Let us consider a scenario: one night, an executive responsible for operations at a remote downstream oil and gas refinery gets a call from one of their subordinates saying things started acting up ever since they plugged in a USB drive they brought from home. Multiple processes have become unstable and commands sent to equipment are not executed as requested.
Panicking, they say there has been a cyber attack on the supervisory control and data acquisition (SCADA) system. Valves, pumps, and compressors connected to the system are going haywire, and the organisation’s legacy systems were not equipped to prevent whatever new malware snuck into the system. Production comes to a halt for two days. The company accrues millions of dollars’ worth of downtime costs. The executive starts to wonder if Xenotime, the hacking group behind the Triton attack against oil and gas facilities in the Middle East in 2017, is responsible. Dymalloy, Electrum, and Hexane are also possibilities, among many others.
This is not a far-fetched scenario. It is real and can happen at any time, with no warning.
A secure industrial environment enables a robust, sustainable economy. However, the merging of operational technology (OT) and information technology (IT) systems to achieve the promises of digitising business processes has amplified a recent breed of trouble: zero-day cyber attacks on industrial assets. As a result, there is a dire need for better digital security to enhance asset protection in the downstream oil and gas sector.
Increased connectivity, increased risks
The 2020 State of Operational Technology and Cybersecurity Report from Fortinet found that nine out of ten organisations experienced at least one OT system intrusion in the past year and that 65% had three or more intrusions. Spanning factory plants, energy production platforms, and utilities, among others, this is concerning in terms of maintaining high productivity and quality standards.
Of particular concern in the industrial space is how oil and gas companies are faring against cyber threats. As the engine of the world economy, the industry depends on asset uptime and reliability to meet increasing demand. According to The State of Cybersecurity in the Oil & Gas Industry study from the Ponemon Institute, oil and gas companies benefit from digitalisation. Still, it has significantly increased cyber risks, according to 66% of respondents. Further, only 35% of respondents rated their organisation’s OT cyber readiness as high, with most describing their organisation as having low to medium cybersecurity readiness.
Pervasive connectivity unfortunately introduces more avenues for attacks, as well as the increased potential severity of an attack. And oil and gas companies are increasingly going remote. In July 2020, the US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning that foreign adversaries could be targeting critical infrastructure across the US, including oil and gas refineries.
Exacerbating the problem is the traditional perimeter-based cybersecurity model with an air gap that creates a physical barrier to the outside world. Now that companies are marrying OT and IT networks to take full advantage of their data, companies need to adapt to protect their assets and thrive in a ‘perimeter-less world.’ And while digital transformations have made the traditional perimeter-based cybersecurity model obsolete, McKinsey reports that most of today’s OT networks consist of legacy equipment that was initially designed for perimeter-based systems. This translates to a lack of layered protection should there be an attack originating within the OT network.
Even a completely air-gapped system is still vulnerable to attacks from USB devices and wireless access points. Think back to the example at the beginning of this article, where the employee unwittingly plugged an outside USB stick they brought from home into their refinery’s network. No matter how strong the perimeter, its firewall was defenseless against the threat hiding in a small, seemingly unassuming flash drive.
Air gap configuration does provide a level of security and is better than nothing, but it should not be a refinery’s only defense against cyber attacks. There’s a concept in cybersecurity called ‘Defense in Depth,’ in which a series of security mechanisms are layered throughout the network with backup defense mechanisms so that if one fails, another will already be in place to thwart an oncoming attack. To put it simply, traditional perimeter-based cybersecurity systems do not adhere to ‘Defense in Depth.’
Further, many protective strategies depend on signature-based defenses, which rely on frequent patching and making updates to the list of known threat signatures. The keyword here is ‘known.’ According to Verizon’s Data Breach Investigations Report, 99% of malware is only seen once before hackers modify it, rendering signature-based defenses ineffective. In other words, signature-based protection is reactive in nature, meaning downstream oil and gas companies need to take a more proactive approach to protect their most critical OT assets.
The AI and machine learning approach to cybersecurity
In response to this challenge, artificial intelligence (AI) and machine learning play an increasing role in cybersecurity, especially to protect OT environments. These emerging technologies allow downstream oil and gas companies to take a more proactive approach to prevent threats, whether known or unknown, in real time.
