Register for the Cyber and Physical Security Convergence: Aligning to CIP in Energy webinar while John Villali and Andrew Meyers provide their insights and recommendations for those energy companies working towards CIP compliance in the present, and in the future.
Energy Companies Focus on the Necessity for Security
The energy industry may not be the first sector someone thinks of in the world of security. However, critical energy infrastructure has become increasingly vulnerable to attacks by nation-states and organized international criminals. Energy companies are now employing risk management-based frameworks to address both cyber and operational security. Cyber enemies continue to get more sophisticated and versatile and it is imperative that the industry become more agile to respond to these threats. Additionally, there have been insider threats and energy infrastructure attacks which have been on the rise in aggregate.
The view of security in oil and gas shifted in 2012 when the Shamoon virus was used to target Saudi Aramco. The attack had a profound effect on business systems that manage logistics which resulted in refined products not being able to get to market. Fortunately, the production and processing aspects were unaffected, but only because these systems were isolated.
Energy companies traditionally operate within their firewalls with limited connectivity to infrastructure and remote operations. The potential issue in oil and gas is that systems and infrastructure are becoming less isolated. There are two ways to look at it:
- A legacy SCADA system that controls an asset may be relatively safe in the sense that, although not highly sophisticated from a security point of view, it is not connected to a wider network of assets.
- On the other hand, cutting edge digital assets have state of the art security but are often connected to a larger complex enterprise network.
As oil and gas companies continue to move data and computing to the edge, it is necessary to undertake extensive evaluation of infrastructure vulnerabilities. Aside from new systems and technology, a key challenge within the energy industry is the reliance on legacy assets with software-limited sensors that may not have industry-grade encryption capabilities. This can leave edge computing devices outside of the perimeter vulnerable if an energy company decides to disincentivize the adoption of leading-edge technology with effective embedded security.
IT and OT Security Converge
It will not be uncommon for an energy company to have a mix of asset vintages in their portfolio therefore requiring a comprehensive examination of security risks. The additional cost and resources to safeguard personnel, assets and infrastructure has slowed many companies down on their digital journey. This has been the case on the IT side as well where leading oil and gas companies spent years of skepticism regarding cyber security, particularly in the cloud. Views of cloud cyber risk have decreased in order of magnitude in recent years and adoption has increased. IDC expects the same adoption of connected asset technology to increase as standards in both cyber and operational security improve in an environment where IT and OT security measures are beginning to converge.
IT-OT convergence initiatives are largely being driven by the growing concern of security threats and breaches within the energy sector. IT-OT integration as it relates to security is a good practice as energy companies are facing growing threats and concerns which require to have both physical and cyber security technology, measures, and protocols in place. Currently most energy companies manage physical and cyber security as two separate systems. That said, IT networking and security vendors have a unique opportunity to position their strengths at the early stages of Internet of Things (IoT) adoption, and the associated OT security infrastructure architecture evolution, by bringing their IT learnings and applying a holistic approach across the two environments.
Strategies to Manage IT/OT Security
IDC Energy analysts, Andrew Meyers and John Villali have unlocked the transformative trends and best practices evolving in the energy sector as it relates security and how to best manage it from an integrated IT-OT approach to both physical and cyber security. In addition, they share the strategies needed to maintain Critical Infrastructure Protocol (CIP) for the security of energy companies in both utilities and in Oil & Gas in their upcoming webinar within the IDC Energy Insights 2020 Webinar Series. Join us during the Cyber and Physical Security Convergence: Aligning to CIP in Energy webinar live on September 8th 11 AM/EST to learn more.