Less Reliance on Foreign Oil Begs the Importance of Domestic Cyber Protection

By Marco Ayala, Industrial Automation and Control System (IACS) Cybersecurity Sector Lead at 1898 & Co.

In April of 2023, OPEC’s surprise oil production cuts left the Biden Administration sitting with a huge, missed opportunity to refill 180 million barrels of the Strategic Petroleum Reserve. Oil has become a sacred and limited resource, begging the importance of keeping domestic commodities secure both physically and from cyber-attack. As the United States depends on domestic oil stock, this precious and limited resource must be protected. Without proper security measures for this critical infrastructure, the country could face a repeat of the 2021 Colonial Pipeline hack, which could result in even more severe nationwide effects and panic.

Domestic Commodities are at Risk

The oil and gas industry relies on technology to manage vast networks of assets and operations remotely. While remotely connected operational technology (OT) is critical to safety, it is also vulnerable to cyber-attack. A study by GAO states that a network of 1,600 offshore facilities produces a majority of the country’s domestic oil and gas. These networks are a prime target for malicious actors, and because there are so few of them, they are easier to target and can cause a bigger impact.

Vulnerabilities in the oil and gas sector also stem from older facilities operating on outdated legacy systems which lack modernized cybersecurity measures. In 2018 alone, there were over 15,000 identified Common Vulnerabilities and Exposures (CVEs). While legacy systems were once built in line with current cybersecurity practices, the passage of time has rendered them obsolete in 2023’s evolving threat landscape. These legacy systems create greater attack surfaces that are easily targeted remotely without the technology required to properly patch, update and monitor threats before they become an issue.

Severe Implications of Cyberthreats

Cyberattacks on oil and gas infrastructure have the power to cause physical, environmental and economic harm. We have seen multiple OT attacks play out in recent years, all of which were detrimental to business and safety. For instance, the ransomware attack that impacted Colonial Pipeline stole data, locked computers, and limited access to the billing systems within the corporate/IT environment. The operational technology (OT) systems had to be shut down, effectively halting business functions and limiting the ability of system administrators to have visibility into their systems. System shutdowns have the largest negative impact on the industry because they don’t guarantee complete isolation. A full system shutdown is much more complex than flipping a switch, allowing threat actors to further burrow through the available networks and infiltrate the system further.

Cyber-attacks clearly disrupt physical systems, but they are no longer reserved for personal attacks. Cyber hacks can also have a grave impact on the people and surrounding communities, and environmental harm could be as tragic as the Deepwater Horizon or Exxon Valdez oil spills. One well-planned attack on an oil pipeline, refinery, or storage facility has the power to release thousands of gallons of oil into the area, putting employees, businesses and schools in grave danger. Gartner predicts that by 2025, hackers will have successfully used a critical infrastructure cyber-physical system to harm or kill humans.

Protecting Domestic Production with Proper Cyber Measures

It is imperative that a proper cybersecurity plan is put in place for domestic oil and gas companies. Establishing an OT cybersecurity program and improving upfront preparedness is critical. By implementing strategies including baseline risk assessments, asset inventories and as-built architectural maps, paired with continuous updating of incident response plans and testing, these environments will have a strong security baseline.

Another layer is incorporating CIE and CCE (consequence-driven, cyber-informed engineering), which protects the company’s critical function so that when an adversary attacks, the lifeblood of the company continues to operate, even though some less critical components may be impacted.

We need new collaboration methods where federal and non-federal stakeholders can openly discuss ideas regarding how to apply scarce resources and share sensitive information about threats, and public/private partnerships is the answer. The federal government needs to create collaboration mechanisms that encourage effective public-private partnerships that aren’t only driven by reactions to new regulations, security directives and compliance issues. The importance of these partnerships is consolidated by public information sharing, as proven by the Guam critical infrastructure hack that was found by Microsoft and relayed to U.S. decision-makers.

Marco (Marc) Ayala is a process automation professional with over 25 years of experience working in petrochemical facilities, where he designed, implemented, and maintained their process instrumentation, automation systems, and process control networks. Currently, the director and ICS cybersecurity section lead at 1898 & Co. (part of Burns & McDonnell), Marco has expertise with safety systems, advanced process control, enterprise historians, and industrial network security, where he worked with enterprise IT to implement a corporate PCN security solution. He is active in cybersecurity efforts for the oil and gas, maritime port, offshore facilities, and chemical sectors, working alongside federal, local, and state entities for securing the private sector.

Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.