Improve Your Plant's Cybersecurity Now That the Wireless 'Genie' Is Out

Refineries, petrochemical plants and other oil and gas facilities are increasingly embracing the Internet of Things (IoT) to collect and interpret more robust data sets. The IoT relies on networks of sensors, communication protocols, data collection and even artificial intelligence to provide better information and improve decision-making.

Increasingly, IoT components communicate with each other via wireless signals instead of more traditional "hard-wired" configurations. Wireless expands the reach of IoT systems at an industrial facility; for instance, sensors can be placed in harder-to-access locations and enhance plant asset condition monitoring. It can also increase a facility's vulnerability to cybercriminals.

"The race to digitally connect industrial components has meant that many elements that would once have resided safely within the infrastructure are now laid bare for anyone to find," said Edgard Capdevielle, CEO of Nozomi Networks, which produces cybersecurity software for industrial control systems (ICS).

Edgard Capdevielle

CEO, Nozomi Networks

Industrial facilities can block attempts to access wireless signals, but they can turn to other lines of defense as well, Capdevielle continued. Machine learning and artificial intelligence (AI)-enhanced cyber-attack detection are two key innovations that can help refiners, petrochemical manufacturers and others improve the efficiencies of their industrial process cybersecurity programs, he said. He added that cyber-security tools can streamline incident investigations to contain attacks before significant damage can occur – and without the need for additional staffing.

In a recent conversation with Rigzone, Capdevielle elaborated on the cyber-security vulnerabilities of wireless systems, emerging weapons to combat these threats and more. Read on for his insights.

Rigzone: What could result from a cyberattack on an oil refinery, petrochemical plant or other industrial facility?

Capdevielle: Productivity, availability and workforce safety can all be impacted by intentional and unintentional cyber incidents. Without wishing to be dramatic, human safety is at risk should these systems be breached. Water, power, energy and transportation systems are all operated by similar technologies, ones that have historically been hard to protect, and hackers have already turned the lights off in the Ukraine. 

Rigzone: Why does connecting industrial components wirelessly open up a new set of vulnerabilities from a cybersecurity perspective?

Capdevielle: Industrial installations were never designed to be connected to the outside world, yet the reality is that the wall that separates IT and operational technology (OT) is permeable. 

As the network expands, it seems logical to take advantage of improved productivity so suddenly connections are tolerated from trusted external contractors to "service" parts of the infrastructure. From there many have taken the leap of faith and gone wireless, or aggregated to a central network operations center (NOC). The issue is that, once you've established IT connectivity it's difficult to put the genie back in the bottle. Each of these avenues is a potential point of weaknesses that can be compromised – by hackers burrowing in, or malware – such as ransomware, detonating internally and then radiating out."

Rigzone: How do owners and operators of these oil and gas facilities generally protect themselves from cyberattacks? What are the limitations of the status quo?

Capdevielle: ICS networks today face all the same security use cases – such as malicious insiders, cyber espionage, etc. as IT networks – but lack similar security options. What vendors and operators need to internalize is that it is no longer reasonable to deploy industrial control infrastructure without its corresponding security. It is like selling a car without seatbelts.

Complexity, connectedness and scale are the enemies of cybersecurity so as more Industrial IoT devices move into the oil and gas sector, so does the opportunity for more risk. On one hand, automation and robotics can increase risk, as these systems are hard to patch and contribute to complexity. On the other hand, newer equipment may have better security designed into it as compared to older equipment. Security-by-design is still a fairly new concept that's not often found today in off-the-shelf solutions. It is however gaining more attention. For instance in the power grid space, IEC (the International Electrotechnical Commission) is working on the 62351 family of standards that support end-to-end secure-by-design architectures in future systems.