As the cybersecurity landscape shifts with an increasing number of successful hacktivist attacks, combining process, automation and network engineering tools can address operational technology (OT) security risks.
About 80% of the successful cyber-attacks on industrial operations in 2022 were ransomware-related and about 15% were led by hacktivist groups. The expectation is that future hacktivist efforts will continue to target high-profile targets and infrastructure, according to Andrew Ginter, vice president of industrial security at Waterfall Security Solutions.
While the oil and gas industry hasn’t borne the brunt of cyber-attacks, it has weathered a few onslaughts, including the 2021 Colonial ransomware attack and a trio of early 2022 ransomware attacks on ports that delayed the loading and unloading of oil tankers.
But Ginter worries that might change.
“There are distressing trends, one of which is the trend towards increased hacktivist activity,” he said. “The thing about hacktivists is that they're politically motivated. They don't have a financial agenda and are politically motivated.”
And he believes hacktivists are “quite happy” to target critical infrastructure, and the bigger the better because of the resulting impact. So if hacktivist activity continues to increase, so does the likelihood of attacks on critical infrastructure.
“That's what activists go after. That's what politically motivated attacks go after,” Ginter said.
Fuzzy risk picture
With the low number of successful attacks on the oil and gas industry, he said, some might consider playing the odds when it comes to cybersecurity.
They might ask how likely they are to have nation-state grade ransomware attacking their pipeline or refinery in the coming year, he said.
“That’s the wrong question. I mean, imagine that the refinery goes down for 10 days. How much have you lost? Do the math? It’s a lot of money,” Ginter said. “If your answer is, ‘Hey, we knew that if this grade of ransomware attack came after us, we'd go down. We knew that. We just didn’t think they’d pick on us this year.’ That’s the wrong answer.”
Even with the rise of hacktivist attacks, Ginter said the pervasive threat to critical oil and gas infrastructure is nation-state grade ransomware.
“We need to take really strong measures to protect our system against that network-based threat,” he said.
Part of designing cyber protection has been protecting against worst-case consequences, but there’s no consensus in the industry as to how to assess cyber risk, he said.
Ginter said the IEC 62443 standard for secure industrial automation and control systems touches on the process of risk assessment without spelling out step-by-step instruction on how to conduct one.
“All this thing talks about is the process. It says first you should do a preliminary and you should use the result of that to make a decision. And then you should talk about network segmentation and then decide if you need to do a detail. It doesn't actually tell you how to do the preliminary, it just says that you should do one. Yet we could not get anyone to agree on a methodology for connecting threats and consequence into risk. That's left to the reader,” he said.
Ginter also argues that worst-case consequences should determine the required strength of a system’s security program.
“But even that is controversial,” he said.
Defending OT systems
Yet the worst-case consequence in oil and gas is usually unacceptable, he said, due to the public safety threat involved.
Fortunately, he said, new approaches for addressing such threats are being created, such as the Idaho National Lab’s Cyber Informed Engineering approach, which uses engineering-style mitigations for cyber risk.
Mitigation tactics include placing a mechanical valve on a piece of equipment with the potential to explode if it overheats rather than strictly relying on a longer password on the computer controlling that equipment, he said.
“None of these cybersecurity standards mention the valve because it’s not a cybersecurity mitigation. It’s a safety mitigation. It’s a physical mitigation,” Ginter said.
Such mitigation strategies are what “cyber-informed engineering is all about,” he added.
“The new thinking is wherever practical put electro-mechanical safety in to eliminate the cyber threat to safety. Still use all the cyber stuff. You want a second and third line of defenders, but your last line of defense basically takes the threat off the table,” he said.