Partnership Aims to Take Assumptions Out of Oil, Gas Cyber Defenses

The redesign of industrial control systems (ICS) has created a new issue for the oil and gas industry: how to test and measure ICS security without putting assets at risk.

Reston, Virginia-based Verodin has developed a new software platform that it says can permit a company to safely simulate a cyberattack against an IT system to test for weaknesses. Verodin and Texas-based security firm Critical Start recently announced a partnership through which Verodin’s technology will be deployed across Critical Start’s customer base, which also includes oil and gas companies.

One of the biggest challenges for cybersecurity is that companies have had to assume that the products and vendors that they used for cybersecurity – and how technology has been deployed – were effective, Christopher Key, CEO and co-founder of Verodin, told Rigzone in an interview. Verodin’s technology works by simulating attack patterns and malicious behaviors to show a company whether their tools and workers are ready for a real attack.  

Verodin, which came out of stealth mode earlier this year, is backed by investors such as Cisco Systems, and has received a lot of interest from customers and partners, Key told Rigzone.

The days of prescribing a list of security products and checklists and assuming these alone remove the risk are over, said Randy Watkins, director of security architecture for Critical Start, in a Sept. 20 press statement. Critical Start, resells security products and services and conducts assessments to help customers fill holes in security needs.

Key sees maturation of the cybersecurity industry as one reason demand now exists for Verodin’s technology. For a long time, cybersecurity was something that businesses would throw money at to solve. Some of the cybersecurity vendors who were selling products and services oversold their capabilities. Companies are also starting to ask whether the money they’re spending is actually making them secure, Key added.

This testing can be done periodically as part of an assessment that typically runs in the six-figure range, but they are more often developed into complete teams by some of the larger, more security forward, organizations, Watkins stated. These teams can cost more than one million dollars a year to develop and maintain, limiting the availability of these teams.

“These pen-test engagements are very time and labor-intensive, which can make them cost prohibitive for a lot of organizations,” said Watkins. These assessments also are performed with ‘Rules of Engagement’ that limit the amount of attacking they can do in production or more sensitive network zones due to potential impact.

This means that an organization likely can only conduct these tests a few times each year, leaving uncertainty in the rest of the year as to security gaps that might be present. Verodin has turned this process into an automated process, Watkins stated.

The growing interconnection among the Internet, SCADA and ICS systems has exposed oil and gas companies to cyberthreats. The rise of interconnectivity has less to do with remote field operations, and more to do with centralized and continuous monitoring, Watkins told Rigzone. Technology to boost efficiency and lower management costs associated with ICS networks has driven connectivity outside the air gap, or the disconnect between ICS and routers and wireless networks that touch the wider public network.

“It only takes one poorly written firewall rule to expose a company,” said Watkins.

The rise in digital technology – including the automation of ICS – is creating efficiencies across the energy sector, including exploration and production. However, it also is making ICS' more vulnerable to cyberattacks that can result in machinery breakdown, fire, explosions and injuries, according to the World Energy Council report "World Energy Perspectives 2016".

Cyberthreats rank among the top concerns for energy leaders, particularly countries in North America and Europe that have high infrastructure maturity, according to the report. In 2015, the U.S. Department of Homeland Security Industrial Control Systems Cybersecurity Emergency Response Team responded to 295 cyber incidents within the energy sector, 20 percent higher than 2014. The energy sector accounted for 16 percent of the attacks, behind only the critical manufacturing sector at 33 percent.

In these regions, energy leaders are increasingly recognizing the importance of viewing cyberattacks as a core threat to business continuity, and the need to establish an organization-wide cyber awareness culture that extends beyond traditional IT departments.


View Full Article


Generated by readers, the comments included herein do not reflect the views and opinions of Rigzone. All comments are subject to editorial review. Off-topic, inappropriate or insulting comments will be removed.