
What this means is that industrial control systems, initially deployed in isolation, have become IIoT endpoints on the converged IT/OT network. This makes them rich targets for compromise, not only for the traditional reasons (industrial sabotage, critical infrastructure attacks, etc.), but also because a penetration of either network can open the possibility to move laterally to compromise assets on the other. In other words, a compromise of the IT network can lead to an attack on the industrial control systems, or a penetration of a control system can lead to a corporate data breach.
Securing assets retroactivelyThis leaves oil and gas CISOs in a depressingly familiar position trying to secure assets that were deployed without security in mind. Part of this challenge is technical; part is organizational. According to one CISO, IT and OT network operations need to be consolidated into one group, so they can take a consolidated approach to enterprise security. Some of the key challenges the CISOs cited included: Dramatically expanded attack surfaces and vulnerabilities due to IT/OT convergence and cloud adoption The need to reduce infrastructure complexity so that there are fewer tools to manage Adopting more sophisticated security strategies that prioritize assets based on risk, rather than treating all assets as equal Hardening endpoints and end users to reduce adversary points-of-entry across both networks Using network segmentation to protect both sensitive data and automated control systems
Back to security basicsAs one CISO observed, practicing basic security hygiene remains one of the most effective security precautions any organization can take. “Good basic hygiene can improve security posture by 80 percent,” he said. Part of this hygiene is visibility understanding every endpoint and asset that is attached across IT, OT and cloud infrastructure, so everything can be brought under security policy.
Every industry today has its challenges regulations, cloud adoption, digital transformation, and on it goes. Oil and gas is a particularly challenging market due to the need to marry historically “smart” and “dumb” infrastructure. It will be interesting to see how things evolve and to play a role in helping the industry manage this important evolution.
As VP of Customer Technology, Tim Woods has more than two decades of experience in information security and data technology. With a proven track record of leading sales teams to success and deep domain expertise in security and technology, he is a driving force of many thriving companies