Sectrio

Addressing the key OT/ICS and IoT cybersecurity challenges in the oil and gas industry 

By Prayukth K V
September 16, 2024

Summary


In the oil and gas sector, OT/ICS and IoT security is paramount. Why? What challenges does this industry face, and how can they be addressed? This update covers the key challenges in the oil and gas sector and how to address them.

An industry veteran made an interesting point at a recently concluded cybersecurity conference. According to him, cybersecurity in the oil and gas industry across the upstream, midstream and downstream segments involves a complex interplay of OEM priorities, asset and site complexities, varying plant specificities, and employee awareness levels.

Despite the sector being labeled critical infrastructure in many countries, he said, many sector participants have yet to realize the gravity of the consequences of not deploying adequate cybersecurity levels.

As an industry, the oil and gas sector does face some unique challenges. Beyond everything that is known, certain practices are yet to face security scrutiny. These include reliance on IT-focused cybersecurity tactics that miss Operational Technology/Industrial Control System security altogether.

The lack of an institutionally embedded approach for OT security that informs all aspects of operations is another challenge that merits mention.  

According to Sectrio’s threat research team, oil and gas sector entities lost over 7 TB of data to cyberattacks in the first 5 months of calendar year 2024. These include attacks traced back to APT groups and sophisticated threat actors.

Key security challenges in the oil and gas sector  

  • Lack of asset visibility and lack of depth in security measures  
  • Lack of ICS-focused audits that can determine the presence of specific assets with security issues  
  • SecOps teams are not adequately trained in and informed about OT security practices  
  • Lack of awareness on the TTPs of oil and gas-specific threat actors  
  • Enterprise risk exposure management practices are not adequate 
  • The presence of legacy assets without adequate security levels  
  • A complex network architecture that presents asset and network blind spots, either due to the lack of a planned DMZ or due to converged environments with convoluted security ownership
  • Lack of institutional mechanisms such as a security operations center (SOC) for faster discovery and remediation of threats  
  • Supply chain cybersecurity weaknesses  
  • IEC 62443 Security Level is below the required level  
  • IEC 62443 Maturity Level is below the required level 
  • Reliance on OEMs for cybersecurity  
  • Lack of granular mechanisms for isolating parts of the network that could be impacted  

How can oil and gas sector entities manage their cybersecurity priorities better?

The path to cyber maturity in the oil and gas sector is a journey and needs to pass through the following milestones: 

  • Understanding the threats and risks involved  
  • Auditing the infrastructure for the above  
  • Piecemeal/standalone security efforts often do not add up unless guided by an institutional mechanism with clear guidelines   
  • Addressing the threats, institutionalizing security operations and incident response  
  • Evolving the SecOps mechanisms constantly to keep them ahead of the threats and risks  
  • Bringing vendors and OEMs on board and aligning them with these practices  
  • Developing internal security standards as part of the overall governance risk and compliance policies  
  • Using these standards to develop and deploy security measures along with clearly identified owners for each measure and what it applies to  
  • Tracking the success of the deployment of these measures using the right KPIs 

Where can the oil and gas sector start?

No matter where your oil and gas firm stands in terms of cybersecurity level or maturity, an IEC 62443 and NIST CSF based ICS risk and gap assessment can help you plan your journey. Not only does such an assessment expose gaps, it also outlines residual risks that can be matched against risk tolerance/appetite to ensure risks are well within acceptable limits.

All measures that are recommended after an IEC 62443-based risk assessment should be implemented in letter and spirit to ensure that every security gap is addressed.  

Once the gaps are addressed, a security operations center can be established to ensure the institutionalization and replication of ICS security measures. This will also ensure the propagation of security best practices and prevent the erosion of such knowledge over a period of time.  

Talk to Sectrio to secure your oil and gas infrastructure  

Sectrio is working with leading oil and gas companies to secure their ICS infrastructure. In addition to solutions and SOC for securing ICS infrastructure, we can also conduct cyber risk and gap assessment exercises to identify and address the security gaps as per IEC 62443.  
