It isn’t hard to imagine the havoc a physical attack on an oil and gas operation can wreak. But few pause to consider the extent of damage that can be achieved with cyberattacks alone. Be it malware taking over control systems or ransomware shutting down data access, the consequences of cyberattacks are often on par with those of physical attacks, with similar implications. In other industries, cyberattacks may threaten customers’ personal information and negatively impact a company’s compliance and reputation. In oil and gas, it’s people’s lives – and the environment itself – that are at stake.
Physical AND digital threats are on the rise, making security an increasingly important priority for virtually every company. One of the biggest threat drivers for oil and gas? The growing universe of connected “things” being deployed upstream, midstream, and downstream in the refinery and beyond.
From a security standpoint, IoT devices in oil and gas can be both a blessing and curse. They collect a wealth of real-time, real-world data that can be crucial to achieving goals around improving operational efficiency, optimizing equipment operation and maintenance, safeguarding workers, and addressing compliance requirements. Connected cameras, geo-fencing perimeter protection solutions, third-party intrusion, and other access control capabilities can even play a vital role in physical security protecting physical infrastructure.
Commercial off-the-shelf products are increasingly seen in oil and gas to perform tasks that were originally undertaken by purpose-built equipment for the operational environment. They come with more potential vulnerabilities, and therefore greater security risk, compared to traditional process control systems. By their very existence, they also dramatically increase the size of the potential attack surface.
Alongside those challenges are the vast volumes of data that so many interconnected devices and sensors generate. Just as oil and gas move through a pipeline, so does data. Beyond protecting the physical security of oil fields, refineries, and distribution channels, companies must ensure that the data pipeline is secure upstream, midstream, and downstream.
Put it all together and it’s clear that oil and gas companies must think about security not in terms of “physical” versus “digital” but rather from end-to-end, with a corresponding plan, and ongoing monitoring and management. This approach needs to unify everyone in the value chain – suppliers, partners and even customers – around a singular, standards-based security framework.
What’s the best way for oil and gas companies to begin their journey toward comprehensive security? Lead with a baseline assessment of what’s currently connected (and what needs to be connected) in each environment. Use that to gain visibility to all assets and to measure associated risks. With that level of insight, start segmenting the environments to reduce the size of attack surfaces. Develop and apply consistent security policies to each segment. And then review the assessment regularly – making updates to reflect new equipment, new threats, and other opportunities to drive business value.
It may be not be possible to eradicate all security threats, but oil and gas companies can take proactive steps to fuel smarter, more effective protection. Cisco is here to help.