Digital transformation has enabled the oil and gas industry to boost productivity, increase efficiency and reduce costs. Unfortunately, it has also increased the possibility of cyberattacks with the potential for creating global chaos.
The benefits and risks all flow from the increased integration of operational technology (OT) and information technology (IT) networks. The convergence of physical and digital systems supports the automation of critical processes and enhances data collection and analysis. Yet, it also exposes the systems to all manner of threats.
Once malware infects an Internet-connected IT network, it can make the hop onto the OT network of industrial control systems. Data-encrypting ransomware or data-wiping malware variants can obscure all operational data, making it impossible for operators to monitor or control pipeline transmissions.
The 2021 Colonial Pipeline ransomware attack brought the risk into the public eye. Attackers breached the company’s IT network through an email-borne phishing attack and encrypted billing records and other key data. The company shut down the pipeline to prevent the ransomware from spreading to its OT systems. The six-day shutdown interrupted the flow of petroleum products between Texas and the East Coast, drove gas prices to their highest levels in years and led President Biden to declare a state of emergency.
It was not an isolated incident. More than two-thirds of oil and gas companies have experienced at least one cyberattack, according to a Ponemon Institute survey. The increase mirrors the rise of converged IT/OT systems. For decades, critical operational technologies such as flow meters, pressure sensors, temperature controls, level sensors and other instrumentation were functionally separated from IT systems. They weren’t designed with most IT cybersecurity protections because they weren’t intended to connect to public networks such as the Internet.
More than two-thirds of oil and gas companies have experienced at least one cyberattack.
Digital transformation has upended that model by connecting machines, sensors, systems and networks. According to a Deloitte report, a typical large-scale oil and gas company now has thousands of connected control systems spread across large geographic areas, with hundreds of thousands of processors generating and transmitting petabytes of sensitive field data.
To address the growing risk, the Government Accountability Office (GAO) recommends replacing or upgrading legacy OT infrastructure. Many legacy devices rely on unsupported operating systems that no longer receive software security patches to address vulnerabilities. In addition, they often lack the ability to log commands sent to the devices, which makes it difficult to detect malicious activity.
GDS has specific expertise in developing, deploying and managing secure connectivity solutions for the energy industry. Contact us for additional recommendations on securing critical oil and gas infrastructure.