As the cybersecurity landscape shifts with an increasing number of successful hacktivist attacks, combining process, automation and network engineering tools can address operational technology (OT) security risks.
About 80% of the successful cyber-attacks on industrial operations in 2022 were ransomware-related and about 15% were led by hacktivist groups. The expectation is that future hacktivist efforts will continue to target high-profile targets and infrastructure, according to Andrew Ginter, vice president of industrial security at Waterfall Security Solutions.
While the oil and gas industry hasn’t borne the brunt of cyber-attacks, it has weathered a few onslaughts, including the 2021 Colonial ransomware attack and a trio of early 2022 ransomware attacks on ports that delayed the loading and unloading of oil tankers.
But Ginter worries that might change.
“There are distressing trends, one of which is the trend towards increased hacktivist activity,” he said. “The thing about hacktivists is that they're politically motivated. They don't have a financial agenda and are politically motivated.”
And he believes hacktivists are “quite happy” to target critical infrastructure, and the bigger the better because of the resulting impact. So if hacktivist activity continues to increase, so does the likelihood of attacks on critical infrastructure.
“That's what activists go after. That's what politically motivated attacks go after,” Ginter said.
Fuzzy risk picture
With the low number of successful attacks on the oil and gas industry, he said, some might consider playing the odds when it comes to cybersecurity.
They might ask how likely they are to have nation-state grade ransomware attacking their pipeline or refinery in the coming year, he said.
“That’s the wrong question. I mean, imagine that the refinery goes down for 10 days. How much have you lost? Do the math? It’s a lot of money,” Ginter said. “If your answer is, ‘Hey, we knew that if this grade of ransomware attack came after us, we'd go down. We knew that. We just didn’t think they’d pick on us this year.’ That’s the wrong answer.”
Even with the rise of hacktivist attacks, Ginter said the pervasive threat to critical oil and gas infrastructure is nation-state grade ransomware.
“We need to take really strong measures to protect our system against that network-based threat,” he said.
Part of designing cyber protection has been protecting against worst-case consequences, but there’s no consensus in the industry as to how to assess cyber risk, he said.
Ginter said the IEC 62443 standard for secure industrial automation and control systems touches on the process of risk assessment without spelling out step-by-step instructions on how to conduct one.
“All this thing talks about is the process. It says first you should do a preliminary and you should use the result of that to make a decision. And then you should talk about network segmentation and then decide if you need to do a detail. It doesn't actually tell you how to do the preliminary, it just says that you should do one. Yet we could not get anyone to agree on a methodology for connecting threats and consequence into risk. That's left to the reader,” he said.
Ginter also argues that worst-case consequences should determine the required strength of a system’s security program.
“But even that is controversial,” he said.
Defending OT systems
Yet the worst-case consequence in oil and gas is usually unacceptable, he said, due to the public safety threat involved.
Fortunately, he said, new approaches for addressing such threats are being created, such as the Idaho National Lab’s Cyber Informed Engineering approach, which uses engineering-style mitigations for cyber risk.
Mitigation tactics include placing a mechanical valve on a piece of equipment with the potential to explode if it overheats rather than strictly relying on a longer password on the computer controlling that equipment, he said.
“None of these cybersecurity standards mention the valve because it’s not a cybersecurity mitigation. It’s a safety mitigation. It’s a physical mitigation,” Ginter said.
Such mitigation strategies are what “cyber-informed engineering is all about,” he added.
“The new thinking is wherever practical put electro-mechanical safety in to eliminate the cyber threat to safety. Still use all the cyber stuff. You want a second and third line of defenders, but your last line of defense basically takes the threat off the table,” he said.