Lessons Learned About Critical Infrastructure: What’s Good Enough?
Over the past decade, oil and gas companies have invested significant resources in security management, but there are sizable challenges ahead in people and processes.
With massive operational and reputational costs on the line, oil and gas operators recognized the need for, and implemented, security programs a decade ago. The industry has made great strides, but the operating environment's complexity still presents sizable challenges to most operators.
Recently, I had dinner with a respected colleague who is a recognized leader in oil and gas security, having worked in the space for more than a decade. I asked him what, if anything, he would have done differently from the beginning.
He said, “First, I would have spent less time on educating the C-Suite and more time with folks on the ground floor. Second, I would have spent more time on secure supply chain, making certain we were purchasing products with security designed in.”
While I expected to hear about specific technologies, his response really resonated with me.
Managing complexity
With an increasing number of connected devices and two very different operating environments – information technology (IT) and operational technology (OT) – the energy sector's greatest security challenges and opportunities today stem from people and process.
In the past year, one-third of critical infrastructure operators believed their control system assets or networks had been breached more than twice, and 44 percent were unable to identify the source of the infiltration, according to the SANS Institute.
Oil and gas organizations face huge risks associated with industrial control system vulnerabilities. One company calculated that the failure of one of its control system's “human machine interfaces” (HMIs) and the resulting downtime of two days would cost the organization an estimated $12 million in lost production alone, never mind damage to physical assets and risks to human safety. When a floating production storage and offloading operation has 80 HMIs or more from disparate suppliers, the security requirements and risks become even more complex.
Oil and gas leadership and investors understand that their cost of capital, and their ability to complete critical projects, is conditional on their ability to withstand a security attack and minimize the impact of a breach. Unlike some companies in the highly regulated utilities sector, oil and gas organizations have already invested significant resources in developing industry standards to determine how best to manage security challenges and solutions. Industry executives are now looking for security solutions that provide transparency and compliance, and that support the standards that guide continued profitable growth in this uncertain environment.
A common language and approach
While risk management is a core practice and priority for oil and gas, many companies still struggle to define what is good enough when it comes to security practices protecting assets such as gas turbine and compressor controls that have a life span of a decade or longer, require continuous operation, and are more vulnerable than other machines that receive regular updates and patching during frequent maintenance shutdowns.
Operators also need full transparency so they can verify that the technology they implement is protecting digital assets effectively, and that it complies with their company’s security policies and industry standards.
In 2015, the International Electrotechnical Commission (IEC), in collaboration with major oil and gas organizations including Shell, BP and Chevron, developed the IEC 62443 security standards for industrial automation and control systems to help the industry better understand the best practices surrounding robust security programs. The energy sector needs a pragmatic and efficient way to address security concerns, and IEC 62443 helps define a common language and approach.
These standards will also help reduce the risk of investing too heavily in a single security control, be it network segmentation or monitoring, which may ignore security needs across the entire spectrum of an OT environment. Instead, the IEC standards help organizations evaluate security controls in the context of their operational workflow and maintain them through a holistic security approach and program.
The talent gap
As my colleague noted, one underestimated component of security is training and awareness. While it seems obvious, a focus on people also addresses another challenge the industry is facing: a talent gap. A large portion of the oil and gas workforce is nearing retirement, and security in this industry requires a unique background of both engineering and cyber experience, which is a scarce commodity and highly sought after. As the talent gap widens, these organizations will need to become more aggressive about providing training programs and opportunities for continued education in order to develop the workforce they require and to help non-technical staff understand how their actions affect security.
With long-life assets that require maintenance and real-time patching, oil and gas organizations will also benefit from providing their suppliers with clear guidance on the security controls they expect to see in projects. Efforts to secure the supply chain require oil and gas procurement organizations to clearly distinguish OT security needs from IT security needs, so that both environments are able to withstand cyberthreats.
The oil and gas industry faces 20 years of technical debt that can't be recovered overnight. But continued collaboration within the energy industry on how to address the talent gap and secure the supply chain could go a long way toward accelerating the next phase of the industry's security journey.