Operationalizing cybersecurity has been a major challenge for oil and gas engineers to date. With their primary priority to maintain uptime, these managers have been putting off updating security: ironically, implementing cybersecurity across process control networks can be seen as increasing risk. As a result, operations would rather isolate their systems from those of the rest of the company, including from IT security policies.
However, this is changing. Several advanced oil and gas operators now recognize the need to deploy cybersecurity technologies to stay in business. The need for cybersecurity is being used by savvy plant managers to make the case for upgrading failing equipment and modernizing plants. Pragmatically, this often means opening connections into plant production, highlighting the productivity and cost saving benefits it could bring. Instead of fighting the drive to connectivity, operators are getting involved in their company’s new technology choices in the cybersecurity domain, such as secure remote access controls, and helping guide investment decisions toward solutions that bear their productivity needs in mind.
This is critical at a time when, according to the World Economic Forum, cyber-attacks are the number three risk facing the world in 2018. The oil and gas industry is unprepared for managing threats: according to LNS Research, only 37 percent of plants are monitoring for suspicious behavior, and over half experienced security breaches in the previous year. As the report indicates, “industrial companies woefully under-invest in industrial cybersecurity best practices across people, process, and technology, and survey results illustrate shortcomings in all of these areas.”
However, by making industrial cybersecurity part of a larger modernization strategy, companies will not only build security capabilities into the business, but also improve overall plant metrics. Therefore it makes sense for operational leaders to link the much-needed plant upgrades to implementing effective cybersecurity measures.
There are many examples of these initiatives being coupled together:
Bringing Together Operational Control Centers
Many initiatives in the oil and gas sector do not allow for additional resourcing. This is especially the case in dangerous or hard-to-reach locations. As a result, innovators have looked to find ways to increase plant productivity while using the same or reduced levels of manpower.
Centralizing command centers and operational control rooms is one way companies are looking to create efficiencies, while improving productivity through cybersecurity. Thanks to new technologies such as industrial secure remote access solutions and integrated industrial risk management tools, reaching points across multiple plants safely is far more achievable. Companies can now centralize the cybersecurity function, much in the same way corporate structures facilitate other roles such as finance, marketing or legal.
The benefits of this approach include:
Less downtime, with a boost to knowledge-sharing: As process experts spend more time together in a single location, we have seen greater levels of collaboration. This is because anomalies can be addressed more quickly, with insights shared and applied, without having to overcome time zone or communication barriers. Furthermore, experts can learn new techniques from each other and boost knowledge sharing.
Streamlined recruitment and training: With highly specialized experts available 24/7 centrally, there is less pressure on different plants to recruit and onboard cybersecurity specialists across disparate locations. Particularly in geographies where the job location itself is demanding, finding experienced cyber teams can take years. Customers tell us, especially those in the Middle East, that it’s not just finding people, but training people that consumes significant team bandwidth.
Increased staff retention: Hand-in-hand with less dependence on global recruitment, process control engineers deployed to more central locations report better job satisfaction. Instead of remote or even hostile locations, centralization efforts typically place control centers closer to cities and areas with richer social resources, for example.
Modernizing plant operations: Most exciting for many of our operator customers, the same infrastructure developed for centralized cybersecurity can be used for many plant capabilities to align with new Connected Plant strategies. These can range from recording and checking online contractor remote access sessions, to patching outdated software, to performing various health checks and performance optimizations across the process control network. Meanwhile, the tools themselves add useful operator features and capabilities, like drag-and-drop setting capabilities and intuitive data visualization.
Cybersecurity as Operational Expertise
As we move to more connected systems, the need for cybersecurity at a plant level is stronger than ever. Customers often mention their requirements to offload or lessen the burden on their plant staff, stripping away any additional responsibilities that are not focused on production and uptime. The LNS Research survey found that staffing for cybersecurity remains a significant issue. Approximately 45 percent of the responding companies still do not have an accountable leader for cybersecurity at the enterprise level, and 51 percent have no one leading cybersecurity for manufacturing.
For those plants with limited centralized staff options, or those who simply want to delegate cybersecurity management and liabilities, another productivity-enhancing trend is outsourcing. The Industrial Security Operations Center (SOC) can be fully, partially, or hybrid-managed, depending on the service level agreements or desired levels of support. In all cases, the reduced burden on in-house teams for managing security can significantly impact daily productivity.
For example, one customer has a strategic priority to increase business agility, including the need for new exploration sites established within weeks. In their situation, the need to protect assets, people and operations could be better handled by highly trained, readily available managed services teams, rather than by making the long-term investment to build an in-house security team. They may also use the managed service just for startup, and then transition to teams if the exploration site shows promise.
