they are targeted not only by malevolent
individuals but also by organisations that use
cyberattacks as weapons to weaken
nation states and other global institutions.
A third element to consider when
formulating a cybersecurity strategy is the
proliferation of mobile devices. Mobile
phones, tablets, laptops and thumb drives
in the hands of practically every oil and
gas industry employee worldwide create a
need for the development of more modern
and robust security policies. The added
connectivity of these devices makes it easy
for outsiders who guess or steal passwords to
penetrate the control environment.

A reasoned – and steady – approach for deploying cybersecure solutions

Fortunately, there are several steps that oil
and gas companies can pursue in order to
minimise the threat of cyberattack-driven
disruptions to business continuity:
“CYBERSECURITY IS NOW A COST OF DOING BUSINESS.”
When considering the issue of cybersecurity
and its impact on business continuity, several
types of threats come into play. The first is
the exposure of employees to outside emails.
More than 400 businesses every day are
exposed to email ‘spear-phishing’ schemes,
draining three billion dollars from businesses
over the last three years. The percentage
of emails that contain potentially
business-disrupting malware today stands at one in
131, the highest rate in five years.
A second issue involves attacks by organised
groups on critical infrastructure. Oil and
gas facilities are increasingly considered
critical national infrastructure. As such
Step one involves building firewalls to
keep outsiders from entering the corporate
network and gaining access to control
systems. This will work in environments
where entry points into the system are
somewhat limited. However, in an IIoT
world, cybersecurity will need to be built into
every control system hardware and software
component, protecting every node that has
computing capability.
Step two requires a gradual approach to
strengthening cybersecurity infrastructure.
Responsible control systems manufacturers
are now designing cybersecurity into every
module they build and deliver so that clients
don’t have to concern themselves with
building in cybersecurity after they purchase
a new product.
Manufacturers like Schneider Electric, for
example, apply a Secure Development
Life Cycle (SDL) approach to their product
development. Within the context of SDL,
secure architecture reviews are performed,
threat modelling of the conceptual security
design takes place, secure coding rules are
followed, specialised tools are utilised to
analyse code, and security testing of the
product is performed.
These actions help to ‘harden’ products,
making them more resilient against
cyberattacks. In this way, as new products
replace old, entire systems evolve to become
more cybersecure.
Step three includes the education of
employees. A cybersecurity-aware culture
needs to be developed within oil and gas
organisations to help employees understand
or appreciate the key risks, so that operations
can be run in a secure manner (including
basic password management or
changeover management).
Such an environment should audit and
enforce cybersecurity best practices on
a consistent and effective basis, utilising
available supervision and detection tools, so
that exposure to risk can be minimised.
In such a cybersecurity-aware process
culture, the priorities of the IT and industrial
control departments need to be aligned.
Both employees and vendors coming in need
to be aware of the security policies or risk
being denied access to sensitive equipment
and operations software.
For more best practices in countering
cybersecurity threats, download Schneider
Electric’s complimentary reference guide,
A Practical Guide to Achieving Oil & Gas
Operational Efficiency through Digitization.
INTELLIGENTCIO