By Paul Wiseman
The great majority of successful hacks—for ransomware, spyware, information theft, or just plain chaos—come through human error. That is, someone opened a phishing email and entered a password or account number. But three oil and gas industry security experts said that, while education on that front is vital and ongoing, hackers are finding new ways to slip sideways into back doors and cracks. And artificial intelligence (AI) is expanding the ability of phishing campaigns to look more real than ever.
The experts are: Michael Kosonog, Deloitte’s U.S. cybersecurity lead for energy resources and industrials; Leo Simonovich, V.P. and global head of industrial cyber and digital security at Siemens Energy; and Jason Christopher, certified instructor and director of cyber risk for Dragos. Christopher also teaches cyber security classes for SANS, a cybersecurity education company.
All agreed that because hackers never sleep, neither can security firms and teams, nor can any individual who has access to their company’s network at any level. That includes both the obvious, information technology (IT, the back office such as accounting), and the less obvious, operational technology (OT, the controllers, sensors and edge devices that run and monitor physical processes in the field and send data back to the office).
That’s because the digital revolution is connecting the two formerly disparate elements, as companies increasingly want real-time data from the field, delivered through wireless networks. Kosonog pointed out that most OT and SCADA systems are based on older technology, “where security wasn’t planned into it. They create this extra attack surface, with more devices and more systems, where threat actors can get in.”
In SCADA’s early days, pumpers would travel to a site, download data onto a thumb drive or a laptop, and deliver it to the office for uploading. Field systems were air-gapped, with no remote attack point. A threat actor could in theory visit each site and steal some data, but could not use that site as a way into the larger network, which made the exercise inefficient and mostly pointless. (The thumb drive itself was still a path for malware to cross the gap, as later incidents in other industries showed, but it offered no remote access.)
Today’s oil field—upstream, midstream, and downstream—uses wireless technology to give personnel real-time data and control. That’s all great if it’s secure. Added Simonovich, “Operational technology is the new risk frontier. It is now on par with safety as a top concern for oil and gas companies’ boards and CEOs and for Chief Information Security officers, who have to work with the business to figure out how to address the topic.”
Kosonog listed four main categories of threats in the sector: ransomware, phishing, systems, and supply chain attacks. “Think SolarWinds—where a piece of software allows a threat to get into multiple, multiple systems,” he said.
The supply chain risk is one of the surprising but growing threats. Austin-based SolarWinds provides system management tools for monitoring networks and infrastructure, and it has thousands of clients, including the U.S. government. In a compromise disclosed in December 2020, attackers had gained access to the build process for its Orion software and shipped a trojanized update, later named SUNBURST, that was downloaded by roughly 18,000 customers and gave the attackers a foothold in a subset of them. All of that was accomplished through a single intrusion into one vendor.
Simonovich suggested oil and gas firms should take a threefold approach to dealing with supply chain hacks.
“First, think about having a dedicated OT program that you measure yourself against—something that tells you how well you’re doing. Second, put together a joint response plan with your OEM (original equipment manufacturer—the supplier).” He noted that smaller suppliers are the most likely to get hacked, because they often lack the resources to have robust cyber security systems themselves.
Third, he said, companies need a clear response plan for when something does happen because, even with extreme diligence, it only takes one hack to create havoc.
To that point, Simonovich said Siemens Energy had polled oil and gas operators about security issues and found a disturbing fact. “What we see is that the majority of the oil and gas entities that we surveyed had at least one major operational event that led to a shutdown or a safety issue.”
While that is far from encouraging, Simonovich pointed out that a successful hack does not need to be the end of the world. Resiliency, he said, is the key. It is “both about the speed to detect, and the speed to recover and get back up. Can you handle the volume of threats that are coming your way? Ultimately, do you have a plan for when a breach occurs? It’s not enough to monitor, you have to build contingency plans to be able to recover, as well.”
Diligence never ends, he warned. Companies must continue working jointly with suppliers to mature their programs. “Innovation is really key: building a roadmap, one that has visibility at the core. Then,” he added, “the main thing is seeing it as a marathon, not a sprint.”
Safety Dance
The first publicly known attack aimed specifically at safety systems came in 2017, from an activity group Dragos tracks as XENOTIME, said Dragos’ Christopher. Their malware, known as Trisis or Triton, targeted safety instrumented systems (SIS) at a facility in Saudi Arabia, specifically Schneider Electric’s Triconex controllers. The intrusion was discovered only because the compromised controllers failed safe and tripped the plant; the attackers had already gained the ability to reprogram the safety logic before that shutdown exposed them, which was unsettling to the vendor and to safety managers at large. Christopher said that these are “things that are more concerning from an operational perspective than just ransomware.”
Simonovich said that “digital safety” has been a common term referring strictly to digital issues. But with attacks like this one, the line between digital safety and physical safety is blurring.
In oil and gas, cybersecurity in ICS is also about safety, Christopher explained, even if the attack does not specifically attack safety operations. “If I don’t have a cyber-secure system, do I really have a safe system? We now have demonstration that hackers are going after safety systems. And if I don’t have the right level of security—nobody wants to go to a site where they know they’re not going to be safe, and that’s really the thing we need to understand from a cultural perspective.”
Off the Shelf and AI Hackers’ Assistance
Like an Amazon for hackers, said Kosonog, “There are ransomware-as-a-service sites where these threat actors and cyber criminals pay a monthly charge to get a service to launch ransomware attacks on targets that they want.”
That anyone can start hacking almost as a hobby, with little training, is one thing. But another threat, AI, looms even larger. You may have heard of ChatGPT, a generative AI service that writes emails, sales materials, and other text on request. It is considered bad news for some writers but not for many others.
Now, think of a system like that, drawing on massive amounts of data from the web, assembling realistic-looking phishing campaigns. Kosonog continued, “There’s been a lot of discussion lately around AI. The real next layer around some of the phishing is leveraging more and more of the newer ChatGPT’s generative AI solutions for the threat actors, and continuing to create more and more realistic phishing attacks. With some of this AI we’ve been talking about in the last few years, we’re beginning to see the threat actors using it to further the realistic nature of some of these campaigns. For us it’s more to think about on a daily basis.”
Prevention
As stated, there is no way to ensure complete safety. But human instruction, along with system designs that build in security measures, is becoming more and more critical. Training workers to recognize and avoid phishing emails is an obvious first step, since phishing is one of the main sources of hacks.
Kosonog said, “A lot of times it really comes back to making sure your organization is educated—not opening, not clicking on emails you don’t know where they come from, having a programmer on your security awareness team, where the human side…. that needs to be one of the most basic things that we do. Along with that, making sure that you’re looking for vulnerabilities in your systems, that you’re monitoring for threats in both your IT and OT environments—basic hygiene. Training for things that don’t look right—a copyright that’s a year off, a company logo that doesn’t quite look like the logo. It starts off with not knowing who this is.”
He also suggested companies conduct phishing campaigns internally to test their people’s responses. Would they click on a link? If so, it’s time to retrain.
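The indicators Kosonog lists can be checked mechanically before a message ever reaches a pumper’s inbox. The following is an added example, not code from the article or from any of the companies quoted: a small Python triage script that parses two constructed sample messages (the PermianCo domains, addresses and message text are hypothetical) and flags a lookalike sender domain, a mismatched Reply-To, link text that does not match its destination, and a copyright year that is off. It is a training aid for the same heuristics, not a substitute for mail filtering.

```python
"""Phishing-indicator triage over constructed sample messages.

Added example (not from the original article). The domains, addresses and
messages below are constructed for illustration; only the heuristics are
the point: lookalike sender domain, mismatched Reply-To, stale copyright
year, and link text that points somewhere other than it claims.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical company domains an operator would trust (assumption).
TRUSTED_DOMAINS = {"permianco.com", "permianco-oem.com"}

LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)
COPYRIGHT_RE = re.compile(r"(?:©|\(c\)|copyright)\s*(\d{4})", re.I)
HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)


def levenshtein(a, b):
    """Edit distance, used to spot typosquats such as permianc0.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part of an RFC 5322 address, display name ignored."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def lookalike(domain):
    """Return the trusted domain this one imitates (within 2 edits), or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    closest = min(TRUSTED_DOMAINS, key=lambda t: levenshtein(domain, t))
    return closest if levenshtein(domain, closest) <= 2 else None


def phishing_indicators(raw, current_year):
    """Return a list of human-readable findings for one single-part message."""
    msg = message_from_string(raw)
    findings = []
    from_domain = domain_of(msg.get("From", ""))
    imitated = lookalike(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} looks like {imitated}")
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")
    body = msg.get_payload()  # samples are single-part, so this is the text
    for m in COPYRIGHT_RE.finditer(body):
        year = int(m.group(1))
        if year != current_year:  # soft signal: "a copyright that's a year off"
            findings.append(f"copyright year {year} does not match {current_year}")
    for href, text in LINK_RE.findall(body):
        href_host = HOST_RE.match(href)
        text_host = HOST_RE.match(text.strip())
        if href_host and text_host and href_host.group(1).lower() != text_host.group(1).lower():
            findings.append(f"link text shows {text_host.group(1)} but points to {href_host.group(1)}")
    return findings


# Constructed sample: a credential-harvesting lure dressed up as IT support.
PHISH = """From: "PermianCo IT Support" <helpdesk@permianc0.com>
Reply-To: recovery@mail-reset.example
To: pumper@permianco.com
Subject: Password expires today
Content-Type: text/html

<p>Your password expires today. Sign in at
<a href="http://permianco.login-reset.example/auth">https://portal.permianco.com</a>
to keep access.</p>
<p>© 2021 PermianCo. All rights reserved.</p>
"""

# Constructed sample: a legitimate notice from the real (hypothetical) domain.
LEGIT = """From: "PermianCo IT Support" <helpdesk@permianco.com>
To: pumper@permianco.com
Subject: Scheduled maintenance Saturday
Content-Type: text/html

<p>The SCADA historian will be offline Saturday 02:00-04:00.
Details: <a href="https://portal.permianco.com/maintenance">https://portal.permianco.com</a></p>
<p>© 2023 PermianCo</p>
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, phishing_indicators(raw, current_year=2023))
```

The same four checks are what a phishing-simulation debrief should walk people through: the display name looked right, but the domain was one character off, the reply went somewhere else, the link did not go where it said, and the footer was stale.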
Simonovich pointed out how safety issues vary. “The difference between physical safety and digital safety is that with physical safety you can box the environment [with occasional exceptions for weather or unexpected outside forces]. In the digital safety world, it’s threatened by machines all the time. They’re constantly looking for new techniques to get in. Digital safety is about continuous training and vigilance.”
For Christopher, more formal training, even certification for IT professionals, would go a long way toward securing systems. “One of the things we do recommend is that there is some sort of security training before you grant that employee access to your system.”
The kind of training depends on where the person will be working. On the rig or at the refinery, training is different than in the office. “I would more want the person that’s on the rig or at the refinery to understand how an attacker may target them and go after safety systems or after production systems, topics that don’t normally come top-of-mind now,” Christopher said.
And for IT professionals, he noted that certification does exist for cyber security. GIAC (Global Information Assurance Certification), the certification body affiliated with SANS, offers that option, and SANS courses prepare candidates for it.
On the systems side, said Christopher, “If we’re just enabling features, but you’re not putting in the security controls, to make sure that the bad guys can’t also have access, that can lead to some catastrophic scenarios. Those are the types of things folks need to have at the forefront of any upgrade decision or digital transformation decision. It’s not either-or, it’s what I would call a yes-and.”
Older systems were more trusting of who they were working with. He continued, “Most systems were designed thinking a trained, knowledgeable engineer was operating it. If it’s told to reverse flow, it will do that even if it breaks the system because it trusts the input. Non-accessible fail-safes, such as a valve that releases when overpressured, which only works manually—that’s part of your cybersecurity priorities.”
Christopher noted that SANS has issued a white paper (find it here: https://sansorg.egnyte.com/dl/4hgxqaIF7N) entitled, “The Five ICS Cybersecurity Critical Controls.” Those five are:
- ICS INCIDENT RESPONSE: Operations-informed IR plan with focused system integrity and recovery capabilities during an attack. Exercises designed to reinforce risk scenarios and use cases tailored to the ICS environment
- DEFENSIBLE ARCHITECTURE: Architectures that support visibility, log collection, asset identification, segmentation, industrial DMZs, process-communication enforcement
- ICS NETWORK VISIBILITY MONITORING: Continuous network security monitoring of the ICS environment with protocol-aware toolsets and system of systems interaction analysis capabilities used to inform operations of potential risks to control
- SECURE REMOTE ACCESS: Identification and inventory of all remote access points and allowed destination environments, on-demand access and MFA where possible, jump host environments to provide control and monitor points within secure segment
- RISK-BASED VULNERABILITY MANAGEMENT: Understanding of cyber digital controls in place and device operating conditions that aid in risk-based vulnerability management decisions to patch for the vulnerability, mitigate the impact, or monitor for possible exploitation
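Two of the five controls, defensible architecture and protocol-aware network visibility monitoring, are concrete enough to sketch in code. The following is an added example written for this page; it is not code from SANS, Dragos, or the article. It assumes a hypothetical plant policy (OT segment 10.20.0.0/16, a jump host at 10.30.0.5 in the industrial DMZ as the only sanctioned path in from IT, one engineering workstation allowed to issue writes, and holding register 100 treated as a pump setpoint limited to 0..1500 rpm), and it runs over constructed flow records carrying Modbus/TCP frames. It flags traffic that bypasses the jump host, write function codes from hosts that should only read, and setpoint writes outside the assumed safe range, which is the kind of input validation Christopher notes older controllers never did.

```python
"""Protocol-aware monitoring of Modbus/TCP over constructed flow records.

Added example; not code from the article, SANS, or Dragos. The addresses,
segments, register map and policy are assumptions chosen to illustrate two
of the five controls: a defensible architecture (who may talk to a PLC, and
from where) and protocol-aware visibility (which function codes they use).
"""
import ipaddress
import struct

# --- Hypothetical plant policy (assumption) --------------------------------
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
JUMP_HOST = ipaddress.ip_address("10.30.0.5")          # DMZ jump host, only sanctioned path in from IT
ENGINEERING_WS = {ipaddress.ip_address("10.20.5.10")}  # the only host allowed to issue writes
PLCS = {ipaddress.ip_address("10.20.1.11"), ipaddress.ip_address("10.20.1.12")}
# Holding register 100 is assumed to be a pump speed setpoint, 0..1500 rpm.
SETPOINT_LIMITS = {100: (0, 1500)}

WRITE_FUNCTIONS = {5: "write single coil", 6: "write single register",
                   15: "write multiple coils", 16: "write multiple registers",
                   23: "read/write multiple registers"}
MBAP = struct.Struct(">HHHB")  # transaction id, protocol id (0), length, unit id


def modbus_frame(unit, fc, data, transaction=1):
    """Build a Modbus/TCP request; the length field counts unit id plus PDU."""
    pdu = bytes([fc]) + data
    return MBAP.pack(transaction, 0, len(pdu) + 1, unit) + pdu


def parse_modbus(payload):
    """Return (unit, function code, data) or None if the MBAP header is not sane."""
    if len(payload) < MBAP.size + 1:
        return None
    _, proto, length, unit = MBAP.unpack_from(payload)
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7], payload[8:]


def register_writes(fc, data):
    """Yield (address, value) pairs for the holding-register write functions."""
    if fc == 6:
        yield struct.unpack(">HH", data[:4])
    elif fc == 16:
        addr, qty, count = struct.unpack(">HHB", data[:5])
        for i, value in enumerate(struct.unpack(f">{count // 2}H", data[5:5 + count])):
            yield addr + i, value


def inspect_flow(src, dst, payload):
    """Apply the policy to one (src, dst, payload) record; return alert strings."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst not in PLCS:
        return []  # not traffic this sensor polices
    parsed = parse_modbus(payload)
    if parsed is None:
        return [f"{src}->{dst}: malformed Modbus/TCP frame"]
    unit, fc, data = parsed
    alerts = []
    if src not in OT_SEGMENT and src != JUMP_HOST:
        alerts.append(f"{src}->{dst}: Modbus from outside the OT segment, not via jump host")
    if fc in WRITE_FUNCTIONS and src not in ENGINEERING_WS:
        alerts.append(f"{src}->{dst}: {WRITE_FUNCTIONS[fc]} (fc {fc}) from non-engineering host")
    for addr, value in register_writes(fc, data):
        lo, hi = SETPOINT_LIMITS.get(addr, (0, 0xFFFF))
        if not lo <= value <= hi:
            alerts.append(f"{src}->{dst}: write of {value} to register {addr} outside {lo}..{hi}")
    return alerts


# Constructed flow records: (source IP, destination IP, TCP payload on port 502).
FLOWS = [
    # HMI polling a PLC with read holding registers (fc 3) from inside OT: fine.
    ("10.20.5.20", "10.20.1.11", modbus_frame(1, 3, struct.pack(">HH", 0, 10))),
    # Engineering workstation setting the pump to 1200 rpm: allowed.
    ("10.20.5.10", "10.20.1.11", modbus_frame(1, 6, struct.pack(">HH", 100, 1200))),
    # Office laptop writing a coil straight into a PLC, bypassing the jump host.
    ("10.10.7.33", "10.20.1.12", modbus_frame(1, 5, struct.pack(">HH", 3, 0xFF00))),
    # Jump-host session pushing an out-of-range setpoint via write multiple registers.
    ("10.30.0.5", "10.20.1.11", modbus_frame(1, 16, struct.pack(">HHBHH", 100, 2, 4, 4000, 7))),
    # Garbage on port 502: protocol id field is 7, not 0.
    ("10.20.5.20", "10.20.1.11", bytes.fromhex("0001 0007 0006 01 03 0000 000a")),
]


def run(flows=FLOWS):
    """Inspect every record and return the combined alert list."""
    return [a for src, dst, payload in flows for a in inspect_flow(src, dst, payload)]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

In a real deployment this logic sits on a sensor fed by a tap or span port in the OT segment; the point of the example is that the alerts come from the function code and the register values, not only from the IP pair, which is what “protocol-aware” means in the third control.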
In sum, said Simonovich, “This should be a top issue that we focus on. It should not just be treated as a cost. It should be treated as a strategic imperative that enables digitalization, and that enables companies to get more competitive.”