The benefits of this approach include:
Time-to-security-implementation: Skilled resources have highly specialized experience that limits how much time they require to adeptly “onboard.” Combined with sophisticated risk management and remote access technical solutions, these teams can readily review, act on, and report on your situation with the right data at the right time. In contrast with building teams in-house, these service engagements do not require heavy processes (e.g. physical security clearance steps, travel approvals). What we hear from customers is often relief that they don’t have to develop and build entire industrial cybersecurity teams from scratch, which they fear would slow timing and impact day-to-day tasks.
Improved asset productivity: Paying someone to regularly review and update your assets consistently means you often gain more from your technology investments. We are seeing that even basic security management, such as industrial firewall rules tuning, improves system performance significantly. Specialized teams know how to correctly install the latest software, and perform ongoing optimizations, on a schedule that is set – unlike in-house staff with varied skills who “get to it when they can get to it,” amidst dozens of other priorities. For your staff, not having to handle these tasks can increase their productivity, not to mention positively impacting their job retention and satisfaction.
Knowledge transfer: As in-house staff work regularly with cybersecurity experts, they themselves gain a different perspective and risk reduction routine, which makes it easier to understand and act on security needs. Some providers (such as Honeywell) will include formal knowledge transfer as part of service engagements. This provides flexibility, in that you can turn in-house teams back on after a set period. It also improves productivity, since the learning for your people is hands-on and directly applicable to your unique configuration.
Combining Engineering & IT Expertise for Competitive Advantage
Pushing for better plant productivity is ultimately geared toward competing better globally, and winning more and longer-term business. As you develop your cybersecurity approach, consider how to leverage existing knowledge across multiple teams, including tapping into IT leaders, operational leaders, and engineering leaders. While this might seem daunting or even unpalatable at first, any future strategic initiative (Industry 4.0, Connected Plant) will at some point require it. As we noted, it’s also no longer a question of if you should work together, but when and how.
Taking steps now will differentiate your leadership and help staff evolve to develop the necessary new skills coming their way. Overall, the same teamwork and collaboration you develop for cybersecurity can help productivity, reliability and safety, and thus better differentiate. An easy method to categorize your steps is people, process, and technology streams, as we will describe further in a moment.
Our most advanced customers have one aspect in common – they have identified their industrial cybersecurity maturity level, and assembled teams as part of an Industrial Cybersecurity Program, with defined objectives to reduce risk. What risk? More and more, what might have been a cyber IT risk is, in fact, a physical operational risk. What might have been isolated threats in the past (virus on business network) are increasingly using multiple threat vectors (virus on USBs at control stations) and several steps (social engineering plant workers and email phishing). This is why it’s critical to evolve your organization to better align with the sophisticated level of threat.
As part of their industrial cybersecurity programs, customers consider people, process and technology, and blend solutions to address the greatest risks. Companies with new staff, for example, invest in threat awareness to teach employees (people) never to use USBs they “found” outside their office or at a tradeshow. Companies that never had remote connectivity, as a different example, are now establishing policies to decide who can access the process control network, how, for what, and for how long.
Once again, making these programmatic moves for cybersecurity reasons will also deliver additional benefits.
Better planning: Monitoring and measuring risks across both IT and OT makes it far easier to develop business cases and budgets for following-year investments, whether people, process or technology related. We have seen more articulate and informed risk discussions once risk measurement tools are in place for several months, providing standardized, real data across plants, for example. In many cases, a risk area is outdated, long-untouched software (such as Windows XP), making the organization vulnerable. Viewing all machines enterprise-wide is a far smarter approach than leaving production machines out of the count for modernization or multi-year upgrades.
Deeper insights: As with any team, garnering vastly different perspectives can inform a more resilient position. What are IT security threat analysts seeing that could be useful for operational leaders to know (e.g. phishing attacks on refinery plant employees, or repeated USB infiltration into particular plant location)? Connecting security-conscious people has even changed how some of our customers run their organizations. Some institute job rotation programs or cross-functional roles, based on the insights and benefits they derived from building their diverse security program teams.
Greater efficiencies: Whether defined as greater efficiency or improved productivity, the fact that 5 people instead of 25 individuals will track down and share threat information eliminates staff run-around, should any threat suddenly impact your organization. Your defined team, with clear roles and objectives, can communicate promptly, and share accurate information to help any area of your enterprise.
Each firm’s individual situation will vary depending on the business and where it fits in the sector. For example, there is a higher cybersecurity priority for those oil and gas companies with field-level equipment that could be impacted by malicious commands. In these cases, firms may want to trade off some short-term productivity to assess and tighten vulnerabilities, knowing it will later pay off by preventing human injury, protecting corporate reputation, or simply saving your job if your plant is hit.
Understanding how cybersecurity programs and measures align with plant productivity needs will help create a connected and secure plant in the long run. Based on what we are seeing with the most advanced industrial leaders and their approaches today, cybersecurity should be viewed as a strategic initiative that will not only reduce risk, but also help justify equipment and plant modernization.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.