The oil industry’s unseen dangers: OT cyber vulnerabilities

Given the sophistication and effectiveness of recent industrial cyber attacks, such as the Ukrainian power grid attack in 2015, the Industroyer/CrashOverride malware attack in 2016, and the Triton/Trisis malware attack in 2017, it is more important than ever to identify and remediate operational technology (OT) vulnerabilities, particularly in key critical infrastructure industries such as oil and gas. However, most energy companies still struggle to effectively manage OT cybersecurity vulnerabilities and risks. Attacks on OT systems are rapidly escalating, yet many oil and gas companies continue to focus cybersecurity efforts on IT-centric, rather than production-centric, endpoints. They also continue to rely on manual vulnerability management processes, leaving their industrial facilities exposed to unacceptable risks.

Surface view of OT vulnerabilities

IT-centric cybersecurity approaches focus on securing Level 2 endpoints (Purdue model) − operator workstations, servers, routers, and switches − as they are much easier to assess than controllers and smart field instruments. Level 2 cyber assets make up only about 20% of endpoints that exist in process control networks (PCN).

Level 1 and 0 cyber assets are often left unassessed. They comprise about 80% of the cyber assets in industrial facilities and include Distributed Control Systems (DCSs), Programmable Logic Controllers (PLCs), Safety Instrumented Systems (SISs), turbine controls, smart field instrumentation, and the smart sensors that directly connect to process equipment.

Level 1 and 0 endpoints matter the most in industrial facilities because they are responsible for delivering safe and profitable production. Proprietary architectures and lack of standard protocols in multi-vendor process control environments make asset discovery, vulnerability assessment, and risk mitigation difficult. This leaves OT systems exposed to vulnerabilities lurking on these underlying systems.

Vulnerability counts continue to rise

The number of vulnerability advisories issued by ICS-CERT has increased by 1,035% since 2010.

Many of these vulnerabilities have likely been present for years, only coming to light now due to increased awareness of ICS cybersecurity risk.

Manual, point-in-time assessments

OT vulnerability assessment is often a largely manual, point-in-time activity performed by outside contractors once every few years. Assessments quickly become outdated as systems change, existing vulnerabilities are remediated, and new vulnerabilities emerge. To maintain currency, OT cybersecurity professionals monitor ICS-CERT and automation vendor websites for new vulnerability advisories or bulletins, and then send emails to asset owners at sites to determine if systems are vulnerable, and if so, what the remediation plans are. Timely, accurate responses are rare, leaving most organisations exposed. Critical vendor patches and updates are often not applied for months or years. No centralised view exists to provide insight into which assets are secure and which still have vulnerabilities. OT cybersecurity personnel and asset owners have only an incomplete view into their OT security posture.

What’s required: better OT vulnerability visibility and management

The variety of automation system brands and models running in industrial facilities necessitates a more efficient, standardized approach to OT vulnerability identification and remediation.

Know what you have

Industrial environments need a comprehensive, evergreen inventory of all their Level 2, 1, and 0 systems, including detailed information about current system configurations, firmware versions, operating systems, and applications.

Manage change effectively

Asset security postures change when process control engineers install new hardware, make configuration changes or perform upgrades and maintenance. Cybersecurity personnel must have an automated way to identify changes and quickly discover new vulnerabilities.

Assess vulnerabilities continuously

Only automated approaches to OT vulnerability assessment can keep up with the rapidly evolving OT threat landscape so risks to production safety and reliability can be quickly identified. Levels 2, 1, and 0 assessments should occur when new vulnerabilities are published, new systems come onto the PCN, or existing systems are updated.

Prioritise remediation or mitigation

Cybersecurity personnel must prioritise vulnerability remediation or mitigation activities effectively based on potential impacts. Many organisations use the National Vulnerability Database (NVD) Common Vulnerability Score System (CVSS) to gauge the potential impact a vulnerability may have. CVSS scores provide important information about vulnerability exploit ease, potential exploit impact, and if there is known malware that targets the vulnerability. Other factors, such as asset location and criticality to process safety and reliability, should also be taken into account when prioritising remediation actions.

Track vulnerability remediation continuously

Defined vulnerability remediation and mitigation workflows ensure consistent activity tracking and reporting. Viewing the latest data in dashboards and trend views gives asset owners and OT and IT cybersecurity personnel the information they need to make educated vulnerability remediation and cyber risk management decisions. For example, one facility remediates critical vulnerabilities in four months, while another requires eighteen months. OT cybersecurity leaders need this information so they can increase focus or augment staff to improve responsiveness at the slower site.

Summary

Vulnerability management is an ongoing, never-ending process focused on risk reduction, not a point-in-time assessment. Similar to the approach to industrial safety, continuously reducing cybersecurity risk across the entire is what an OT vulnerability management programme is all about.

As new vulnerabilities are disclosed and system configurations change, OT systems that were previously thought to be secure become insecure. Organisations that implement continuous OT vulnerability management across Levels 2, 1, and 0 endpoints are best positioned to minimise cybersecurity risk and improve process safety and reliability.

Read the article online at: https://www.oilfieldtechnology.com/hse/20082018/the-oil-industrys-unseen-dangers-ot-cyber-vulnerabilities/