Moving beyond the previous generation of analog technologies, today’s oil field of networked wells is quite different. Companies deal with the complexities of a web of wells connected to separation tanks, storage tanks, control centers and groundwater wells across large territories.
To facilitate better operational efficiency, greater visibility and improved human safety, the digital oilfield concept emerged. New networks were created to enable automation and operator visibility. The digital oil field became software-driven across the entire service trajectory, delivering major operational improvements but also creating new and possibly catastrophic cybersecurity risks that must be addressed.
Given the way large and small oil and gas companies are networking more and more equipment for wired and wireless connectivity, with applications accessible on laptops and smartphones, there is an upward jump in the sheer quantity of networked devices, as the industry moves away from small islands of “air gapped” connectivity. Also joining the network are more sensing equipment and visual recognition applications to help detect spills or production shutdowns. Looking at the ever-growing network and the proliferation of Internet of Things (IoT) devices, two powerful trends are coming together in digital oilfield security.
As networks get bigger and more complex, it only takes one action to cause exponential trouble. A single laptop in the field with malware can be leveraged by hackers into the means to launch attacks across the entire infield network. The bigger the networks, the harder they are to protect at the network boundary. Oil and gas industrial networks are becoming as open and exposed as conventional IT networks. They must be protected on the basis that attackers will eventually find ways to access the network and might be able to find vulnerable networked devices to form the basis of an initial compromise.
Key sources of cyberattacks
Where are cyber threats coming from? Unfortunately for the oil industry there is a broad range of potential attackers and types of attacks. Attackers include vandalism threats as well as highly motivated state actors with direct economic interests in disruption, looking for a vulnerability and choosing the right moment to attack. Or competitors may simply be trying to steal commercial secrets from the field.
Cybersecurity has leapt from being barely on the oil and gas operators’ radar to becoming a major operational challenge. Yet, too many oil and gas companies are still taking a somewhat laissez-faire approach, as if they are still working with small closed network islands and fixed-function controllers. Meanwhile, the intersection of more infield automation, more networking, IoT adoption and more aggressive attacks have exposed major security issues, and companies need to step up their efforts to match the scale of the threats.
Xage’s Edge security system provides a blockchain-protected security fabric that creates a distributed, redundant and tamper-proof ecosystem to enable multiple vendor and multiple customer authentication and access controls for protection of deployed SCADA systems. (Source: Xage)
Cybersecurity actually has a repeatable recipe. Step one involves identifying and locking down assets deployed in the field so attackers cannot use unapproved devices as a launchpad for their attacks. In other words, companies must have a secure way of holding the inventory of accessible systems, of enforcing access control and enabling restricted policy-based enrollment and management.
Step two focuses on device passwords, making sure that all passwords are so complex they cannot be guessed, keeping those device passwords securely in the edge and having technicians use personal credentials—not hardcoded device passwords—to access data, remote terminal units and other devices. This personal “role-based access control” also can enable secure remote access and control of infield systems.
Step three addresses securing legacy systems. Security should be added in such a way that if a legacy system is hacked, fingerprint changes can be recognized and attackers can be blocked from issuing damaging control instructions and prevented from infecting other components. Given the vulnerabilities of many existing SCADA, human-machine interfaces (HMI) and remote terminal units, real access control with explicit authorizations is required for legacy equipment and protocols.
For example, when software needs to interact with a controller in the field, it should be required to prove its identity before being able to access that controller. This has become increasingly important with more software- to-machine interaction in a world oriented toward interconnecting and automating various elements with distributed intelligence.
Step four involves constructing a system that has no single point of security failure. Otherwise, if hackers can gain control of a HMI, for instance, they can control the entire system and easily access new systems to attack. System construction must best ensure that if any aspect does get compromised, the operator can prevent the attack from spreading beyond those compromised elements to the entire spectrum (i.e., across many nodes) of the field.
The big picture
A typical oil and gas company may have hundreds or thousands of assets in the field, a wide-ranging array of devices from controllers to HMIs spread over multiple geographies and territories. Consequently, there’s a major problem with tracking all these assets and creating an inventory of the assets and software applications allowed to interact with each other.
Making the solution more complicated is the evolution of various technologies and equipment resulting in a hodgepodge of protocols. For historical reasons, many do not have any authentication or control built in, which means the equipment and software are interacting without explicit access control. To solve that problem, gateways are deployed around the edges in the oil patch, the control centers and by tank sites to manage access between the various controllers, sensors, applications and users—giving the operator the ultimate control over data exchange in the field to improve security and availability.
A key cybersecurity point is that companies should implement application-level security for their systems as contrasted with pure network-level security. Application-level goes beyond network security in controlling who can do what, which devices can “talk” to each other and which applications are allowed to issue instructions for certain devices. Operators should not be satisfied with security that breaks down as soon as the network is breached.
What are key cybersecurity takeaways for companies? Security for oil and gas is different from traditional security models. It focuses on authentication, trust and access control between devices, applications and users in the field and utilizes a distributed security approach with no single point of failure.
Companies must recognize that large security risks are real and protection requires more aggressive approaches, regardless of how near or far a potential threat may have appeared until recently. Companies also must recognize that highly automated IoT approaches are not consumer science fiction but are quickly taking hold in oil and gas. Companies are discovering that yesterday’s security approaches simply will not serve today’s automated world. As a result, they need a new approach to get prepared for the huge operational benefits that IoT can bring—without the potentially catastrophic risks.