As the industry second-most prone to cyber attacks, oil and gas stands to gain a wide range of benefits led by four core features of AI-powered cybersecurity solutions:
- Zero-day resilience.
- No regular updates required.
- Machine learning models specifically trained to the environment.
- Independent of threat intelligence.
Zero-day resilience
The digitalisation of OT assets in the oil and gas industry introduces a wealth of new vulnerabilities, including zero-day and never-before-seen industrial attacks. Ponemon Institute’s 2020 State of Endpoint Security Risk Report found that 68% of security professionals say their company experienced one or more endpoint attacks. From the same report, of those endpoint attacks that were successful, 80% were zero-day attacks. This is a troubling figure for oil and gas companies hoping traditional cybersecurity measures can effectively protect their refinery from zero-day exploits.
Some modern AI-powered solutions use behavioural analysis to continuously monitor and detect zero-day threats without relying on threat databases. This enables security professionals at refineries and drilling sites to prevent or mitigate novel attacks still unknown to industry or law enforcement professionals, all while reducing asset security costs.
No regular updates required
Among its many benefits, AI can identify patterns in massive amounts of data flowing through both IT and OT environments. It can use predictive analytics to detect irregularities and make threat classifications much more rapidly than humans can.
In traditional cybersecurity practices, the first line of defense requires a timely patch that recognises newer, more formidable threats. It is never just one patch, either; frequent patch updates are necessary to keep up, and even then, some malicious code can slip through the cracks. Algorithms that learn from the data over time using predictive analytics eliminate the need for making regular updates.
More importantly, an AI-powered cybersecurity platform, such as SparkCognition’s DeepArmor® Industrial solution, can be installed on a Monday, receive no updates all week, and remain an effective defense on Friday.
Let us return once again to the refinery employee who plugged an outside USB stick into their company’s computer system, unwittingly spreading malware to the refinery’s SCADA system. If they introduced this entirely new threat on a Tuesday, the refinery’s OT assets would still be secured without any patches or updates necessary.
Models specifically trained to the environment
Evolving site operations call for machine learning algorithms that evolve over time. Whereas signature-based defenses offer general protection without a tailored approach, AI-powered cybersecurity protection offers robust machine learning models that can be tailored specifically to a refinery’s OT environment. These machine learning models train on both clean and malware data samples to continuously learn how to distinguish between normal and malicious activity.
Continuous learning ties directly into not having to make regular updates, as AI-powered cybersecurity defenses remain effective from the moment they’re installed in the OT environment — even on isolated systems.
Threat intelligence independence
Threat intelligence enables refinery professionals to make faster, data-driven decisions in the fight against OT cyber threats. However, the widening threat intelligence gap allows cyber criminals to attack a refinery’s blind spots when relying on signature-based defenses. AI and machine learning-based cybersecurity defenses work independently of threat intelligence to continuously protect a refinery’s OT environments from mega-attacks, insider threats, and physical-digital attacks. With AI and machine learning spinning through the data and continuously learning, oil and gas companies will be able to make even faster and more informed decisions.
The AI-powered cybersecurity market is expected to reach $46.3 billion by 2027. As industrial companies continue to merge OT and IT environments, more comprehensive cybersecurity solutions and strategies will be required to ward off advanced criminal groups and rival nation-states from attacking. Similarly, as attacks on the oil and gas industry continue to grow in frequency and sophistication, energy executives, refinery security teams, and industrial professionals need to address their OT systems’ vulnerabilities by adopting emerging technologies.
While AI and machine learning technologies are fundamental to our future, AI-based solutions are already available to protect IT and OT networks from cyber attacks. Downstream oil and gas companies can take advantage of modern solutions today to meet their core business needs, most of which revolve around critical OT assets functioning properly. Whether it is an old threat that has made the rounds or a novel threat that the industry has yet to discover, a spark of artificial intelligence will help build a robust digital layer of protection that keeps downstream oil and gas companies up and running.
Written by Sridhar Sudarsan, SparkCognition, USA.
Read the article online at: https://www.hydrocarbonengineering.com/special-reports/07122020/the-value-of-a-good-defence/