In episode 55 of The Cyber5, we are joined by Nate Singleton, a security practitioner who was most recently the Director of IT, Governance, and Incident Response at Helmerich and Payne. In this episode, we discussed the conundrums of operational technology security within gas and energy sectors, including risks downstream and upstream.
Here are the 5 Topics We Cover in This Episode:
1) Operational Technology is Built to Last, Bringing Nuance to Security:
- The underlying technology controlling oil, gas, and energy PLCs runs on Linux and Windows servers from 20 years ago, and patching them for upgrades is expensive and requires a lot of downtime.
- Routine vulnerability scanning of an entire IP block, common in regular IT environments, can cause major damage in OT environments, even resulting in the loss of human life, if it is not conducted carefully and properly.
2) Interconnectivity Comparisons Between Legacy Silicon Valley Tech and Operational Tech Development:
- Security takes a back seat in operational technology for the Energy Industry, just like it does for Silicon Valley product development.
- The bigger challenge is often integrating regular IT and application developments that need constant upgrades with OT technology that can’t take the upgrades on time. A “move fast and break things” mentality in OT could get someone killed.
- Ransomware and other malware events have the capacity to take down OT production lines for weeks, costing millions of dollars.
- The Colonial Pipeline ransomware event attacked only the IT environment, not the OT environment, yet it demonstrated the potential for future calamities.
3) Attacks Against Oil and Gas are Geopolitical in Nature and Will Likely Get Worse:
- Attacks against critical infrastructure are going to get worse. They are often conducted by nation states that have the time to build exploits against the IT environment and are also leveraging sophisticated OT knowledge and tooling.
4) Strategies for Protecting Operational Technology in ONG:
- OT security is largely about protecting the IT administrator who can access oil rigs, energy systems, and OT devices.
- Reporting must make it from the OT systems to the corporate IT systems so the business can see profit and loss. Therefore, many critical infrastructure operators use the Purdue Model to segment the network into layers, from the machinery up through the different levels of the corporate environment, so that customers can still be billed. More granular strategies include:
  - Updated EDR products in the corporate environment
  - Multi-factor authentication separating the corporate and OT environments
  - Separate domains for engineers' internet browsing and email versus their software upgrades on the OT networks
  - Robust firewall policies at the network layer controlling port and protocol connectivity in both directions
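The Purdue-style segmentation and port/protocol firewall policy described in this topic, as an added Python example that is not from the episode or from Helmerich and Payne: it checks a constructed firewall rule set against a constructed allowlist of approved cross-zone flows and flags rules that let corporate hosts reach OT levels without passing through the industrial DMZ, that open every port across a boundary, or that are simply not on the list. The zone names, level numbers, and ports are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Purdue levels used here (constructed mapping for the example): 1 = PLCs,
# 2 = HMIs, 3 = site operations, 3.5 = industrial DMZ (IDMZ), 4 = corporate.
ZONE_LEVEL = {"plc": 1, "hmi": 2, "site_ops": 3, "idmz": 3.5, "corp": 4}
OT_MAX_LEVEL = 3  # anything at or below this level is the OT side

# Approved cross-zone flows as (src, dst, port). Any allow rule that crosses
# a zone boundary and is not listed here gets flagged. Constructed policy.
APPROVED = {
    ("site_ops", "idmz", 443),   # historian pushes reports up to the IDMZ
    ("idmz", "corp", 443),       # corporate pulls P&L/billing data from IDMZ
    ("corp", "idmz", 3389),      # engineers reach the IDMZ jump host
    ("idmz", "site_ops", 3389),  # jump host onward into site operations
}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int]  # None models an "any port" rule
    action: str = "allow"

def violations(rules: List[Rule]) -> List[Tuple[Rule, str]]:
    """Return (rule, reason) for every allow rule that breaks zone policy."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.src == r.dst:
            continue  # deny rules and intra-zone traffic are out of scope
        if r.port is None:
            findings.append((r, "any-port rule across zone boundary"))
            continue
        if (r.src, r.dst, r.port) in APPROVED:
            continue
        s, d = ZONE_LEVEL[r.src], ZONE_LEVEL[r.dst]
        crosses_ot_boundary = (s <= OT_MAX_LEVEL) != (d <= OT_MAX_LEVEL)
        if crosses_ot_boundary and "idmz" not in (r.src, r.dst):
            findings.append((r, "corporate/OT flow bypasses the IDMZ"))
        else:
            findings.append((r, "cross-zone flow not on the approved list"))
    return findings

# Constructed rule set standing in for an exported firewall policy.
SAMPLE_RULES = [
    Rule("site_ops", "idmz", 443),
    Rule("idmz", "corp", 443),
    Rule("corp", "plc", 502),       # Modbus straight from corporate to a PLC
    Rule("corp", "idmz", None),     # "any port" into the IDMZ
    Rule("hmi", "site_ops", 5900),  # VNC that nobody approved
    Rule("corp", "site_ops", 22, action="deny"),
]

if __name__ == "__main__":
    for rule, reason in violations(SAMPLE_RULES):
        print(f"{rule.src} -> {rule.dst} port {rule.port}: {reason}")
```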
5) Threat Intelligence for OT Security:
- Integrating Indicators of Compromise (IOCs) into a SIEM has become an antiquated practice in IT, but IOCs are still valuable in OT environments, which are modeled around constant connectivity and uptime.
- Client-specific intelligence about what threat actors are doing is most critical, because remediation will take place over weeks and months. A cost-benefit analysis is always going to be applied when allocating resources to fix vulnerabilities, so a "block all" approach to threat intelligence is not going to work.