In just one year—2022-2023—ransomware attacks on operational technology (OT) in the United States increased by 50 percent, according to cyber security experts at Dragos, in their 2023 Year in Review. And cyber security firm Palo Alto Networks reported that 70 percent of industrial firms suffered a cyber attack in 2023 (The State of OT Security 2024). The oil industry and industry in general, including critical infrastructure like power grids, pipelines, and communication, among others, are key targets for both foreign disrupters and cyber criminals simply seeking a payoff.
It’s obvious that simply using your birthdate as a passcode is no longer an option, say the experts quoted here: John Cusimano (CFSE, CISSP, GICSP), Vice President OT Cybersecurity for Armexa in Houston; Yair Attar, CTO and Co-Founder at Tel Aviv-based OTORIO; and Alexander Garcia-Tobar, CEO and founder of Valimail.
Pipelines Get Smarter
All aspects of oil and gas involve locations scattered across miles of county, state, and international borders, leaving tens of thousands of possible cyber crime entry points. But pipelines in particular are designed to reach across the miles carrying crude oil, natural gas, natural gas liquids, and refined products, among others. They are among the biggest targets because of that distance and because of the amount of critical product they carry.
“All pipelines have to have communications along the lengths of the pipeline,” Cusimano said, “and they do that in a number of different ways.” Fiber optic cable is one, but wireless options like satellite and cellular networks both public and proprietary are growing by miles every day, even for individual firms.
“Most companies use multiple types of media for redundancy purposes,” he said. In the field those communications connect with valves, terminals, pumps, or other [hardware] through various types of electronic interfaces. Because of that spread in miles, devices, and communication media, there are a lot of potential vulnerabilities that all must be addressed to keep data and operations safe.
Most of the danger, Cusimano said, resides on the field side because the corporate end has plenty of locks, access permissions, alarms, and cameras. The first line of field defense is to add as many of those office-type safeguards as possible in the field as well. His phrase was “Guards, gates, and guns,” of which only “gates” would be very practical for a location 40 miles outside of Pecos, Texas. Because the word “gates” really means any kind of physical restraint, Cusimano mentioned fences, locks, and alarms on doors and cabinets, security cameras, and other sensors transmitting to an alarm or home office.
The next layer of defense involves end-to-end encryption of the OT communications, “from the control centers all the way out to the field devices, so if somebody does intercept [a sensitive communication] it will be encrypted, and they won’t be able to make sense of the data.” Multi-factor authentication is also on the list.
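To make the end-to-end protection described above concrete, here is an added example (not code from Cusimano, Armexa, or this article) of how a control center can seal a command frame so that a field device accepts it only if it is unmodified, addressed to that device, and not a replay of an earlier frame. It uses only the Python standard library: a keystream derived with HMAC-SHA256 in counter mode for confidentiality, and a separate HMAC tag for integrity, with a per-device sequence number that doubles as the nonce. The device ID `PMP7`, the 32-byte demo key, and the command string are constructed for illustration; a real deployment would use a vetted AEAD such as AES-GCM from a maintained library and provision per-device keys in hardware.

```python
"""Authenticated encryption of a control-center -> field-device command frame.

Frame layout: header (device id + sequence number) || ciphertext || HMAC tag.
Illustration only: production OT links should use a vetted AEAD (e.g. AES-GCM).
"""
import hashlib
import hmac
import struct

HEADER_FMT = ">4sQ"                        # 4-byte device id + 64-bit sequence number
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes
TAG_LEN = 32                               # HMAC-SHA256 output


class FrameError(Exception):
    """Raised when a frame fails authentication, addressing, or replay checks."""


def derive_keys(master_key: bytes):
    """Split one shared master key into independent encryption and MAC keys."""
    enc_key = hmac.new(master_key, b"telemetry-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"telemetry-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, header: bytes, length: int) -> bytes:
    """PRF in counter mode; the header (device id + seq) is the per-frame nonce."""
    blocks, total, counter = [], 0, 0
    while total < length:
        block = hmac.new(enc_key, header + struct.pack(">I", counter), hashlib.sha256).digest()
        blocks.append(block)
        total += len(block)
        counter += 1
    return b"".join(blocks)[:length]


def seal_frame(master_key: bytes, device_id: bytes, seq: int, payload: bytes) -> bytes:
    """Control-center side: encrypt the payload and authenticate header + ciphertext."""
    enc_key, mac_key = derive_keys(master_key)
    header = struct.pack(HEADER_FMT, device_id, seq)
    ciphertext = bytes(p ^ k for p, k in zip(payload, _keystream(enc_key, header, len(payload))))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class FieldDevice:
    """Field side: verifies, de-duplicates, and decrypts incoming frames."""

    def __init__(self, master_key: bytes, device_id: bytes):
        self.enc_key, self.mac_key = derive_keys(master_key)
        self.device_id = device_id
        self.last_seq = 0  # highest sequence number accepted so far

    def open_frame(self, frame: bytes) -> bytes:
        if len(frame) < HEADER_LEN + TAG_LEN:
            raise FrameError("truncated frame")
        header, ciphertext, tag = frame[:HEADER_LEN], frame[HEADER_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        # Constant-time comparison; any bit flip in header or ciphertext fails here.
        if not hmac.compare_digest(tag, expected):
            raise FrameError("authentication failed (tampered or wrong key)")
        device_id, seq = struct.unpack(HEADER_FMT, header)
        if device_id != self.device_id:
            raise FrameError("frame addressed to another device")
        if seq <= self.last_seq:
            raise FrameError("replayed or out-of-order frame")
        self.last_seq = seq
        return bytes(c ^ k for c, k in zip(ciphertext, _keystream(self.enc_key, header, len(ciphertext))))


def demo() -> dict:
    """Round trip plus the two failure modes a defender cares about."""
    master_key = bytes(range(32))        # constructed demo key, NOT for real use
    device = FieldDevice(master_key, b"PMP7")
    command = b"SET_VALVE_17 CLOSED"     # constructed sample command
    frame = seal_frame(master_key, b"PMP7", 1, command)

    results = {"plaintext_visible_on_wire": command in frame}
    results["decrypted"] = device.open_frame(frame)

    tampered = bytearray(frame)
    tampered[HEADER_LEN] ^= 0x01         # flip one ciphertext bit in transit
    try:
        device.open_frame(bytes(tampered))
        results["tamper_rejected"] = False
    except FrameError:
        results["tamper_rejected"] = True

    try:
        device.open_frame(frame)         # resend the original, already-accepted frame
        results["replay_rejected"] = False
    except FrameError:
        results["replay_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The sequence number does double duty: it is the nonce that keeps the keystream unique per frame, and it lets the device reject a captured frame that is simply resent later, which plain encryption alone would not catch.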
What Are They After?
Quoting the Dragos and Palo Alto stats above, Cusimano said attacks are more persistent and dangerous. For ransomware in particular, “It’s a ripe market [because] industrial firms are willing to spend money to get their operations back,” as opposed to the ugly alternative of dropping $1 million per day in lost production.
As for phishing and disruption, that’s on the rise as well, particularly involving actors in Russia and China. But Cusimano sees little purpose in tracking exactly who or where those threats are coming from. “We’re playing defense,” he said, while noting that what matters is knowing their tactics and techniques, maybe a fingerprint, “so you can tune your detection systems to look for the types” of intrusions that aim to embed themselves deeply and prepare quietly for a future disruption. Exactly who’s sending the threat is of less importance than simply stopping it, in his estimation.
Regulatory Help
Many large corporations are almost as worried about public disclosure of a hack as they are about an actual breach. The bad PR could damage business and investor confidence. But, Cusimano said, regulators like the Securities and Exchange Commission (SEC) are starting to require disclosure, at least for certain companies. The Transportation Security Administration (TSA), which regulates pipeline security, issued its Pipeline Security Directives in 2021, shortly after the infamous Colonial Pipeline ransomware shutdown. The PSDs apply to about 100 of the largest midstream operators, Cusimano said. There are other reporting requirements as well, including the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. It requires critical infrastructure operators, public and private, to report cyber incidents within 24-48 hours, he noted.
Swimming Upstream: Energy’s Critical Nature Makes Producers a Big Target
Upstream operations are also widely spread, and Yair Attar echoes Cusimano’s warning about the need for segmentation of systems, both remote and at the base location. “For remote sites, given their vulnerability due to isolation and infrequent supervision, implementing a defense-in-depth strategy is critical. This involves rigorous network segmentation to ensure that any compromise at one site is contained, preventing its spread and minimizing overall network exposure,” he said in an email interview.
Continuous monitoring is also key at central locations, along with prioritizing “areas with the highest risk and potential impact.” What matters is weighing how exposed a system is against how severe the consequences of a compromise would be. Attar explained, “This ensures that resources are allocated based on the relative risk and criticality of each site.”
As international tensions continue to rise, state-sponsored cyber actors become busier, smarter, and more sophisticated, making “detection and mitigation increasingly challenging,” Attar noted. But he pointed out that there are still too many doors left wide open due to poor password practices and unpatched systems, which means attackers often have no need for more advanced technology.
Environmental groups have so far focused their activity on physical threats, but, “Motivated by the desire to draw attention to their causes, these groups could potentially hack into systems to halt operations or even cause physical damage. Although their traditional focus has been on physical, financial, and reputational impacts, the extension into cyber threats could represent a significant and emerging risk to the industry,” Attar warned.
Ironically, he added, green radicals could hack the very systems operators employ to help their ESG scores. “As companies invest in new technologies to reduce their environmental impact, these systems themselves become new targets for cyber attacks,” he said.
Geopolitics and Disruption
Cyber terrorism specifically targets industries whose disruption would cause the most widespread harm, Attar explained. State-sponsored and independent cyber attacks activated by political tensions “frequently target both public and private sector critical infrastructure to disrupt operations, exfiltrate sensitive data, or induce chaos within supply chains.” The oil industry, “…due to its critical role in the global economy, has become a prime target for such activities.”
Fighting Back
As noted above, closing obvious loopholes would be a start, but Attar added that cybersecurity is evolving “from a reactive to a proactive stance. This proactive approach is critical as it enhances the chances of thwarting cyber attacks before they can cause harm. Investing in advanced industrial cybersecurity technologies, which provide comprehensive visibility of all assets and a precise assessment of exposures, is becoming increasingly crucial.”
Artificial intelligence (AI) and machine learning (ML) are becoming a weapon as well—but equally so for both sides, due to their abilities to analyze massive amounts of information in a short time. On defense, they look for abnormal patterns, but hackers also use them to analyze cyber defense systems for the tiniest exploitable weaknesses.
Election Year and Emails Up the Ante
As stated above, the single biggest threat to a company’s security revolves around employees opening, or worse, responding to, phishing emails. The year 2024 will be an especially dangerous year for these kinds of threats, says an email security expert.
This year, elections are happening around the world, with somewhere around half the planet’s population involved. Because those kinds of decisions influence policy for anywhere from two to six years or more in the future, state actor threats are heightened during those times, warns Alexander Garcia-Tobar, CEO and founder of Valimail, a California-based email security firm.
“2024 brings a national election,” he said, “which will bring a heightened risk of targeted information attacks, especially given explicit warnings from foreign state actors about their intentions to disrupt or influence the electoral process through information warfare. With email and social networks as primary attack vectors, there will be an increased need to know the authenticity of the sender/originator of the communication.”
The combination of a rise in artificial intelligence and global turmoil in places like Ukraine, Gaza, and elsewhere is creating international threats beyond the election sphere. From notable celebrities like Scarlett Johansson having AI copy their voices for video games to false narratives about international events, AI will be working overtime this year, Garcia-Tobar believes.
“In 2024, there will be an acceleration in disinformation, exacerbated by ongoing global conflicts and the growing availability of AI tools that will create and/or spread false narratives more rapidly and convincingly. This trend will be viewed against a backdrop of declining public trust in institutions, a phenomenon intensified by the U.S. election year. With email being the primary communication tool used, validating sender authentication will become increasingly more important,” he said.
AI and deep fake videos may indeed pose ever greater threats to the public and to baseline industries like oil and gas in 2024. Keeping on top of these threats professionally and personally has never been so difficult—or vital.