Refineries, petrochemical plants and other oil and gas facilities are increasingly embracing the Internet of Things (IoT) to collect and interpret more robust data sets. The IoT relies on networks of sensors, communication protocols, data collection and even artificial intelligence to provide better information and improve decision-making.
Increasingly, IoT components communicate with each other via wireless signals instead of more traditional "hard-wired" configurations. Wireless expands the reach of IoT systems at an industrial facility; for instance, sensors can be placed in harder-to-access locations and enhance plant asset condition monitoring. Wireless can also increase a facility's vulnerability to cybercriminals.
"The race to digitally connect industrial components has meant that many elements that would once have resided safely within the infrastructure are now laid bare for anyone to find," said Edgard Capdevielle, CEO of Nozomi Networks, which produces cybersecurity software for industrial control systems (ICS).
Industrial facilities can block attempts to access wireless signals, but they can turn to other lines of defense as well, Capdevielle continued. Machine learning and artificial intelligence (AI)-enhanced cyberattack detection are two key innovations that can help refiners, petrochemical manufacturers and others improve the efficiencies of their industrial process cybersecurity programs, he said. He added that cybersecurity tools can streamline incident investigations to contain attacks before significant damage can occur – and without the need for additional staffing.
In a recent conversation with DownstreamToday, Capdevielle elaborated on the cybersecurity vulnerabilities of wireless systems, emerging weapons to combat these threats and more. Read on for his insights.
DownstreamToday: What could result from a cyberattack on an oil refinery, petrochemical plant or other industrial facility?
Edgard Capdevielle: Productivity, availability and workforce safety can all be impacted by intentional and unintentional cyber incidents. Without wishing to be dramatic, human safety is at risk should these systems be breached. Water, power, energy and transportation systems are all operated by similar technologies, ones that have historically been hard to protect, and hackers have already turned the lights off in the Ukraine.
DownstreamToday: Why does connecting industrial components wirelessly open up a new set of vulnerabilities from a cybersecurity perspective?
Capdevielle: Industrial installations were never designed to be connected to the outside world, yet the reality is that the wall that separates IT and operational technology (OT) is permeable.
As the network expands, it seems logical to take advantage of improved productivity, so suddenly connections are tolerated from trusted external contractors to "service" parts of the infrastructure. From there many have taken the leap of faith and gone wireless, or aggregated to a central network operations center (NOC). The issue is that, once you've established IT connectivity, it's difficult to put the genie back in the bottle. Each of these avenues is a potential point of weakness that can be compromised – by hackers burrowing in, or malware, such as ransomware, detonating internally and then radiating out.
DownstreamToday: How do owners and operators of these oil and gas facilities generally protect themselves from cyberattacks? What are the limitations of the status quo?
Capdevielle: ICS networks today face all the same security use cases – such as malicious insiders, cyber espionage, etc. – as IT networks but lack similar security options. What vendors and operators need to internalize is that it is no longer reasonable to deploy industrial control infrastructure without its corresponding security. It is like selling a car without seatbelts.
Complexity, connectedness and scale are the enemies of cybersecurity, so as more Industrial IoT devices move into the oil and gas sector, so does the opportunity for more risk. On one hand, automation and robotics can increase risk, as these systems are hard to patch and contribute to complexity. On the other hand, newer equipment may have better security designed into it as compared to older equipment. Security-by-design is still a fairly new concept that's not often found today in off-the-shelf solutions. It is, however, gaining more attention. For instance, in the power grid space, IEC (the International Electrotechnical Commission) is working on the 62351 family of standards that support end-to-end secure-by-design architectures in future systems.
Doing nothing isn't an option. You must assume incidents are happening so the bigger question is how well equipped are you to identify and then deal with them?
DownstreamToday: How can machine learning and artificial intelligence contribute to the new line of defense in oil and gas cybersecurity?
Capdevielle: We have gone from perhaps one "extraordinary" attack per year orchestrated by a nation-state (Stuxnet in 2010), to a barrage of attacks every day in the U.S. alone (as reported by the U.S. Department of Homeland Security for 2015), turning the extraordinary into an everyday occurrence.
When it comes to effective cybersecurity, oil and gas companies must consider new technologies like passive monitoring systems that utilize artificial intelligence and machine learning to help deal with the complexity of monitoring industrial systems and identifying incidents and anomalies. And they must invest in systems and processes that help once an intrusion has happened. That means deploying tools that can identify intrusions and the processes and training involved with incident response.
Control system traffic is fairly predictable so, by establishing a baseline of ICS network communications and conducting active monitoring for anomalies, anything that deviates from expected behavioral patterns is an anomaly worth analyzing. Furthermore, it would be very valuable to identify if these anomalies are due to malicious activity or unintentional errors that could cause process impacts/disruptions – whether from internal or external sources.
DownstreamToday: Are any other industries already using these technologies? In other words, can the oil and gas industry learn this approach from someone else?
Capdevielle: Many critical infrastructure industries have the same issues related to ICS cybersecurity. However, the oil and gas industry has been more progressive and proactive than many other sectors. Because the threat environment continues to escalate, there is still significant room for improvement.
Oil and gas companies are more prone to delegate OT management to vendors and therefore have less OT-specific knowledge about the equipment they use. As a result, they have less control of the infrastructure and its security. Historically, oil and gas companies have focused on strengthening IT security and isolating OT from IT. Today, that approach is no longer enough as IIoT (Industrial Internet of Things) makes it possible for cyberattacks to go straight to the OT subsystems.