Oil and gas companies need to focus on prevention, detection and resiliency
Cyberattacks currently cost businesses as much as $400 billion a year globally with experts predicting the costs could reach $90 trillion by 2030 (Cybersecurity Market Report, 2015). Malicious cyberattacks are on the rise and the Internet of Things (IoT) revolution is only adding to the concerns of security threats. In fact, research has shown IT leaders are even delaying implementing IoT initiatives due to security concerns of “increased exposure of data” and “information security” (IT Pro, 2016). This is understandable considering documented evidence of sophisticated attacks launched by governments, corporations and individuals.
At a national level, governments with near-limitless resources have retrieved sensitive data through unauthorized network access. In the case of Petrobras, for example, the United States National Security Agency has been accused of using malware and covert implants to access data from Petrobras' private network. While the US government acknowledges it conducts surveillance in the interest of national security, it denies the information gathered on Petrobras was illegal espionage.
In addition to gathering data on unsuspecting targets, cyberattacks have also been conducted with the intention of causing harm or destruction. Sony Pictures was the victim of such an attack in late 2014 when hackers accessed its computer systems, stole confidential documents and then leaked the information to the public. While some believe the attacks came from the North Korean government, most researchers believe it was the work of a professional hacking group with assistance from a disgruntled insider.
Finally, there are the untargeted attacks, or what some call “Internet background noise.” These types of cybersecurity threats come from hackers who care more about the challenge of hacking into a system than what is actually on the system. These attacks can usually be stopped by standard security practices or off-the-shelf tools.
Oil and gas companies have always been serious about security, mainly because their facilities are a critical part of a society’s infrastructure and the potential for catastrophic damage is very real. For example, consider the devastating impact a compromised refinery in northern California could have on the surrounding areas. For this reason, most oil and gas companies previously have used physically wired, proprietary technology systems without Internet access, but this is changing due to the compelling benefits of IoT. Yet, unique aspects of the industry continue to pose ongoing security challenges, such as the safety of pipelines in remote or unstable areas.
The Vision – A Secure End-to-End Solution
Ultimately, oil and gas companies need a secure end-to-end solution where data from the edge is captured and securely transmitted to a high-speed technology platform. From there, the data is inspected, stored and used for analytical or predictive modeling to determine appropriate next-step actions. Therefore, the main security goal must be to prevent the corruption of data throughout the cybersecurity framework, and to treat communications from the edge of the network as “hostile until proven otherwise.” The security solutions must reject anything deemed untrustworthy and immediately notify the appropriate people.
The Challenge – Protect the Edge
Of course, creating a secure network that can help decision makers transform data into action is easier said than done. First, the industry must work together to protect the edge of the network. Machines that communicate with other machines often have been designed by manufacturers who are not familiar with existing and long-established security best practices. For this reason, mistakes are being made in software development that open up opportunities for security breaches. In addition to protecting the machines, companies should also implement enhanced physical security measures such as prohibiting personal devices from entering secure buildings or requiring security identification badges. Interestingly, the vast majority of cybersecurity attacks are facilitated either willingly or unwillingly by someone inside an organization.
The Solution – Cooperation and Communication
As with most complex situations, there is not a single comprehensive solution to protect data and networks from cyberattacks. Cybersecurity is an ongoing and evolving challenge with solutions varying depending on the individual situation. However, exposure to threats can be greatly diminished through partnerships and technology. On the communication side, having a process for reporting vulnerabilities or publishing security findings, whether there is a fix or not, could help develop solutions more quickly.
On the technology side, the security advancements needed for a more secure network can be broken down into three layers:
- Security Prevention – Technologies used to prevent cyberattacks from accessing data on the end devices.
- Security Detection – Technologies for identifying, containing and mitigating attacks on data centers, platforms or applications, including scanning ERP systems and threat modeling exercises.
- Security Resiliency – Technologies that help prevent hijacked edge devices from corrupting data and passing it along to the infrastructure.
Security-related technologies often use sophisticated modern-day PKI cryptography, which provides both encryption and client or server identity certification, to ensure the edge device and the endpoint for any device communication are indeed communicating with the right host. This information is then supplemented by intrusion prevention and detection software, network access controls (ideally operating on device behavior, which in many cases can be reasonably and confidently predicted in a machine-to-machine/IoT scenario), and other standard security infrastructure – including over-the-air firmware updates for any patching of the edge devices.
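As an added illustration (not SAP's code or part of the original article), the Python sketch below shows an ingest gateway that treats edge messages as “hostile until proven otherwise”: it authenticates each message, then checks it against the device's predictable behavior, and rejects and notifies on any failure. It assumes a hypothetical device `pump-07`, constructed ranges and messages, and uses an HMAC with a per-device key as a standard-library stand-in for the certificate-based identity a PKI deployment would provide.

```python
import hashlib
import hmac
import json

# Constructed registry: per-device key, expected fields with plausible ranges, report cadence.
DEVICES = {"pump-07": {"key": b"constructed-demo-key", "min_interval_s": 10,
                       "ranges": {"pressure_kpa": (0.0, 2500.0), "temp_c": (-40.0, 120.0)}}}

def sign(key, body):  # HMAC-SHA256 stands in for a certificate-backed signature
    return hmac.new(key, body, hashlib.sha256).digest()

class EdgeGateway:
    def __init__(self, devices, notify):
        self.devices, self.notify, self.last_ts = devices, notify, {}

    def _reject(self, device_id, reason):
        self.notify(device_id, reason)  # every rejection is reported
        return False, reason

    def accept(self, device_id, body, tag):
        profile = self.devices.get(device_id)
        # 1. Identity: authenticate the raw bytes before parsing them.
        if profile is None or not hmac.compare_digest(sign(profile["key"], body), tag):
            return self._reject(device_id, "authentication failed")
        try:
            msg = json.loads(body)
            ts, readings = msg["ts"], list(msg["readings"].items())
        except (ValueError, KeyError, TypeError, AttributeError):
            return self._reject(device_id, "malformed message")
        # 2. Behaviour: timestamps must advance at the device's known cadence.
        last = self.last_ts.get(device_id)
        if type(ts) is not int or (last is not None and ts - last < profile["min_interval_s"]):
            return self._reject(device_id, "replayed or too frequent")
        # 3. Behaviour: only expected fields with physically plausible values.
        for name, value in readings:
            lo, hi = profile["ranges"].get(name, (1, 0))  # unknown field: empty range
            if type(value) not in (int, float) or not lo <= value <= hi:
                return self._reject(device_id, f"out-of-profile reading: {name}")
        self.last_ts[device_id] = ts
        return True, "accepted"

def demo():  # four constructed messages; returns the verdicts and the alerts raised
    alerts, key = [], DEVICES["pump-07"]["key"]
    gw = EdgeGateway(DEVICES, lambda dev, why: alerts.append((dev, why)))
    def send(obj, tag=None):
        body = json.dumps(obj).encode()
        return gw.accept("pump-07", body, tag or sign(key, body))
    good = {"ts": 1000, "readings": {"pressure_kpa": 1200.5, "temp_c": 61}}
    hijacked = {"ts": 1020, "readings": {"pressure_kpa": 9e9}}  # valid key, implausible data
    return [send(good), send(good), send(good, b"\0" * 32), send(hijacked)], alerts
```

The last constructed message is the resiliency case: it carries a valid tag, as a hijacked device's traffic would, and is still stopped because its reading falls outside the device's profile.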
SAP is paving the path to security for companies worldwide. In 2011, SAP appointed Gerold Huebner as Chief Product Security Officer to ensure a strong focus on security. Since then, the company has worked closely with leaders in the oil and gas industry to jointly develop and enhance its Enterprise Threat Detection (ETD) software, helping to secure the execution of the most critical oil and gas technology processes. At the beginning of 2016, SAP also appointed Justin Somaini as SAP’s chief security officer (CSO), emphasizing how important security is for SAP in this era of cloud computing and IoT. SAP also has worked with information security researchers to identify vulnerabilities and deployed mechanisms that keep data secure while in transit and at rest. This includes implementing appropriate access controls based on the level of sensitivity, the use case, environment, device infrastructure and industry involved, as well as partnering with best-of-breed infrastructure partners. Additionally, SAP is proactively developing IoT best practices and working on a risk model for evaluating cybersecurity risks for specific customers.
As cyberattacks continue to increase, understanding and managing the risks has become increasingly important. Oil and gas companies must continue to take proactive measures to reduce vulnerabilities and protect data at all points. Adopting innovative technologies and collaborating closely with partners will help create more resilient and proactive security capabilities.