On May 29, 2009, the President of the United States gave a speech on securing our nation's
cyber infrastructure. Despite the fact that we were in the height the great recession at the time, the importance for cyber security prompted immediate attention and awareness by the Executive office.
When recounting, then recent attacks that led to the need to address cyber security, President Obama remarked, “In one brazen act last year, thieves used stolen credit card information to steal millions of dollars from 130 ATM machines in 49 cities around the world -- and they did it in just 30 minutes. A single employee of an American company was convicted of stealing intellectual property reportedly worth $400 million. It's been estimated that last year alone cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion.”
One trillion dollars! Wow. Even if a fraction of that figure is accurate, the loss is still shocking. In reading the speech over, the one area of cyber security that the President’s points did not address is the vulnerabilities that cyber-attacks exploit, specifically within our Energy and Utilities space.
Recently, I discussed how a virus in 2012 impacted two of the largest oil companies in the world. This week, I want to dive deeper into the oil and gas sector to discuss how the integration of Information Technology (IT) and Operational Technology (OT) present one of the largest vulnerabilities for this sector.
Operational Technology is hardware and software that a company uses to monitor or control an environment. OT commonly detects, measures, and in some cases executes a change, or event, within a given physical area. Most commonly associated with physical access devices or within manufacturing, OT has increasing become integrated within the IT backbone of many organizations. This integration is most commonly associated with the introduction of network devices for remote access, and the integration of ‘off-the-shelf’ or common technologies.
By making OT live on a network, organizations are placing that intellectual property (IP) in a place that could be discoverable during a successful attack. In the oil and gas industry, OT is a conduit for much of the Intellectual Property produced. From volume, velocity and variety readings to geophysical equations, the data that flows throughout every part of an upstream, midstream, and downstream company is as varied as it is sacred to the present and future health of each organization.
The real potential danger in merging these two types of technology comes with adding off-the-shelf technology, such as desktop machines running common operating systems, with OT. In technology, we often classify IT and off-the-shelf tech as designed with confidentiality, integrity and availability (CIA) at its core. This means that IT prioritizes the protection of data before making it accessible. OT is the opposite. OT was built with Accessibility at its core, followed closely by Integrity and finally Confidentiality (AIC).
With these two technologies seemingly at odds, you can start to understand how something as seemingly trivial as patching a desktop connected to an OT device could have negative results on the OT device itself.
The challenge in protecting IP in oil and gas is the accessibility of data crucial to the complete operation of the industry. To enhance exploration and production, for example, IP is being used not only to find new sources of oil and gas, but to reduce the non-productive time (NPT) of assets by predictive maintenance of critical components such as ESPs (electric submersible pumps). IP is even being used to help reduce the Health, Safety and Environment incidents within drilling and production, and provide end-to-end views of hydrocarbon reservoirs and advanced pattern detection.
In refining and manufacturing, IP is used to reduce the NPT of assets through the predictive maintenance of critical components such as rotary equipment. IP can also include the data used to improve asset performance management through real-time metrics across different subsystems.
IP provides the competitive advantage that sets each company part from the other in a highly-integrated industry. It also helps oil and gas companies better understand the current environment to deliver better future results.
The challenge with IP in the oil and gas sector is determining how to best keep the IP safe, yet accessible to those that need it. Industrial Defender and Lockheed Martin, its parent company, have approached this challenge by successfully combining the IT and OT landscapes. The result is a robust solution towards IT and OT security that includes people (e.g. training), the processes (e.g. policy and procedures) and the technology to address modern security challenges.