When Nozomi Networks’ Chris Grove first arrived in the operational technology sector six years ago, after more than two decades in cybersecurity overall, he found that companies had little knowledge of, or interest in, the security risks of connecting their OT (operational technology) devices to networks. “When we would go to customers [on sales calls] it was largely education. We would educate 50 environments for every one that we closed a deal in.” Grove is director of cybersecurity for Nozomi, a worldwide OT and IoT security company.
OT is defined as hardware or software used to control industrial equipment, manage human-machine interfaces, or perform other related tasks. OT primarily interacts with the physical world. OT can include industrial control systems (ICSs) such as programmable logic controllers (PLCs), distributed control systems (DCSs), and supervisory control and data acquisition (SCADA) systems.
Gradually, Grove saw companies open up to the need for cyber security. That transition involved OT and cybersecurity engineers meeting together for the first time. Many cybersecurity people had never even been to a plant or in the field where the OT machinery is located. The challenge for Grove was to “get them to speak a common language and wrap their heads around solving a common goal.” That effort “was what we did most of the time.”
Over the ensuing six years, world events involving ransomware and other hacking incidents began to show the industry that it, too, was vulnerable. Now, Grove said, most prospective clients call his company and say, “We have this [security] problem, how much will it cost to solve it?”
Creating “air gaps” in connections—insulating equipment from online hackers—is vital, Grove said. He finds many companies that think they have those air gaps but quickly learn of weaknesses after Nozomi evaluates the system. “We would bring in visibility and show them, ‘Well, you’re kind of air gapped, but look at all this,’ and they would be surprised.”
Some of what he called “weird connections to their network” involves an OT engineer installing a cell phone connection or setting up an unsecured Wi-Fi network without notifying the cybersecurity department.
The proliferation of connections to monitoring equipment has exposed the IT department to geopolitics. “Up until now there hasn’t been a huge demand for OT engineers in the trenches to be thinking about Russian nation-state attacks.” Grove added that the threat from international hackers has actually been around for more than a decade; it just hadn’t been in the news until the Russian invasion of Ukraine, and 10 years ago networks were indeed somewhat more isolated than they are today.
Today’s far-flung connectivity benefits a company by adding visibility and control of remote operations but, Grove pointed out, there are indeed risks. “It’s really important from the beginning that companies bake visibility into it,” when adding connections. Specifically, “Visibility that is flexible enough to adapt to that change.”
The changes themselves have risks because when networks are added or move, or filtering is adjusted, those changes create security gaps. E&P companies also must deal with partners onsite, such as service companies, equipment providers, or contractors, whose security standards may vary from the host’s levels.
If security is not, as he noted, “baked in” to any network changes from the start, it is much harder to find and plug security gaps later—and it is truly too late if a gap has resulted in a security breach or ransomware attack.
The more security measures a company has, the better. “You don’t want to be the low-hanging fruit on the internet,” he cautioned, adding, “Ransomware operators find your weak spot, and that’s how they get in.”
Grove’s observation about the growth of exposure through device connectivity is echoed by two experts from IPKeys Cyber Partners. Company CEO Robert Nawy says they detect an abundance of vulnerability in the marketplace as a whole. “We see the need to continuously monitor networks, devices, cloud spaces, land spaces, and SCADA. Our mantra is a simple one: We’ve got to lock the doors, continuously monitor the locks and the compliance.”
With international threats increasing, Nawy feels that a certain number of successful hacks are inevitable—but there are ways to minimize the damage. In spite of security risks, business must go on. “You still have to deliver your energy, you still have to deliver your power—you can’t lock everything down.”
This is where risk mitigation comes in.
For IPKeys’ Loney Crist, SVP Cyber Security Software Development, the issue is not so much in new methods of attack as it is in the proliferation of connected devices, which presents “an ever-increasing hack surface, not just for oil and gas, but for most of the OT systems we monitor.”
IPKeys Cyber Partners is a provider of industry-leading, secure OT/IT intelligence platforms that address the complex cybersecurity, data, and critical infrastructure protection challenges faced by operators of mission-critical networks for customers in the energy, government, public safety, communications, and industrial markets.
Crist sees a certain amount of design in the idea of Russian operatives attacking specifically the U.S. oil and gas sector, in light of the latter’s boycotting of Russian oil and gas. “Anything they can do that could possibly take out other gas sources, it makes them even more of a target, long-term.”
Recalling the notoriety of the 2021 Colonial Pipeline ransomware case, Nawy pointed out that there are actually dozens of under-the-radar cases each year that are resolved either by paying the ransom or by the victim using a backup system to restore operations without paying up. The decision whether to pay is often driven by how fast the company needs to get back up and running—it takes longer to restore from backups than to pay up. Of course, there’s risk with that as well—in a certain number of cases the hacker does not restore the data after being paid, so the victim faces a double whammy.
Keeping an attack under wraps ironically benefits both parties. The victim avoids being seen as weak on security, and the hacker lives to hack another day.
Which brings up the question of lightning striking twice—has there ever been a company that’s fallen to ransomware a second time? Maybe somewhere, said Crist, but it’s more likely that a once-ransomed company quickly becomes one of the most resistant on the planet. And its security chief is likely looking for a new job.
Regarding protection, things like AI and human security oversight are part of the plan, but the biggest open door is always untrained or lackadaisical employees who open spam emails. Said Crist, “Humans are always the weakest link in these things.” When the web browser asks, “Are you sure you want to open this?” and the employee clicks “Yes,” the door is opened no matter what other systems are in place. Work-from-home scenarios are another risk.
The key in any situation is indeed to monitor through AI and human observation by trained security personnel, he said. A hacker almost never knows where or how to advance right at first. They must prowl quietly, seeing what information is poorly partitioned or not air-gapped, then choosing a target on which to try various login combinations. Alertness can often prevent any real damage even when a breach has occurred.
M&A activity, which merges systems from two or more companies, presents a challenge, as the new system must be evaluated and updated, if necessary, as quickly as possible to keep both databases safe.
Part of the evaluation process is for a security company to test for weak spots, said Glenn Hartfiel, principal in Opportune LLP’s Process and Technology practice. External hacking attempts are one method, but perhaps the most disturbing one is the ease of access through a simulated onsite attack.
“We would walk into a site—they [at the site] didn’t know we were coming—we’d walk in, they’d hold the door open for us, we go into a conference room, plug a laptop into the network,” from which they had quick access for mounting an internal attack. “That was pretty effective and pretty easy to perform,” Hartfiel said. They had success both in field offices and in corporate headquarters.
On that level, Grove’s technique would involve walking in, finding the smoker’s lounge, and leaving some thumb drives loaded with malware on the table. Then someone would find the drive, thinking someone at the company had forgotten it. Next they would plug it into their laptop to see what files were on it to try to determine whose it was. In that act, they allowed the malware to load itself onto their computer, giving access to the hacker.
In both cases a company’s chief information officer (CIO) or chief financial officer (CFO) would engage the security company without telling the general staff, for the purpose of finding holes and then plugging them through personnel training or other means.
Checking for IDs or challenging unknown people is where that starts—there are times when good old West Texas hospitality will lead to trouble.
But today, Hartfiel said, most hacking attempts originate overseas.
Surprisingly, something as simple as multifactor authentication—even two-factor authentication—can greatly reduce the risk of outside hacking success. “When you log in, you have to then use your phone, plug in that code, or just approve the login. That helps quite a bit.”
The famous Colonial Pipeline shutdown from last year could have been prevented by something as simple as two-factor authentication, he said, adding that for the amount Colonial reportedly paid the hackers, they could have paid much less to have a good security team on board that would likely have prevented the break-in.
With international hacking, who is vulnerable? Is it just ExxonMobil, Chevron, or maybe Pioneer-level companies? Or does Mom and Pop Oil, with 15 wells on their back 40, also have to beware?
Said Hartfiel, “It’s always who has exposure that can be scanned from the internet. Like anything, people will scan the internet for any open devices and look for any target they can get into.”
There is actually a service for hackers that performs that kind of search. They look for default passwords, open logins, etc., and publish those on the dark web.
Russia is not the only source of hacking, Hartfiel said. “If you deploy anything with Amazon cloud, you’ll see a lot of Chinese internet addresses come through. You will get some from Russia, you’ll get some from Vietnam, you’ll get some from Brazil, but the majority of them are coming from China. That’s been going on for years.”
So yes, bigger companies including refineries are going to be at the top of the list, but anyone who is not protected is at some risk.
Most hacking is profit/theft based, from some type of organized crime. “Basically, the effort is to make money. They want to inject something like ransomware that will encrypt your data, then they basically say, hey, you pay the ransom, we’ll give you the decryption key then you can decrypt your data.”
Often companies go ahead and pay the ransom in order to get back to business as quickly as possible—a situation Hartfiel sees as unfortunate because it encourages “more bad actors on the internet.”
For companies that do not need web access from outside the United States, he suggests geolocation blocking as part of the firewall. A subscription-based service, it blocks “all the IP addresses that originate from outside the United States.”
He continued, “That prevents at least 90 percent of the attempts.” However, as he cautions, “It slows them down, but nothing’s perfect.” Still, making it even somewhat harder can cause a hacker to give up and find an easier target. This is much like locking a vehicle while downtown—it’s not foolproof either, but it may cause a potential thief to move on, looking for an unlocked car.
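The two controls the article keeps returning to, a geolocation block at the firewall and alert monitoring of login attempts behind it, can be sketched as a small detection script. This is an added example, not code from Nozomi, IPKeys or Opportune; the prefix-to-region table, the log format and the sample lines are all constructed here to stand in for a real subscription geolocation feed and a real authentication log.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-in for a subscription geolocation feed (hypothetical table;
# real feeds carry thousands of prefixes). TEST-NET ranges play the Internet,
# 10.0.0.0/8 plays the plant LAN.
GEO_TABLE = {ipaddress.ip_network(p): c for p, c in {
    "198.51.100.0/24": "US", "203.0.113.0/24": "CN",
    "192.0.2.0/24": "BR", "10.0.0.0/8": "LAN"}.items()}
ALLOWED_REGIONS = {"US", "LAN"}  # geo-blocking policy: U.S. and internal only
FAIL_THRESHOLD = 3               # failed logins per source before alerting
LINE_RE = re.compile(r"LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)")


def country_of(ip: str) -> str:
    """Map a source address to a region label using the constructed table."""
    addr = ipaddress.ip_address(ip)
    for prefix, region in GEO_TABLE.items():
        if addr in prefix:
            return region
    return "UNKNOWN"  # unmapped space is treated as foreign (default deny)


def is_geo_blocked(ip: str) -> bool:
    """Firewall-style decision: drop anything outside the allowed regions."""
    return country_of(ip) not in ALLOWED_REGIONS


def analyze(lines):
    """Geo-filter first, then count login failures in traffic that got through.
    Returns (drops per region, sources exceeding FAIL_THRESHOLD failures)."""
    blocked, failures = Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not login events
        src = m["src"]
        if is_geo_blocked(src):
            blocked[country_of(src)] += 1
        elif m["result"] == "FAIL":
            failures[src] += 1
    alerts = sorted(s for s, n in failures.items() if n >= FAIL_THRESHOLD)
    return blocked, alerts


# Constructed sample log (no real system): foreign sources are dropped outright;
# a U.S. source trying several logins still needs an alert, since "nothing's perfect".
SAMPLE_LOG = [
    "2024-03-01T02:10:01 LOGIN FAIL user=admin src=203.0.113.7",
    "2024-03-01T02:10:05 LOGIN FAIL user=scada src=192.0.2.44",
    "2024-03-01T02:11:00 LOGIN FAIL user=operator src=198.51.100.9",
    "2024-03-01T02:11:03 LOGIN FAIL user=operator src=198.51.100.9",
    "2024-03-01T02:11:09 LOGIN FAIL user=admin src=198.51.100.9",
    "2024-03-01T02:12:00 LOGIN OK user=jsmith src=10.20.0.5",
]
```

Running `analyze(SAMPLE_LOG)` drops the CN and BR attempts at the region check and raises one alert for the U.S.-mapped source, which is the point the article makes: the geofence removes most of the noise, and monitoring catches what it lets through.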
All correspondents stressed the idea that protection against hacking is possible, and minimizing the damage in case of a successful hack is also possible—if sufficient protective resources are put in place. Sometimes something as simple as two-factor verification is enough. But simply hoping, without preventive action, is leaving the door wide open to trouble.
By Paul Wiseman