According to a recent PwC information security survey, the number of cyber incidents has increased at a compound annual rate of 66% since 2009. As the frequency has risen, so too have the reported costs of managing and mitigating the cyber threats.
Given the recent proliferation of connected devices, driven by trends like digitization and the Industrial Internet of Things (IIoT), the Oil & Gas industry finds itself in a position of having to reassess the levels of cybersecurity risk that it can tolerate. The influx of connected devices, if not properly managed from a cybersecurity perspective, could introduce a new and unacceptable level of threats.
Although most of the new connected devices being installed are not part of the critical infrastructure of the facility or plant, the mere fact that the volume of connection points is increasing means that the risk of potential cybersecurity attacks could grow. Therefore, many Oil & Gas plant executives are facing a dilemma: either risk losing competitive advantage by failing to “go digital,” or invest more in better managing the growing level of cybersecurity risk.
What to do to calibrate the risk
Digitization and cybersecurity are 100% linked, therefore one should not move forward without the other. It’s up to each organization in the industry to understand where vulnerabilities lie within their particular operations. After all, a refinery could lose $1 million a day in revenue should a cyberattack succeed in shutting down a core system. New systems coming into the facility have to be evaluated for secure hardware and firmware and should not be assessed only as standalone pieces. The strategy needs to encompass the site-wide cybersecurity view. Vendors contributing new technologies should also offer IIoT (Industrial Internet of Things) compliant architectures that incorporate cybersecurity at the product, edge control, apps, analytics, and services layers.
A thorough assessment of risks and vulnerabilities in the current environment is an important starting point, best performed by knowledgeable experts who fully understand OT cybersecurity. An approach found effective in helping Oil & Gas companies shore up their plant cybersecurity protection schemes includes the following steps:
- Evaluate the plant environment to determine how cybersecurity is currently managed.
- Identify exposed systems and their security protocols. Determine what firewalls are in place, and how the site’s Active Directory (the files that store information about network components) is managed and accessed.
- Assess the process by which third-party systems are validated (i.e., is tight version control of software in place, and is close attention being paid to third-party software release updates?).
- Determine the location of the connection points and assess how those points are being managed (if this piece is not well managed, it is a problem for introducing digitalization).
A successful cybersecurity plan is dependent on people, process and technology. We are focusing a lot on technology, as we should. All of us in the industry must do our part to ensure our technology is secure. To do this, we must have a three-pronged approach:
- Ensuring our technology and development processes are secure and up to current expectations and standards
- All in this industry, providers and customers, must collaborate to ensure our collective ecosystems are always safe
- We all need to participate in developing standards we can all abide by, to ensure interoperability and security
Manufacturers like Schneider Electric, for example, apply a Secure Development Life Cycle (SDL) approach to all of their core control and safety products. Within the context of SDL, secure architecture reviews are performed, threat modeling of the conceptual security design takes place, secure coding rules are followed, specialized tools are utilized to analyze code, and security testing of the product is performed. These actions help to “harden” products, making them more resilient against cyberattacks. In this way, as new products replace old, entire systems evolve to become more cyber secure.
It is also very important not to lose sight of the other parts of the equation – people and process. To ensure security we need to educate and train every person on their responsibilities and on the implications of their actions. Many actions inadvertently create cybersecurity issues. In fact, cybersecurity is a joint responsibility shared by the Oil & Gas enterprises themselves, the employees with access to the critical systems, and the technology partners that provide both traditional and digitalized solutions.
Schneider Electric will be driving and leading efforts to engage industry forums and entities, other competitors, and customers in the process industry to work on openness and standards. We believe we are in a very strong position to drive this and are committed to cybersecurity for our industry, not just our business or systems.
To learn more about how your organization can minimize cybersecurity risk while enjoying the business benefits of digitization, visit the Schneider Electric cybersecurity services web site.
Visit us at CERAWeek where Schneider Electric is a proud Industry Partner Sponsor.