Susan Peterson

Lessons Learned About Critical Infrastructure: What's Good Enough?

Over the past decade, oil and gas companies have invested significant resources in security management, but there are sizable challenges ahead in people and processes.

With massive operational and reputational costs on the line, oil and gas operators recognized the need for security programs a decade ago and implemented them. The industry has made great strides, but the complexity of the operating environment still presents sizable challenges to most operators.

Recently, I had dinner with a respected colleague who is a recognized leader in oil and gas security, having worked in the space for more than a decade. I asked him what, if anything, he would have done differently from the beginning.

He said, “First, I would have spent less time on educating the C-Suite and more time with folks on the ground floor. Second, I would have spent more time on secure supply chain, making certain we were purchasing products with security designed in.”

While I expected to hear about specific technologies, his response really resonated with me.

Managing complexity

With an increasing number of connected devices and two very different operating environments, information technology (IT) and operational technology (OT), the energy sector's greatest security challenges and opportunities today stem from people and process.

In the past year, one-third of critical infrastructure operators believed their control system assets or networks had been breached more than twice, and 44 percent were unable to identify the source of infiltration, according to the SANS Institute.

Oil and gas organizations face huge risks associated with industrial control system vulnerabilities. One company calculated that the failure of one of its control system's “human machine interfaces” (HMIs) and the resulting downtime of two days would cost the organization an estimated $12 million in lost production alone, never mind damage to physical assets and risks to human safety. When a floating production storage and offloading operation has 80 HMIs or more from disparate suppliers, the security requirements and risks become even more complex.

Oil and gas leadership and investors understand that their cost of capital and their ability to complete critical projects are conditional on their ability to withstand a security attack and minimize the impact of a breach. Unlike some companies in the highly regulated utilities sector, oil and gas organizations have already invested significant resources in developing industry standards to determine how best to manage security challenges and solutions. Industry executives are now looking for security solutions that provide transparency and compliance, and that support the standards that provide guidance to assure continued profitable growth in this uncertain environment.

A common language and approach

While risk management is a core practice and priority for oil and gas, many companies still struggle to define what is "good enough" when it comes to security practices protecting assets such as gas turbine and compressor controls. These assets have a life span of a decade or longer, require continuous operation, and are therefore more vulnerable than machines that receive regular updates and patching during frequent maintenance shutdowns.

Operators also need full transparency so they can verify that the technology they implement is protecting digital assets effectively, and that it complies with their company’s security policies and industry standards.

In 2015, the International Electrotechnical Commission (IEC), in collaboration with major oil and gas organizations including Shell, BP and Chevron, developed the IEC 62443 security standards for industrial automation and control systems to help the industry better understand best practices surrounding robust security programs. The energy sector needs a pragmatic and efficient way to address security concerns, and IEC 62443 helps define a common language and approach.

These standards will also help reduce the risk of investing too heavily in a single security control, be it network segmentation or monitoring, which may ignore security needs across the entire spectrum of an OT environment. Instead, the IEC standards help organizations evaluate security controls in the context of their operational workflow and maintain them through a holistic security approach and program.

The talent gap

As my colleague noted, one underestimated component of security is training and awareness. While it seems obvious, a focus on people also addresses another challenge the industry is facing: a talent gap. A large portion of the oil and gas workforce is nearing retirement, and security in this industry requires a unique background of both engineering and cyber experience, which is a scarce commodity and highly sought after. As the talent gap widens, these organizations will need to become more aggressive about providing training programs and opportunities for continued education in order to develop the workforce they require and to help non-technical staff understand how their actions affect security.

With long-life assets that require maintenance and real-time patching, oil and gas organizations will also benefit by providing their suppliers with clear guidance on the security controls they expect to see in projects. Efforts to secure their supply chain require oil and gas procurement organizations to clearly distinguish OT security needs from IT security needs to ensure both environments are able to withstand cyberthreats.

The oil and gas industry faces a 20-year technical debt that can't be recovered overnight. But continued collaboration within the energy industry on how to address the talent gap and secure the supply chain could go a long way toward accelerating the next phase of the industry's security journey.

Susan is the Product Security Leader of GE Oil + Gas. In this role, she is responsible for driving a comprehensive product security program for the business, together with stakeholders in engineering, supply chain, services, sales and product line management. Susan joined Oil ...