
Whitepaper

How open software adds security for oil and gas modernization


New technologies increase efficiencies but can create new security risks

Sustained low oil prices continue to push infrastructure modernization up and down the oil and gas value chain. This proliferation of digital technologies also creates new attack vectors and delivery channels for hackers. This paper examines the security and cost challenges facing energy companies today and how enterprise open source software solutions can lead to higher earnings before interest, taxes, depreciation, and amortization (EBITDA) while also protecting critical data and systems.

Energy companies a target for cybercriminals and state-sponsored actors

During the first half of 2019, the use of malware doubled in comparison to the second half of 2018, according to research by IBM. More than 50% of these destructive attacks targeted industrial companies with oil and gas among the sectors facing the greatest risks. 

Unfortunately, with cyberattacks on the global energy industry increasing, not all organizations are prepared. According to Ernst & Young’s (EY) 20th Global Information Security Survey, rising digitization and the Industrial Internet of Things (IIoT) are increasing the complexity of the threat landscape. The research also found that 60% of oil and gas companies have had a recent significant cybersecurity incident, and 87% of companies have not fully considered the information security implications of their current strategy and plans.

Why bad actors target the oil and gas value chain

What motivates hackers to target energy production and supply operations in particular? The types of attackers and their motivations vary widely. Competitors could steal intellectual property or disrupt business to grab an advantage. Since oil and gas reservoirs are complex ecosystems, an unethical fracking operator could potentially exploit production data stolen from a competitor. This industrial sabotage might include, for instance, performing operations that improve production in the unethical operator’s own resource while adversely impacting production in the victim’s adjacent reservoir.

Or, a malicious hacker could slow down the oil extraction process by, for example, altering speed commands sent from internal optimization controllers. This altered data feed would then vary the motor speed and thermal capacity of an integrated sucker rod pump, adversely affecting down-hole fluid production or potentially damaging the well. 

Even market speculators could potentially benefit from data regarding a super major’s production and reserves and how that might affect the commodities futures market. 

Some cybercriminals have motives other than financial or competitive gain. These include hacktivists wanting to make political statements or hostile nation states seeking to disrupt critical energy infrastructures. According to a recent report from the infrastructure protection firm Dragos, these types of cyberattacks on oil and gas operations range from reconnaissance and research intrusions to dropping malware [1]. Politically motivated cyber incidents include:

  • State-sponsored actors attempting to damage oil and gas and related industries to further political, economic, and national security goals.
  • Threats targeting original equipment manufacturers (OEMs), third-party vendors, and telecommunications providers that impact their oil and gas customers.
  • Groups carrying out full energy infrastructure attacks (oil and gas, electric, etc.) on countries around the globe.

Cyberattacks can hit every phase of the oil and gas production life cycle—from exploration to development to production.

Figure 1. Examples of cyberattacks across the oil and gas value chain [2]


More than ever, data lives on the edge

Deploying computing resources at the network's edge—at or near where production, processing, and transport occur—helps companies reduce cost, increase production and EBITDA, and improve safety and compliance. However, this new edge computing environment, which includes the convergence of operational technology (OT) with the IIoT, also creates new attack surfaces and delivery channels for hackers. 

The monitoring and control systems commonly used in oil and gas operations produce large volumes of data in isolation. Replacing or augmenting these conventional supervisory control and data acquisition (SCADA) systems with digital technology makes it possible to collect data from all operation sources. These inputs include everything from IT-level databases to millions of sensors in the field. 

Open source software technologies enable cost-effective innovations such as new types of SCADA systems that incorporate agile clouds and add security to IIoT devices for remote monitoring and control systems. For example, many of today’s IIoT edge devices have much greater onboard processing power and memory. 

By processing and even analyzing data at the edge, these new technologies can contextualize and present results to users. The result is meaningful, valuable information—often delivered in real time. Teams can also use this shared data for vastly different purposes, ranging from wellhead optimization to business forecasting.

Common applications of open source digital technologies include:

  • Asset surveillance.
  • Remote production monitoring.
  • Remote drilling monitoring.
  • Health, safety, and environment (HSE) for field workers, including wearables, location, certifications, environmentals.
  • Data governance security—many organizations have sensitive data that they do not want to leave their facilities under any circumstance.
  • Audit and compliance—as a regulated industry, oil and gas companies must often prove that their security posture met standards.

What happens when data moves beyond the safety of the datacenter?

As a result of the industry’s ongoing digital transformation, devices on oil wells and offshore platforms, pipelines, tankers, and refineries increasingly store, process, and transmit vast amounts of data. This approach is a good thing for the business decision maker but a major worry for IT security professionals. This so-called edge computing puts sensitive data beyond the familiar security controls of the datacenter, such as firewalls, intrusion detection, and data loss protection (DLP). Therefore, it requires a whole new way of looking at data and network security.

In a regulated industry, security must include governance and an audit path

Another big security concern for the oil and gas companies is the growing need to comply with government regulations. This compliance is particularly important in downstream operations where pipelines, refineries, and storage present risks to the environment and the people who live or work near these facilities.

Securing the remote data and devices at the edge

The energy industry was a pioneer in edge computing. Oil and gas systems have long used computers, communication networks, and computing platforms for real-time process management. In fact, by pulling in remote data from telemetry sensors and operational technology such as pump controls, these SCADA systems were the original precursors of the IIoT. 

While today’s energy companies could hardly exist without SCADA infrastructures, their myriad industrial controls, remote sensors, and other IIoT devices can present significant security risks. Many of these devices have vulnerabilities related to outdated hardware architectures. For instance, they might not have enough firmware or flash memory space to hold a modern, secure, embedded real-time operating system (RTOS) or the latest security updates.

Consequently, in mature oil and gas fields, many older IIoT devices are so resource constrained that a costly rip-and-replace approach represents the only viable way to bring the edge up to an acceptable security posture. Or, at a minimum, it could require truck rolls to remote locations because these older devices also typically lack capabilities for over-the-air (OTA) software updates.

Many edge computing systems also host their own web servers for remote maintenance and logins, creating extended attack surfaces. A single insecure server could allow a bad actor to penetrate all the way to the datacenter, and then extract data or disrupt the entire network and back-end systems. 

Figure 2. Traditional IoT edge


Transmitting data back to the home office also raises the risk of interception. Plus, it causes latency issues. Older devices typically lack sufficient onboard processing power for edge computing. These IoT endpoints might just send raw data back to a collection point, and then relay it back to the datacenter or cloud for processing. 

Open software provides significant security advantages at the edge

A modern, software-defined SCADA or other remote industrial control and monitoring infrastructure offers not only inherently better security but also more cost efficiency. For example, many of today’s IIoT edge devices have much greater onboard processing power and memory. So, rather than sending raw data back to the home office, processing, encryption, and even real-time analytics happens at the edge. These functions can happen on a robust device with an open source embedded Linux® operating system, for example.

Even when the devices in the field lack sufficient processing power or memory, open source software can provide a bridge between the device and datacenter—or the cloud. After all, this multitude of sensors typically produces huge volumes of data. You would usually not want or need to transmit all of the information to the datacenter.

Figure 3. Intelligent IoT edge—cloud computing extends to the edge

In an edge computing model, sensors and connected devices often transmit data to a nearby edge computing device. This near edge aggregation and processing is sometimes called the “fog” because computing happens between the edge and the cloud or datacenter. The aggregation point, or gateway, processes and sometimes analyzes the data locally rather than sending it back in raw form to the cloud or remote datacenter. In this way, an intelligent gateway powered by open source technologies can increase efficiency while also raising your edge computing security posture. 

The gateway first receives data from a variety of edge devices. Next, it processes the information to connect it to the right applications, at the right time, and in the right format. Then, right there close to the actual operations, it uses business rules for decision making to initiate actions like turning devices on or off, sending data alerts, and changing information flows. 

This complex event processing means that decisions are made in real time by implementing rules, and devices are controlled in the field faster and easier. As a result, your IIoT/SCADA infrastructure operates more cost effectively. It also reduces unnecessary data traffic—which includes risk of exposure to theft or malicious exploits by hackers—to your datacenter. Additionally, an intelligent gateway with the power to run a full, enterprise open source OS offers much more security than the IIoT devices and their thin embedded RTOS.

How does this intelligent IIoT edge for data-intensive applications, including agile clouds, help operators in the real world? Take the example of a gas pipeline telemetry sensor at a remote location that connects to Houston headquarters via a wireless connection. A conventional system would send raw data—unencrypted—over the low-bandwidth connection. A smart edge device, or an intelligent gateway running a robust open operating system and located at the near-edge collection point, could link to an agile cloud application. 

The cloud app might analyze the data to detect anomalies such as values under or over a predetermined threshold. This edge computing process could potentially surface an over-pressure situation at a station on the pipeline. In this case, the device would send only an encrypted alert (with a small data footprint) back to operations staff in Houston. Or in an automated approach—converging IIoT and OT—it might securely send a command from machine to machine that would remedy the overpressure situation in the field. These steps would happen without the need for a human to respond to an alert.
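
The automated machine-to-machine path described above, as an added example (not code from this whitepaper or from any Red Hat product): a gateway threshold rule that emits an HMAC-authenticated command, and a controller that checks the MAC, a replay counter, and the setpoint range before acting. The key, field names, station name, threshold, and setpoint values are constructed assumptions; the example covers integrity and replay protection only, with encryption left to the transport (for example TLS).

```python
import hashlib
import hmac
import json

# All values below are constructed for illustration.
KEY = b"demo-only-pre-shared-key"   # assumption: per-station key, provisioned out of band
MAX_PSI = 1200.0                    # over-pressure threshold for the rule
SAFE_RPM = 900                      # setpoint the rule requests on over-pressure
RPM_RANGE = (0, 1800)               # range the controller will ever accept


def _tag(body: bytes) -> str:
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()


def gateway_rule(readings, seq):
    """Evaluate raw readings at the gateway; return a signed command or None."""
    # A NaN reading compares False, so a faulty sensor fails towards issuing the command.
    if all(r["psi"] <= MAX_PSI for r in readings):
        return None  # in-range data produces no upstream traffic at all
    body = json.dumps({"seq": seq, "station": readings[0]["station"],
                       "set_rpm": SAFE_RPM}, sort_keys=True)
    return {"body": body, "tag": _tag(body.encode())}


def controller_accept(msg, last_seq):
    """Check MAC, replay counter and setpoint range before acting on a command."""
    body = msg["body"].encode()
    if not hmac.compare_digest(_tag(body).encode(), msg["tag"].encode()):
        raise ValueError("bad MAC: command altered in transit or wrong key")
    cmd = json.loads(body)  # parsed only after the MAC has been verified
    if cmd["seq"] <= last_seq:
        raise ValueError("replayed or stale command")
    lo, hi = RPM_RANGE
    if not lo <= cmd["set_rpm"] <= hi:
        raise ValueError("setpoint outside the safe range")
    return cmd


if __name__ == "__main__":
    readings = [{"station": "PS-7", "psi": p} for p in (980.0, 1010.5, 1275.0)]
    command = gateway_rule(readings, seq=42)
    print(controller_accept(command, last_seq=41))
```

The range check on the receiving side is independent of the MAC, so a compromised gateway holding a valid key still cannot push the equipment outside its configured limits.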

Blocking attack pathways from the edge to core business

A key thing to remember is that any edge device—or a gateway for that matter—is a computing device that exists as part of your datacenter infrastructure. As a result, you must consider all these devices and systems in a meta security context. In other words, to you, the data stored on IIoT devices or on aggregation points might appear to have little value. But it does have value to an attacker.

When you think of an edge device as a server, it is actually an extension of the datacenter. Everything about the device—from its existence to metadata around it—has value to an attacker. For instance, an attacker could exploit this information to ferret out pathways into the datacenter and attack critical back-end systems. The cybercriminal would use this information in the reconnaissance phase of an attack, continually probing your attack surface for vulnerabilities. 

In addition, hackers will often target the midpoint between the IIoT devices and the datacenter—for example, the gateway or aggregation hub in the fog. Making sure that these midpoints are running an operating system with appropriate security will go a long way toward preventing attacks. A device running a modern, open source OS, such as Red Hat® Enterprise Linux, can provide robust security at this midpoint. It can also cut off a potential pathway for bad actors who might attempt to use edge devices to access more valuable core business systems and data.

This buffer between the device and the datacenter is critical. Many older IIoT devices in the field have never passed the same level of scrutiny required for a server running an enterprise open source operating system. Typically, this is because the original device manufacturer did not want to invest in an adequate bill of materials, such as for a sufficiently powerful embedded microcontroller. Or, they were reluctant to spend anything on onboard security features like hardware-based encryption. 

Why open source software provides an innovation edge—at the edge

Cybercriminals constantly come up with new ways of obfuscating malicious code or otherwise outsmarting or circumventing modern cybersecurity software and best practices. In this area of technology innovation, open source software shines. Its superior innovation, enabled by a global community of open source developers, can help keep your security posture ahead of potential attackers.  

The open source developers' community not only offers capabilities to build a better solution, but it also provides access to an enormous number of reviewers. They do not work for your company or for your vendor, but they can review your software and find potential security gaps that a hacker could exploit to steal data or cause damage to systems. This community provides a level of code maintenance that would be nearly impossible for one company to do on its own.

To learn how open software can help you overcome challenges of computing at the edge, talk to a Red Hatter today.