Oil & Gas Infrastructure Protection

Current Issues and Threats

Much like other industrial systems, oil & gas infrastructure has relied upon proprietary protocols, software and hardware that are, to a large extent, both manually managed and monitored by humans and also largely unconnected to the outside world. Therefore, they were by default a fairly inaccessible target for hackers.

Modern demands for ‘always connected’ and automated technology have made convenience a priority, leading to largely unmanned yet connected and, in some cases, legacy control systems. This has opened the sector to cyber attacks never experienced before. This proliferation of new IP-based interfaces has directly resulted in oil & gas infrastructure facing a Swiss cheese of attack vectors. One only needs to consider the immense geographical areas covered, be they remote or within urban conglomerations, to grasp the magnitude and complexity of the problem.

A typical oil and gas company, like Canada’s Suncor for example, is an immense operation. Suncor owns and operates four refineries, Canada’s largest ethanol plant, wind farms, and a network of more than 1,500 retail and wholesale outlets providing North American consumers with secure sources of energy. That is a lot of hardware and systems to protect, as the number of penetrable PICs and FICs (Pressure / Flow Indication Controllers) across Canada’s pipeline systems is astronomical.

Given the convenience and gains that connectivity brings, especially to an economically, technologically and geographically dispersed organisation like Suncor, the oil and gas industry has to protect itself with an ideal balance: bulletproof security that is still sufficiently convenient in terms of authorised access and control.

Securing Today’s Oil & Gas Networks

The information that comes from connected control systems and devices is simply too valuable to be available to anyone with an Internet connection and a modicum of hacking ability, yet that is today’s reality. Thus the key questions to be asked are:

  • Why is it connected?
  • Does it need to be connected?
  • If it has to be connected, can it be kept disconnected until needed?
  • Can it be disconnected extremely quickly in the event of ransomware or breach?

For context, the aforementioned questions can be applied to an example of simple process operations:

  • 10G-1 A/B/C/D are main feed pumps to a process or pipeline. “A” and “D” are running, but it’s time for periodic maintenance, or there is a vibration or, worse, a seal is blown, which then becomes a maintenance issue. “D” pump is a bad actor and has to be brought down, so operations need to be transferred to “B” or “C” pump. But there may be another problem, such as FICs not opening and pumps not starting because they were hacked. An outsider now has unauthorised control of the equipment.
  • Meanwhile the “D” pump in operation has come down due to safety concerns. Operations are now running at half capacity and hundreds of thousands of dollars in production and sales are lost with every hour.

Had the pumps that were off-line been air-gapped until the moment of start-up, it could have saved the company millions in production losses. One simple step added into every standard operating procedure eliminates the problem:

  • Open Air Gap for {pertinent equipment} to come on-line, verify PLC / Control Panel connection

Keeping something physically disconnected until the second that it is needed sounds like a simple solution, but the devil is in the details. Remotely physically connecting and disconnecting any kind of asset is possible today, but it’s not done, as all of the connection command pathways are governed by Internet Protocol, which makes the command pathway itself as vulnerable as the asset. But what if one could physically connect and disconnect assets or control systems, remotely, instantly, all without using the Internet?

Goldilock TruAirgap™ offers just such ‘selective isolation’, giving an organisation the ability to reevaluate whether assets need to be connected and online 24/7, and either to keep them disconnected until the very second they are needed or to disconnect them instantly from literally anywhere.

Proactive versus Reactive Protection

Proactive measures as we’ve described, keeping assets hidden and disconnected, are only part of the equation. Reactive measures are also essential: once an attack is identified, its spread has to be limited. In most situations, it is simply not viable to have humans participating in mitigation procedures because of cost, distance and time.

Take, for instance, a sub-plant, booster station or telemetry devices along 3000 miles of pipeline. How might one disconnect or “pull the cables out” to protect the data or the equipment in a timely fashion? It is simply not viable to have people either in proximity or getting to sites in a timely manner.

This is where TruAirgap™ can save manpower, time, money and nerves. It allows users to issue an authenticated remote non-IP command to instantly ring-fence PIC or FIC controllers within seconds, from, and to, anywhere on earth. The asset is then completely safe and unhackable because it is physically disconnected from the network.

Furthermore, TruAirgap™ is triggered by port, so disconnection can be very surgical – right down to the network segment or endpoint.

Being in a complete Shutdown or Turnaround is a common event, and it is very costly in terms of operations, manpower and logistics. With the simple strategic placement of TruAirgaps™, one can completely ring-fence an entire Upgrader, Refinery or Platform until it is ready to Start-Up and Re-Commission.

Taking your process down completely and bringing it back on-line, especially when it can take 30 days and potentially cost millions of dollars, is hacker and ransom heaven. Goldilock can help to mitigate this very real-world scenario with speed, elegance and agility unthinkable before.

Data In, Data Out

More good news is that industrial environments usually have lower volumes of traffic than IT environments. Much of the traffic is travelling between determined endpoints and, therefore, can be selectively released, accessed or segregated more easily than traffic that is generated on an IT network. Using a TruAirgap™ can significantly reduce, if not eliminate, an attack surface, all the while enabling complete control of assets on a surgically selective basis.

But what about constant monitoring or telemetry that must flow from a selected asset? How can that be possible while air-gapped? With the simple addition of a one-way data diode alongside TruAirgap™, necessary data can flow from any point continuously. As the diode is unidirectional, there is no upstream flow of data on which an attacker can ride. With data egress secure and constant, TruAirgap™ then controls ingress, or access, to the asset or controls for updating.

The Power to Choose

With such a myriad of attack vectors, a broad attack surface and so many legacy systems, the options for the Oil and Gas cyber defender have been, to date, limited. Goldilock TruAirgap™ prevents and mitigates attacks, without the need to worry about compatibility or forklift upgrades to old systems, and with minimal installation and cost, by enabling instant disconnection of assets prior to or during an attack. And all without increasing headcount.