By Philippe Herve and Marla Rosner
The Internet of Things (IoT) has caused sweeping changes across nearly every industry—and oil and gas is no exception. Recent cyberattacks have begun to fuel worry about the implications of IoT for cybersecurity, and rightly so; a changing technological landscape means old methods for securing systems may no longer work.
The problem of security in operational technology (OT) is still more complex. IoT is driving a watershed change in how systems in the oil and gas industry are organized, merging previously separate systems and bringing information technology (IT) organizations and OT organizations together. Naturally, as more changes are made to the structure of OT, security systems must change as well to reflect current challenges and concerns.
The static security systems of the past, consisting largely of a firewall to protect the perimeter of a network and an endpoint detection system to patrol the interior, are no longer sufficient. These measures are neither accurate nor scalable enough to protect OT systems under the new, IoT-enhanced paradigm. The best way to fully secure OT systems is to instead protect them with dynamic solutions powered by machine learning algorithms.
Anomaly Detection and Machine Learning
Where traditional security measures may not be able to keep up with this new connected world, a learning solution can. A dynamic system that is capable of learning even after it’s been deployed can scale with the vast increase in both potential vulnerabilities and types of threats.
The security capability of most interest to industries such as oil and gas is anomaly detection, or anomalous message detection. With the advent of IoT, preventing all threats from entering a network is far less feasible than simply detecting the ones that have already made it in. Anomaly detection is designed to monitor the behavior of endpoint devices within the network and flag any unusual behaviors or abnormal signals being sent out. For example, a learning anomaly detection solution would recognize and flag when command signals come in from an IP address that traditionally only hosts data acquisition equipment. Such unusual behavior could be the result of malicious software.
This is a particularly efficient approach for oil and gas for a number of reasons. Most facilities have only a small staff, and therefore lack the people, time, and resources to identify anomalous behaviors or potential threats themselves—a problem only exacerbated by IoT and IT/OT convergence.
Anomaly detection is also an approach well suited to securing OT systems specifically. Where IT systems may have a diverse range of signals and behaviors associated with their devices, OT systems are designed for repeatable communications. The expected signals and behaviors of OT components are fairly well defined, making anomalies particularly uncommon—and particularly easy to identify. A message to close or open a valve, for instance, will always be sent from a specific control system to the device that regulates the valves, and all messages from that control system to that device will always be about valve manipulation.
Anomaly detection software also offers further utility to oil and gas companies beyond identifying threats. Anyone can agree that anomalous behavior in OT systems is an immediate concern, regardless of the cause. Anomaly detection software is capable of picking up on anything that may be going wrong in a system, whether it’s due to malware or a mechanical failure. If a device is working improperly, it will be flagged as a potential concern no matter the reason. In essence, anomaly detection allows businesses to combine threat detection with predictive maintenance.
Not all anomaly detection software is based on learning algorithms. It’s possible to use a rule-based approach instead, in which humans outline by hand what is and is not considered anomalous behavior—in other words, the rules of the system—and tell the software to flag any behaviors that do not fall within these predefined rules. This is not likely to be as effective as a learning solution, however, which relies instead on generating hypotheses using multiple data sets, even those that may appear unconnected or irrelevant. Subtler attacks may involve unusual behaviors that still fall within the normal rules of operation.
For example, a control system may suddenly tell a device that regulates valves to close a valve that is usually left open. This is a normal type of message within a rules-based approach, sent between the correct devices for this context, but if planted by a hacker, its consequences could be disastrous. By closing the right valve at the right time, an attacker could cause pressure to build up within the system, creating enough kinetic energy to replicate the force of a small bomb. Since the closing of the valve is within the normal rules-based operating parameters of the system, a rules-based security solution would not identify this message as suspicious. However, the content and timing of this message is statistically unusual, so a security system powered by machine learning would flag this behavior as a potential concern.
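The contrast drawn above between a rule-based allow list and a learned baseline, as an added example that is not part of the original article: the host addresses, message records and 30-day history are all constructed, and the two detectors are simplified stand-ins for the products the article describes. The rule-based check only catches the command sent from the data-acquisition host; the learned baseline also catches the valve-close command that comes from the right devices but at an unusual time with unusual content.

```python
from collections import Counter
from dataclasses import dataclass

CTRL, VALVE, DAQ = "10.0.0.5", "10.0.0.20", "10.0.0.30"  # constructed addresses

@dataclass(frozen=True)
class Msg:
    hour: int    # hour of day the message was observed
    src: str
    dst: str
    kind: str    # "cmd" or "telemetry"
    value: str   # e.g. "valve7=open"

# Rule-based policy: a hand-written list of who may send what kind of message to whom.
ALLOWED = {(CTRL, VALVE, "cmd"), (DAQ, CTRL, "telemetry")}

def rule_based_alerts(msgs):
    """Flag only messages whose (src, dst, kind) falls outside the allow list."""
    return [m for m in msgs if (m.src, m.dst, m.kind) not in ALLOWED]

def learn_baseline(history):
    """Learn how often each (src, dst, kind, value) was seen in each hour bucket."""
    return Counter((m.src, m.dst, m.kind, m.value, m.hour) for m in history)

def learned_alerts(msgs, baseline, min_seen=2):
    """Flag messages whose content-and-timing combination is rare in the baseline.
    A pair the rule list would reject has a count of 0, so it is flagged here as well."""
    return [m for m in msgs if baseline[(m.src, m.dst, m.kind, m.value, m.hour)] < min_seen]

def build_history(days=30):
    """Constructed baseline: valve 7 is refreshed 'open' twice a day and the
    data-acquisition unit reports pressure telemetry every hour."""
    hist = []
    for _ in range(days):
        hist += [Msg(8, CTRL, VALVE, "cmd", "valve7=open"),
                 Msg(20, CTRL, VALVE, "cmd", "valve7=open")]
        hist += [Msg(h, DAQ, CTRL, "telemetry", "pressure") for h in range(24)]
    return hist

# Three constructed messages observed on a later day.
NORMAL_OPEN   = Msg(8, CTRL, VALVE, "cmd", "valve7=open")    # routine refresh
UNUSUAL_CLOSE = Msg(14, CTRL, VALVE, "cmd", "valve7=close")  # right devices, odd content and time
CMD_FROM_DAQ  = Msg(14, DAQ, VALVE, "cmd", "valve7=close")   # command from a telemetry-only host

if __name__ == "__main__":
    base = learn_baseline(build_history())
    today = [NORMAL_OPEN, UNUSUAL_CLOSE, CMD_FROM_DAQ]
    print("rule-based flags:", rule_based_alerts(today))
    print("learned flags:   ", learned_alerts(today, base))
```

Raising `min_seen` or shrinking the hour buckets makes the learned detector stricter; the point is that the baseline is derived from observed traffic rather than written by hand.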
It’s clear that traditional security solutions are no longer capable of properly protecting OT systems and assets. Dynamic solutions capable of learning from data over time, however, can address the challenges of the new security paradigm. IoT and the integration of IT with OT are changing the face of cybersecurity for OT in oil and gas. These changes in the structure of systems—as well as the growing onslaught of new malware and zero-day attacks—require a change in the approach to cybersecurity. As both our devices and our threats become more intelligent, so must our security systems.