The era of connectivity has exposed legacy oil and gas infrastructure to possible cyberattacks, but not all equipment carries equivalent risks.
Cybersecurity in operational technology (OT) can be low priority for owners of older equipment, particularly if they are working in low-margin sectors of the industry, Blake Benson, senior director of cybersecurity at ABS Consulting, told Hart Energy.
As older equipment is increasingly connected to or at least touching the internet, companies have to find ways to protect what’s critical and cybersecurity experts need to communicate to management the potential fallout in the event of an attack.
That means adding more scrutiny to vulnerabilities even as E&Ps prioritize worker safety.
“Legacy equipment is all equipment, for the most part, in the OT space,” he said.
Owners of companies in critical infrastructure sectors typically spend more on maintaining than upgrading equipment, he said.
“Safety is a bigger part of their budget. They're almost always more concerned about operational risk and ensuring someone doesn't die than upgrading equipment,” Benson said.
Federal agencies often put out security directives and threat advisories that can’t be implemented for myriad reasons, including lack of support by the original equipment manufacturer (OEM) and IT-based recommendations such as patching.
Putting those suggestions into place typically “break the systems,” he said.
“That presents a whole new dynamic that's not only unique to OT, but can be unique to that specific environment or that specific critical infrastructure sector at large. And that's a really important distinction to make,” he said.
Assessing risk
When considering cybersecurity among other needs, OT managers need to assess what is most critical to operations, he said.
“What do I need to care about, and how do I invest in the things that are most critical, or most important to the availability and safety of this operation as a whole” are the questions OT managers should keep in mind, Benson said.
Protecting infrastructure means first identifying critical assets and determining which ones have cyber dependencies, he said.
That cyber terrain and those systems “are the ones that you should probably start to invest in. When you talk about integrating controls, those are the ones you want to harden. Those are the systems you want to ensure are more protected. That's the architecture you want to focus on,” he said.
One reason: it’s not possible to upgrade everything.
“It's a fool's errand. A lot of it can't be upgraded. The OEMs don't even make it to where it can be upgraded. It's impossible,” Benson said.
Historically, when the National Institute of Standards and Technology (NIST) or other groups create guidance and recommendations, an inability to patch software commonly causes stumbling blocks, he said.
“It falls on deaf ears because the plant managers and the people responsible for maintaining this equipment know that the last time this thing had an update was in 1998,” he said.
Benson said it’s important to approach cybersecurity for OT systems differently than for IT. For instance, he said, a typical IT approach recommends active scanning of networks.
“But these systems weren't designed to even ingest that type of info on that network,” he said.
Deploying an IT scanning tool into the OT environment is like “setting a 10-pound, large-mouth bass loose on the network. You wouldn’t put a 10-pound bass in a 20-gallon aquarium, just like you shouldn’t use IT tools in an OT environment” that typically deals with something more the size and speed of minnows, he said.
“This ecosystem wasn't built for this bass. You're going to run into everything. You're going to break everything… It doesn't work.”
What does work, he said, is hardening critical parts of the OT network and isolating that equipment from the internet as much as possible.
“Ultimately, that's the name of the game,” Benson said. “Instead of defending the ocean, you really want to identify these little ponds of criticality. And then you want to segment those as far away from the internet as possible and from each other to prevent lateral movement while still being able to maintain visibility and management over that network.”
Translating risk to dollars
One of the biggest barriers to achieving cybersecurity is budgets, he said.
“Cybersecurity experts don't know how to effectively communicate risk,” he said, and they tend to hyperfocus “on their slice of the pie.”
The most effective path forward is for cybersecurity experts to communicate risk by explaining how much revenue is at stake, he said.
“How much revenue would an outage cause in this facility? What is our liability if we got ransomware and an insurer held us liable for that?” Benson said. “What causes us the biggest headache if this goes down?”
Not all risks are created equal. In the past, for example, well inspections required someone to physically drive to well sites. With the advent of the Internet of Things, sensors can transmit info to the office, which means fewer trips to the well sites.
But that also introduces risk.
With those sensors, “you're introducing connectivity into an environment that was never engineered to be connected. When you do that, you intentionally or unintentionally, are exposing these assets to the larger threat landscape of the internet,” he said.
He said it’s important to contextualize that risk back to operations.
“At the end of the day, it may not be a big deal if that system were to be compromised,” he said. “What are the worst case scenarios?”
For a wellhead, it might be an incorrect payment, or it might be a spill because the sensor said it was empty when it was actually full.
“Contextualizing the cyber risk back to operations … is something people really don't know how to do very well and is really, really hard. That process requires a lot of subjective experience in the field, requires a lot of knowledge of operations people need to be doing. People need to be doing that better,” Benson said.
Recommended Reading
Marketed: EnCore Permian Holdings 17 Asset Packages
2024-03-05 - EnCore Permian Holdings LP has retained EnergyNet for the sale of 17 asset packages available on EnergyNet's platform.
Elk Range Royalties Makes Entry in Appalachia with Three-state Deal
2024-03-28 - NGP-backed Elk Range Royalties signed its first deal for mineral and royalty interests in Appalachia, including locations in Pennsylvania, Ohio and West Virginia.
Marketed: Foundation Energy 162 Well Package in Permian Basin
2024-04-12 - Foundation Energy Fund V-A has retained EnergyNet for the sale of a 162 Permian Basin opportunity well package in Eddy and Lea counties, New Mexico and Howard County, Texas.
Exxon Shale Exec Details Plans for Pioneer’s Acreage, 4-mile Laterals
2024-05-03 - Exxon Mobil plans to drill longer, more capital efficient wells in the Midland Basin after a major boost from the $60 billion Pioneer Natural Resources acquisition. Data shows that Exxon is a leading operator drilling 4-mile laterals in the Permian’s Delaware Basin.
Marketed: Navigation Powder River Eight Leasehold Lots in Wyoming
2024-04-09 - Navigation Powder River has retained EnergyNet for the sale of eight non-producing federal leasehold lots in Converse and Campbell counties, Wyoming.