October 2018 Exclusive Story
Oil Production, Refining Output Hit New Heights
HOUSTON–Cybersecurity attacks pose a major threat to the oil and gas industry with consequences that may prove catastrophic for field operations. As field components gain direct lines of communication to today’s fully networked digital systems, companies must fundamentally change their security approach. Yet, the industry is still looking to protect itself using “air-gapping” to isolate secure computer networks from unsecured networks, and applying other techniques borrowed from corporate information technology–techniques that do not always meet the decentralized requirements of oil and gas operations.
The million-dollar issue for energy professionals is figuring out how their organizations can adapt to the rapidly evolving IT environment while also combatting security threats to operations. A big part of the answer is blockchain, the decentralized ledger technology that uses cryptography to facilitate digital transactions.
Security risks are increasing exponentially, with attack frequency growing by more than 250 percent each year. In an industry with as many remote assets as oil and gas, creating authentication and access control between various devices and Internet of Things applications for increased productivity is a challenge. It is also a challenge to securely and instantly access distant systems–whether they are oil and gas storage tanks, control centers, pipelines, or refineries and processing plants–which results in decreased uptime and higher maintenance costs.
The majority of oil and gas companies are reliant on legacy systems that are not equipped to handle the security exposure of IoT connectivity. As a result, most companies are still using vulnerable human-machine interface or supervisory control and data acquisition architectures and poorly protected remote terminal units. As fields become more sophisticated (e.g., delivering more operational efficiency as more devices “talk” to one another, IoT-style) and, as companies take oil and gas fields into new technological dimensions, they are doing so at the cost of creating a much higher level of cybersecurity exposure. And this is comings at a time when attack attempts are constantly escalating.
Security for existing RTU, programmable logic controller, SCADA and HMI systems is often limited, relying on air-gapping local computer networks, or subdividing them using methods such as virtual private networks (VPNs). However, as automation drives the joining together of local networks and rich software applications, and demands for remote access lead to wide-area connectivity, existing RTU, PLC, SCADA and HMI systems are often left unprotected.
Additional exposure comes from the onsite use of outside tools such as laptops and smartphones. Field personnel want to engage in calls with subject matter experts, conduct video calls, access online manuals for field-installed equipment, share information with headquarters and much more. But these external devices can open up bot and malware attack vectors directly into the digital oil field.
Another issue faced by the oil and gas industry comes from the use of temporary contract service personnel. This model opens up operators to security issues they cannot control, whether through the use of poorly protected devices, the leakage of confidential information such as passwords, digital theft, or other malicious action by former workers.
The days of being able to safely isolate an oil or gas field in small pockets of limited connectivity are over.
Blockchain has the potential to solve all of these problems. As is an open distributed database, or “digital ledger” for information, blockchain is essentially a set of computers working together to approve a change before it is verified and recorded. It is tamper-proof because all the computers, or nodes, in the system work together to guarantee the authenticity of information. If someone attempts to compromise part of the blockchain, the system will self-heal as the nodes in the system come together in consensus to reject the false information from the compromised machine.
Blockchain achieves its very high level of security by being decentralized, with no single data store, and building on itself to create an immutable record of tamper-proof data “blocks.” By its very nature, blockchain’s decentralization makes it an excellent match for the highly distributed upstream oil and gas industry. With wells spread across remote locations covering large geographic areas, operators need consistent and secure information in many places, such as a contractor’s login credentials at one location being the same as at another.
Effective cybersecurity begins by creating an inventory of all devices across an operator’s field. That includes well pads, storage tanks, control centers and all the machines, applications and users that interface within the network. With gateways deployed at “the edge” (in simple terms, edge computing allows data generated by IoT devices to be processed in the near vicinity of the devices rather than transmitting raw data to remote centers or to the cloud) and brokers deployed at the company’s control centers, cybersecurity vendors can create a blockchain-protected security fabric complete with policies for how different user groups, devices and applications work with each other.
The operator is given ultimate control over this security fabric, which then acts as an authenticator for all transactions occurring across the operation, including device onboarding, as well as access control for users and control applications. The result is the creation of a tamper-proof security layer, with the authenticator available in distributed machines across the entire oil field.
Tamper-proofing is the top objective for securing operations within the oil and gas industry. Otherwise, every system is as weak as its weakest components, maybe a 10-year old RTU with no protection or an HMI machine running Windows® 98. Blockchain’s key feature involves being able to link many individual components to a single data ledger, and enabling all network components to “talk” to one another and securely share approved information.
Tamper-proofing can extend beyond the network itself to individual devices in the network, allowing organizations to store the identities of connected machines and log this in the secure fabric. These fingerprinted devices include every machine, every central processing unit inside a machine, every piece of software and every sensor. With this accomplished, if a device is changed in an unauthorized manner, the system will lock out the unauthorized device to ensure the security of the entire setup.
Up until now, every device within a network was vulnerable: an attacker could comprise one machine and then use the initial breach to spread contagion across the entire network. A blockchain-based security fabric gets stronger with each device added, creating a new standard of mutual protection. Even if one node is compromised, the system as a whole will not be damaged.
With a 250-percent annual increase in cyberattacks within the oil and gas industry, it is more crucial than ever for companies to update security measures across all equipment. Blockchain interoperates and deploys on existing machines, so that existing investments are preserved and protected from attacks. Benefits include:
As an industry expert observed, “What this system gives operators is the assurance that they will not wake up one morning, a year or two from now, and discover that half of their production has been turned off . . . or that the valves on an oil pipeline might be opened unexpectedly.”
In making exploration and production more efficient and profitable, technological changes are moving the industry in the right direction. Even so, a strong security foundation must be put in place to continue automating and optimizing. Accelerating security risks make it imperative that companies act proactively rather than reactively to comprehensively protect their processes now and in the future.
Duncan Greatwood is chief executive officer of Xage Security, a Silicon Valley-based firm that specializes in industrial sector cybersecurity. He previously served as an executive at Apple, leading search-technology projects and products. Prior to that, Greatwood was CEO of Topsy, which was acquired by Apple in 2013, and founder and CEO of PostPath, which was acquired by Cisco in 2008. He holds a B.A. in mathematics and an M.S. in computer science from Oxford University, and an MBA from London Business School.