IT and OT convergence in oil and gas: Increased business benefits also lead to increased risk
By Dr Rajiv Shah, General Manager Australia, BAE Systems Applied Intelligence
Wednesday, 02 September, 2015
The oil and gas industry has been relatively quick to establish convergence between operational and business information systems, but this results in the need for better methodologies for countering the threat posed by cyber attacks.
Since the first industrial revolution, operational technology (OT) has been central to the global economy. It keeps industrial networks and processes running, letting business automate industrial activity where possible — thereby delivering efficiency and control.
As networking technology has changed almost everything about our professional and personal lives, two separate silos have developed: the OT environment, which sits separate from other technology; and the information technology (IT) environment, which connects to the world via the internet.
Due to the growth of the internet, cloud, the Internet of Things and internet protocol-based communications, another, quieter revolution is taking place. This revolution is the convergence of OT and IT.
OT networks tend to be based on legacy technologies and, in the past, have been kept physically separated, or ‘air gapped’, from anything connected to the outside world. But today, by connecting these systems to corporate IT systems, businesses can increase efficiencies, drive cost savings, cut delivery timeframes, improve decision-making capabilities and enhance competitiveness.
The oil and gas industry is one area where the convergence of the OT and IT environments has become common. As they grow geographically, companies rely more on technology, analytics and automation to stay competitive. This includes deploying components, systems and people that can communicate and share information with each other in real time. The benefits are particularly attractive to those companies that have been hit by diminishing profits as a result of commodity price uncertainty and hard-to-reach resource reserves. The main reasons these organisations are driven to converge IT and OT systems are the need for automation, the need for operational excellence and the need to adapt to changing working conditions.
The new approach required to manage IT/OT security
The convergence of OT and IT lets oil and gas companies increase efficiencies, drive cost savings, cut delivery timeframes, improve decision-making capabilities and enhance competitiveness. However, with increased convergence comes increased risk, as systems that were previously unconnected are now potentially accessible through an internet connection.
OT systems were not originally designed or implemented with this connectivity in mind and have therefore been largely unprotected from the security threats that abound on the internet. The threat to these systems is very real, not only from accidental misuse and malfunction but also deliberate malicious activity from inside and outside the business.
With this increase in both the prevalence and the possible severity of physical and digital security threats, it is absolutely essential to ensure operations are resilient to cyber threats and demonstrate a suitable degree of system redundancy. Organisations that fail to do so can open themselves up to significant risks.
In order to manage these risks effectively, the following steps are recommended:
- Understand what assets and systems exist and determine which components need to be protected, as well as their relative importance with respect to the organisation’s processes;
- Determine which assets are critical and which are non-critical;
- Break down the structure of the systems into logical and functional groups;
- Create a layered defence around each of the functional groups and the critical systems that have been identified;
- Control the access of people, data and commands that flow from one group to another;
- Establish ongoing periodic checks and assessments to ensure defences remain effective.
Securing network segments and assuring the integrity of communications between them
As IT and OT environments converge and the security of physical air gaps is removed, protecting operational systems from unauthorised access and control becomes even more critical. However, many OT systems lack the basic authentication and integrity-checking controls that underpin security in today’s IT systems. The challenge is to protect operational systems that lack these basic controls, without implementing security solutions that could threaten the business efficiencies offered by merging IT and OT environments.
As a first step, security within OT environments can be improved by assigning the assets, systems and processes of industrial processes and control systems into functional groups, and using those groups as the logical basis for access control. This ensures that communications and processes taking place within each functional zone are relevant and authorised, and that any activity or communication unrelated to a zone is prevented.
In addition, networks can be architecturally divided into discrete segments. This enhances security by controlling network segments — restricting and blocking unauthorised communications or those that are using the wrong protocols and incorrect formats — and by preventing the flow of messages between segments which are targeted at ports, destination addresses or devices that do not exist in the destination network segment.
Ideally, this requires a solution that enables assured information exchange between segmented networks so that business processes can operate securely. This solution would enable a remote supervisory network to communicate securely with, and control elements within, the control system or field systems, while still facilitating secure communication between industrial systems and business networks on the corporate LAN.
An effective solution for securing network segments and assuring the integrity of communications between them must meet the following seven high-level requirements:
- Help to implement network segmentation;
- Allow bidirectional information exchange;
- Prevent unauthorised systems from exchanging information;
- Positively filter exchanged information, allowing only information verified as ‘good’ to pass into sensitive network segments;
- Ensure that the integrity of information is preserved from source to destination;
- Be as transparent to the existing systems as possible;
- Maintain the reliability of the existing systems and data flows.
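The segment-boundary controls described above (dropping messages aimed at hosts, ports or protocols that do not exist in the destination segment, allowing only explicitly permitted flows, checking message format, and preserving integrity from source to destination) can be illustrated with a small positive filter. The following is an added example written for this article, not code from BAE Systems or from any product; the shared key, the segment inventory, the allowed flows, the message types and their schemas are all constructed assumptions, and the message format is a simplified JSON envelope rather than a real Modbus or OPC UA frame.

```python
import hashlib
import hmac
import json

# Constructed example key shared by the two boundary gateways. In a deployment
# it would come from a key store, never from source code.
SHARED_KEY = b"example-shared-key-not-for-production"

# Constructed inventory of what exists in the control segment. Only these hosts,
# ports and protocols are real destinations; anything else is dropped outright.
CONTROL_SEGMENT = {
    "plc-01": {"ports": {502: "modbus"}},
    "hist-01": {"ports": {4840: "opcua"}},
}

# Constructed allowlist of permitted flows from the supervisory segment into the
# control segment: (source host, destination host, protocol, message type).
ALLOWED_FLOWS = {
    ("scada-01", "plc-01", "modbus", "read_holding_registers"),
    ("scada-01", "plc-01", "modbus", "write_single_register"),
    ("scada-01", "hist-01", "opcua", "read"),
}

# Constructed per-message-type format rules: exactly these fields, these types.
MESSAGE_SCHEMAS = {
    "read_holding_registers": {"address": int, "count": int},
    "write_single_register": {"address": int, "value": int},
    "read": {"node": str},
}


def sign(body: dict) -> str:
    """HMAC-SHA256 tag over the canonical JSON form of a message body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SHARED_KEY, canonical, hashlib.sha256).hexdigest()


def make_message(src, dst, dst_port, protocol, mtype, params) -> dict:
    """Build a signed message as the sending gateway would."""
    body = {"src": src, "dst": dst, "dst_port": dst_port,
            "protocol": protocol, "type": mtype, "params": params}
    return {**body, "tag": sign(body)}


def evaluate(message: dict) -> tuple:
    """Decide whether one message may cross into the control segment.

    Returns (allowed, reason). Every check is positive: the message must match
    a known-good pattern on every point, otherwise it is rejected.
    """
    tag = message.get("tag")
    body = {k: v for k, v in message.items() if k != "tag"}
    # 1. Integrity: the tag must verify, compared in constant time.
    if not isinstance(tag, str) or not hmac.compare_digest(sign(body), tag):
        return False, "integrity check failed"
    # 2. The destination host, port and protocol must exist in the segment.
    dst = CONTROL_SEGMENT.get(body.get("dst"))
    if dst is None:
        return False, "destination host not present in segment"
    proto = dst["ports"].get(body.get("dst_port"))
    if proto is None or proto != body.get("protocol"):
        return False, "port/protocol not present on destination"
    # 3. The flow must be explicitly allowed.
    flow = (body.get("src"), body["dst"], proto, body.get("type"))
    if flow not in ALLOWED_FLOWS:
        return False, "flow not in allowlist"
    # 4. The payload must match the schema for that message type exactly.
    schema = MESSAGE_SCHEMAS[body["type"]]
    params = body.get("params")
    if not isinstance(params, dict) or set(params) != set(schema):
        return False, "unexpected or missing fields"
    for name, typ in schema.items():
        if type(params[name]) is not typ:
            return False, f"field {name} has wrong type"
    return True, "allowed"


if __name__ == "__main__":
    good = make_message("scada-01", "plc-01", 502, "modbus",
                        "read_holding_registers", {"address": 40001, "count": 10})
    print(evaluate(good))
    tampered = dict(good)
    tampered["params"] = {"address": 40001, "count": 999}  # altered in transit
    print(evaluate(tampered))
    ghost = make_message("scada-01", "plc-99", 502, "modbus",
                         "read_holding_registers", {"address": 1, "count": 1})
    print(evaluate(ghost))
```

The order of the checks matters: integrity is verified first so that nothing about a forged or altered message influences later decisions, and the inventory check runs before the allowlist so that a message for a host the segment does not contain is dropped without consulting policy at all. Because each rule is an allow rule, adding a new device or flow means editing the inventory or allowlist, which is exactly the transparency-to-existing-systems trade-off the requirement list calls out.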
Detect the presence of malware or any unusual system behaviour
Monitoring networks and network activity has always been important for managing the health of any network. As the threat levels against organisations increase, the need for more proactive and more pragmatic monitoring grows. Where OT is converging with IT, monitoring requirements now extend to both the enterprise LAN and the supervisory and control networks.
Monitoring of the enterprise LAN is important, not only to better protect the enterprise but also in order to mitigate risk and prevent cyber attacks and malware from spreading into the supervisory networks, ICS and industrial processes. Traditional forms of enterprise LAN security (such as vulnerability scanners, firewalls and IDS) aim to identify, block or remediate cyber risks before any damage is done. However, as cyber attackers have become more skilful, the ability to identify a virus and block it before it enters the network is no longer enough. Increasingly, a cyber attack will consist of a series of seemingly unrelated events which are deliberately conducted over an extended period of time so as not to raise suspicion. To detect these, cyber analysts need to look for anomalous behaviour which could herald future attacker intentions.
Where monitoring must also cover supervisory networks and industrial processes, organisations will need to deploy a combination of different techniques. Firstly, organisations need to recognise that, as supervisory networks increasingly become TCP/IP enabled, the cyber threat to the IP components (laptops, workstations, databases, servers, firewalls) within OT networks becomes similar to that which threatens the enterprise LAN: the security considerations for the enterprise LAN also apply to OT networks. So organisations need the same visibility into cyber activity in the OT networks as in the corporate IT network. Some security monitoring solutions deployed in the corporate IT environment may also find applicability within certain areas of OT.
Secondly, organisations need to appreciate that the nature of the threat to industrial processes and OT systems could be different to the threat to IT systems. A control system needs to be able to see, monitor, manage and respond to the industrial networks it is managing. If a valve stops working, or a temperature starts increasing beyond safe parameters, the supervisory network needs to see this, register it and respond fast. If malware targeting OT systems removes this visibility, the OT environment as a whole is under threat. With the enterprise LAN, malware may seek to enact a denial of service (DoS), but with OT networks and industrial processes, the equivalent is to create a situation with loss of view and loss of control.
The effect that a DoS attack could have on OT systems may be far more serious than on IT systems: an outage on a mail server could stop communication for a period of time, but a loss of control preventing telemetry data being accurately received could lead to incorrect control of industrial processes and possible damage to those industrial systems.
To address this threat, organisations need a solution which helps analysts build an overview of control processes, establishing a baseline of normal activity and behaviour in OT environments and allowing security managers to overlay policies on top of this observed activity. For example, if a clever attacker or malicious insider manages to alter, inject or control commands, the safeguards provided by the management system may be lost. However, an independent monitoring device which understands the operating policies for specific devices could generate an alarm if a value is changed or a command is instructing a device to function outside of an authorised range of possible operation.
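The independent monitor described above has two parts: a baseline of normal telemetry learned from observed activity, and an operating policy overlaid on top of it so that a command outside the authorised range, or from an unexpected source, raises an alarm even when the management system itself has been subverted. The following is an added example written for this article, not code from BAE Systems or from any monitoring product; the log line format, the device policy, the baseline window and the three-sigma threshold are all constructed assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed operating policy per device: the range a command may set and the
# network sources permitted to issue commands to it.
POLICY = {
    "plc-01": {"setpoint_range": (20.0, 80.0), "allowed_sources": {"scada-01"}},
}

# Constructed log formats seen by a passive tap on the supervisory network:
#   <ts> TELEMETRY <device> <name>=<value>
#   <ts> COMMAND <src> -> <device> <name>=<value>
TELEMETRY_RE = re.compile(r"^(\S+) TELEMETRY (\S+) (\w+)=(-?[\d.]+)$")
COMMAND_RE = re.compile(r"^(\S+) COMMAND (\S+) -> (\S+) (\w+)=(-?[\d.]+)$")


def parse_line(line: str):
    """Turn one log line into an event dict, or None if it does not parse."""
    line = line.strip()
    m = TELEMETRY_RE.match(line)
    if m:
        ts, device, name, value = m.groups()
        return {"ts": ts, "kind": "TELEMETRY", "src": device,
                "device": device, "name": name, "value": float(value)}
    m = COMMAND_RE.match(line)
    if m:
        ts, src, device, name, value = m.groups()
        return {"ts": ts, "kind": "COMMAND", "src": src,
                "device": device, "name": name, "value": float(value)}
    return None


class ProcessMonitor:
    """Baseline-plus-policy monitor that sits beside, not inside, the control loop."""

    def __init__(self, policy, sigma=3.0, min_tolerance=0.1):
        self.policy = policy
        self.sigma = sigma                # deviation threshold in standard deviations
        self.min_tolerance = min_tolerance  # floor so a flat baseline still tolerates jitter
        self.baseline = defaultdict(list)  # (device, name) -> values seen in learning
        self.alarms = []

    def learn(self, lines):
        """Baseline phase: record telemetry from a period of known-normal operation."""
        for line in lines:
            e = parse_line(line)
            if e and e["kind"] == "TELEMETRY":
                self.baseline[(e["device"], e["name"])].append(e["value"])

    def observe(self, line):
        """Detection phase: check one event against policy and baseline."""
        e = parse_line(line)
        if e is None:
            return
        dev_policy = self.policy.get(e["device"], {})
        if e["kind"] == "COMMAND":
            # Policy overlay: who may command the device, and within what range.
            if e["src"] not in dev_policy.get("allowed_sources", set()):
                self.alarms.append((e["ts"], "unauthorised command source", e["device"], e["src"]))
            lo, hi = dev_policy.get("setpoint_range", (float("-inf"), float("inf")))
            if not lo <= e["value"] <= hi:
                self.alarms.append((e["ts"], "command outside authorised range", e["device"], e["value"]))
        else:
            # Baseline check: flag telemetry far outside what was seen during learning.
            samples = self.baseline.get((e["device"], e["name"]), [])
            if len(samples) >= 2:
                mean = statistics.fmean(samples)
                tolerance = max(self.sigma * statistics.pstdev(samples), self.min_tolerance)
                if abs(e["value"] - mean) > tolerance:
                    self.alarms.append((e["ts"], "telemetry deviates from baseline", e["device"], e["value"]))


# Constructed sample traffic: a quiet learning window, then a live window that
# contains one rogue command source, one out-of-range setpoint and one
# temperature reading the baseline does not explain.
BASELINE_LINES = [
    "2015-09-02T08:00:00 TELEMETRY plc-01 temp=50.0",
    "2015-09-02T08:00:10 TELEMETRY plc-01 temp=51.0",
    "2015-09-02T08:00:20 TELEMETRY plc-01 temp=50.5",
    "2015-09-02T08:00:30 TELEMETRY plc-01 temp=49.5",
    "2015-09-02T08:00:40 TELEMETRY plc-01 temp=50.0",
]
LIVE_LINES = [
    "2015-09-02T09:00:00 TELEMETRY plc-01 temp=50.4",
    "2015-09-02T09:00:05 COMMAND scada-01 -> plc-01 setpoint=60.0",
    "2015-09-02T09:00:10 COMMAND eng-laptop -> plc-01 setpoint=60.0",
    "2015-09-02T09:00:15 COMMAND scada-01 -> plc-01 setpoint=95.0",
    "2015-09-02T09:00:20 TELEMETRY plc-01 temp=58.0",
]


def run_monitor(baseline_lines=BASELINE_LINES, live_lines=LIVE_LINES):
    monitor = ProcessMonitor(POLICY)
    monitor.learn(baseline_lines)
    for line in live_lines:
        monitor.observe(line)
    return monitor.alarms


if __name__ == "__main__":
    for alarm in run_monitor():
        print(alarm)
```

The policy checks fire on the command itself, before any physical effect, which is the point of placing the monitor outside the management system: a compromised HMI or an insider with valid credentials still has to send the out-of-range command across the wire, where an independent device that knows the authorised range can see it. The baseline check is the complementary, behaviour-based half, and catches the case where commands look legitimate but the process they drive no longer does.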
Conclusion
The convergence of IT and OT offers companies tremendous opportunity to enhance productivity and increase efficiency and competitiveness. However, enterprises need to recognise that the risk of cyber attack and other security violations has increased, opening up many new security challenges.
Managing these threats requires a different mindset and methodology from traditional IT security, for a number of reasons. Converged IT and OT systems result in more complex architectures, making it harder to accurately determine the security requirements of the various components and to quantify the levels of risk.
Network architectures to segregate different domains are also required. These must ensure the availability of OT systems at all times, avoid any latency in real-time protocols and ensure the validity, integrity and authorisation of data exchange.
Organisations should follow three basic steps to ensure security is managed as part of any IT/OT convergence activity:
- Prepare: Understand what assets and systems exist. Determine which components need to be protected, their relative importance with respect to the organisation’s processes and the structure of the network.
- Protect: Assign assets, systems and processes into functional groups and use these to define functional zones in the network. Use advanced solutions that can allow bidirectional information exchange, maintain the reliability of data flows and avoid additional latency, but which can ensure the integrity of information transfer and prevent unauthorised systems from exchanging information by positive filtering.
- Monitor: Establish ongoing periodic checks and assessments to ensure defences remain effective, and be ready to respond if attacks or vulnerabilities are detected. This includes the monitoring of both the enterprise LAN and the supervisory and control networks. Advanced monitoring approaches will be needed to detect modern advanced attackers, and the approaches for the supervisory and control network will also need to take into account the specific characteristics and risks associated with such networks.