Solving Cybersecurity Challenges in the Oil and Gas Industry

Unlike their peers in similar sectors, oil and gas organizations haven’t always faced tough regulatory OT requirements. Absent catalyst events like the widespread grid outages that led codification of NERC reliability rules, regulators were mostly happy to leave companies and industry groups in charge. Even with high profile incidents like Colonial and growing unease about the cybersecurity consequences of geopolitical instability, many orgs were still not being proactive about their OT security.

But with the 2021 TSA Security Directive on pipeline and LNG operators, recently updated with new guidance, CIP compliance and security rules have arrived. This matches past developments in other sectors, with guidance moving from voluntary to compulsory, and increasingly prescriptive rules being put into place. Requirements are more and more programmatic, including formal vulnerability assessments and regular testing and validation of controls.

It’s also not just regulators demanding concrete answers on readiness. Underwriters, suppliers, investors, and customers—everybody’s expectations on cybersecurity for oil and gas are high. It’s up to OT teams to take the lead in protecting the organization by securing the environments they operate and control, ensuring unique needs stay met.

Distinct technical challenges

The unique operating challenges of oil and gas multiply the security difficulties most all OT teams already face, while adding new constraints to the mix. Like most OT environments, oil and gas production systems are a complex mix of vendors and versions, with legacy and new infrastructure carefully integrated and optimized to maximize safety and reliability.

Oil and gas production requires the physical connection of disparate physical sites and facilities, including remote and distributed assets, resulting in systems that span thousands of miles and nearly every terrain. These environments are typically optimized to ensure maximum safety, uptime, reliability, and productivity. Any other outcome, compliance or security included, is secondary.

Embedded resource constraints

All these pressures are being confronted by organizational cultures not exactly designed for agility, with many decision-makers still seeing technology, digital, as an expensive and potentially dangerous distraction. This is especially true when it comes to cybersecurity, where many decision-makers still believe they face a binary choice between safety and security.

At the same time, the teams responsible for operations and maintenance are already busy beyond capacity, and don’t have the time or expertise required to add security to their job description. Some assets might sit unattended or unwatched for weeks on end, with others only accessible after much hard work and disruption.

Towards a single source of truth: making OT security work in oil and gas

Establishing visibility across the distributed complexity of oil and gas systems would be difficult for even a well-resourced team of dedicated experts. OT organizations must find a way to solve the technical and governance challenges standing in the way of getting fundamental security questions answered.

• How do we gain visibility into our assets and environments? How can we begin to build a logical, organized view of how we work?
• How can we understand risk driven by our systems and supply chains? How can we help solve information governance and security conflicts?
• How do we watch for change driven by expected and unexpected events? How can we scan our environments for known vulnerabilities and emerging threats?
• How do we create context out of disparate information sources? How can we better inform the decisions teams and tools must make?
• Where can we quickly access insights and reporting to give leaders and regulators answers they want?

Bring advanced technology to better best practices

Oil, gas, and energy OT teams deserve security tools built with their needs in mind, especially the extreme system complexity and sensitivity. Here's what we recommend for ICS security teams in the oil and gas industry:

• Experts need multiple methods of data collection: passive monitoring, manual entry, configuration analysis and active discovery techniques. No single method is sufficient on its own.
• Teams need to be able to automate collection where possible, while still enabling manual collection methods where necessary.
• Organizations need to be able to adapt, extend, and customize these methods, ensuring a completeness of information that goes beyond structured telemetry, software version data, and other traditional inputs.
• Leaders need a single source of OT truth they can trust for important answers on compliance and readiness, and for fast access to reporting when regulators call.