The Digital Canterbury Tales: Part Nine – Secure by Design View of Chief Security Officer

The world today is a different place than it was 20 years ago with constant advances in technology, science and engineering. Unfortunately, those same advances can also provide new ways to cause harm. The good news is that we are connected. But the bad news is that we are connected and some bad actors know where the back doors are. The oil-and-gas sectors have been rapidly digitizing their businesses. While this has brought significant value from analysis, process optimization, and automation, it has also broadened access to previously isolated process control and SCADA systems by users of the corporate IT network and third parties with physical and/or remote access to the operations network. In many cases these legacy control systems were not designed for this new degree of collaboration.

So, here lies the tale of Allan, our chief of cybersecurity. Allan’s company is a globally integrated oil-and-gas company facing frequent cyberattacks, even as it undertakes a digital transformation that increases the exposure of its critical information systems. A successful attack on its assets would harm the economy of host nations as well as the enterprise value for shareholders, customers and employees.

Just to cite one example, in June 2017, the NotPetya computer virus affected many global companies, including the Russian oil giant Rosneft. In the same year, another report stated that almost three quarters of US oil and gas companies had had a cyber incident, yet only a handful cited cyber risk as a major concern in their annual reports. Allan has a challenge on his hands. His executives are pushing for more digitization and connectivity, but at the same time they are worried about the bad publicity they would get if they were hacked.

The traditional focus of cybersecurity has been on home office IT systems. Allan came from the IT department and knows the challenges of this environment very well. But now Allan’s attention also has to address the growing trend of operations networks on production sites being connected to wider corporate networks. The business purpose of this greater connectivity is obvious. By allowing remote monitoring and even remote control, his company gains greater insight into its operations, maximizes scarce domain expertise and improves logistics for oil field equipment. But with this connectivity comes a new vulnerability.

To quote from a recent McKinsey report, “In many cases, this digitization has allowed access to these OT devices from the wider internet, as well. According to analysis of production OT networks by CyberX, an industrial cybersecurity company, 40 percent of industrial sites have at least one direct connection to the public internet, and 84 percent of industrial sites have at least one remotely accessible device. In response to the danger, ICS manufacturers can analyze USB-borne threats to detect and neutralize those that could seriously disrupt operations.”

Allan and his small team have the dual challenge of protecting against new digital threats while maintaining a largely legacy OT environment. Most companies still operate with their founding cybersecurity initiatives, such as patch management and asset compliance. More than half of the OT environments tested in one study had versions of Windows for which Microsoft is no longer providing security patches. Fully 69 percent had passwords traversing OT networks in plain text. Allan’s team has completed a company-wide “threat assessment” and critical systems inventory, and he knows his current situation is not good. His fingers are crossed that a malware attack on his infrastructure won’t bring the damage (both economic and safety) and the headlines his executives won’t want to read.

His company operates across the full industry value chain, upstream, midstream, and downstream. It had suffered attacks on both its IT and operational technology (OT) systems, which, as in most companies, were siloed from each other. Attacks hit IT network security and the supervisory control and data-acquisition (SCADA) systems. The company suffered a ransomware attack, email phishing campaigns, and defacement of its website. As the company was digitizing many systems, including critical controllers, massive amounts of data were exposed to potential manipulation that could trigger disastrous accidents.

So, what is Allan supposed to do? His security strategy focuses on three important steps.

First, Allan’s company has to define and protect its “crown jewels”: its most important assets. To do this, it first had to comprehensively map its business assets and identify the most critical, from automated tank gauges that manage pressure and oil levels on oil rigs to employee health records and customer credit-card information. His company has created an asset registry and a library of controls to protect these crown-jewel assets, which are now being brought online.

Second, Allan’s team focuses on rapidly building capabilities. To address siloed IT and OT operations, it created an integrated cybersecurity organization under Allan (the new chief security officer), aligned with the risk management matrix they developed. The company also tailored industrial security standards to the oil-and-gas industry and its regional context.

There are several good security standards available to follow (including ones from the US National Institute of Standards and Technology (NIST) at the US Department of Commerce and from the European DNV-GL organization based on the IEC 62443 cybersecurity standard for industrial automation and control systems). The challenge is to get the budget and resources from his company to implement the appropriate standards into their normal operations.

Third, Allan has outlined a three-year plan for a holistic cybersecurity transformation. His program has prioritized initiatives, an estimated budget, and provisions to integrate cybersecurity into the digitization effort. The full plan was approved, but he is still working to get the needed resources and, most importantly, the attention of the Chief Operations Officer (Michelle) and her staff. They are saying the right things, but there are always priority and resource conflicts, and the plan never gets implemented as fast as Allan would like.

The key issue is to get security concerns (both physical and cyber) into the initial requirements for new facilities or major upgrades, rather than having to bolt them on to completed designs after the fact. Allan’s company has to create its future digital systems to be “secure by design.”

The digital transformation is not just about technology. It is about changing the way companies work. Digital transformation requires a new digital engineering and operations mindset. Connectivity enables new ways of working between field and office, and between operator and supply chain partners. But that new way of working has to be safe from external and internal threats and build trust between all the players. Allan’s team is looking for a few new members. Are you interested in joining?

References

Dickinson, Ben (ABB) and Mario Chiock (Schlumberger), “Countering Security Issues in the Digital World,” JPT, June 2019.

McKinsey & Company, “Critical infrastructure companies and the global cybersecurity threat,” April 2019.

Hayes Weggeman

Gas Turbine/Rotating Equipment Reliability Engineer

5 years

Well put. Good read.

Marise Mikulis, CCMP

A 20+ year track record of helping businesses break Operations log jams by deploying proven Organizational Change Management (OCM) programs that deliver performance improvements for top organizations

5 years

So glad you added this Digital Canterbury Tale, Jim. Excellent expression of the issue, and excellent timing.
