How control system vulnerabilities can threaten the oil industry [Q&A]
The Colonial Pipeline attack in 2021 highlighted how vulnerable industrial control systems, and in particular energy supplies, can be to cyberattacks.
The oil and gas sector is particularly at risk as it often relies on older devices that don't receive timely firmware updates. We spoke to Mark Kerzner, CEO and co-founder of ElephantScale and Scaia AI, who has worked with many oil industry leaders, to find out more about the risks and how they can be addressed.
BN: Why are the petrochemical sector's control systems particularly at risk?
MK: They are at risk because of the suddenness of the change that happened to them. You see, they were building their operations in what they believed was a secure environment. I will give you one example. Last week I was delivering cybersecurity training for a group of engineers from a major oil and gas company. They confidently told me that, "In our company we have a rule: no equipment is allowed to be connected to the Internet." This is called 'air gapping,' meaning that your equipment is never exposed to the web.
Now imagine what happens when this air gap is bridged. Suddenly, you realize that you built your systems without protection assuming that they were safe anyway. Well, air gaps are known to have been bridged before, such as by dropping infected thumb drives on the floor (think Stuxnet). But what happened here is more serious. The Internet of Things (IoT) suddenly caught up with the petrochemical sector -- and, in fact, with all asset-heavy industries. This is usually called Operational Technology, or OT.
Now, imagine that you were writing software before the internet, not giving any thought to security, and suddenly someone connected all of your systems to the internet. You would rush to shelter. This is exactly what happened with OT.
BN: What's the role of programmable logic controllers (PLCs) and why are they a problem?
MK: Programmable logic controllers first appeared in the 1970s. They were a great way to build systems when linked to a sensor and an actuator. First, you measure what is going on with your machine (this is the job of the sensor), then analyze what your reaction should be (this is what the PLC is doing), and then perform some action (this is what the actuator does). For example, you see that your steam boiler's pressure is too high (the sensor), analyze that and make a decision to lower it (the PLC), and open the valve (the actuator).
The PLC is a great idea and it allows you to build great automated systems. There is nothing wrong with them by themselves. But imagine what happens when the PLC is open to a cyber attack. I will let your imagination run wild... You're right. That is exactly what can happen. What makes this even more problematic is the fact that software patches for PLCs are much less common than in the PC world. It may be much harder to fix the security flaws that can be found on a regular basis.
BN: Should these systems be air-gapped from the internet to keep them secure?
MK: Of course they should! The problem is that the IoT is unstoppable; it is being implemented in modern devices, sometimes even without your knowledge. And this IoT can breach your air gap.
BN: Do enterprises in this sector need to do more to understand the threats?
MK: Yes! I spoke to one of the leading companies in this sector. They told me that the first step for their new customers usually is to map the current system. In other words, the client is asking themselves a question: 'what do I have?' And in very many cases they don't completely understand their existing systems. Many times, this first mapping brings about an 'oh, wow!' reaction when they realize the extent of the risk.
BN: What's the role of education in securing systems?
MK: There is a saying: 'One light can bring illumination to a hundred people.' The light here is knowledge. You need to provide a hundred meals if you are talking about feeding a hundred people, but only one light will suffice for them to see to eat. In the same way, acquiring basic knowledge is key. It may be the beginning of a long journey, but it has to start somewhere. Often, my students will surpass me in their knowledge. I welcome this, but I am really enjoying helping them start.