Professional Documents
Culture Documents
Abstract
From military aggression to cyber threats, the oil & gas sector has always been a
high-profile target for adversaries. Originally, the probability of a major failure due
to a cyberattack was highly minimal as organizations usually adopted a production-
oriented approach wherein operational systems were isolated and never integrated
into enterprise systems. In the current scenario though, the emergence of the
Internet of Things (IoT) has nullified the most basic assumptions about operational
technology. All sorts of industrial facilities, like oil fields, pipelines and refineries,
are vulnerable to cyber-attacks. The major security-related concerns in the oil
and gas industry range from lack of asset visibility in a distributed environment;
to setting operational, technological, and environmental specific policies and
procedures, defining roles, responsibilities and accountability and implementing
technical controls for assessing real-time security incidents for a dynamic production
environment. In this paper, inherent limitations & security challenges the oil & gas
organizations face have been discussed in detail along with the approaches that
define the way forward for addressing these concerns. Key factors that need to
be considered for defining and designing right security roadmaps for sustainable
cybersecurity programs have been discussed in detail.
Overview – The oil & gas industry
The oil & gas industry happens to be Downstream. The processes in the oil & are used to manage the industrial
a complex industry having multiple, gas sector include exploration, gathering, operations and enable monitoring &
cumbersome and complicated processes production, processing, refining, storage, controlling of these operations across the
involved. At a high level, all the processes and transportation of petroleum liquids value chain.
in this industry can be sub-divided into and natural gas. ICS (Industrial Control
three i.e., Upstream, Midstream, and System) and OT (Operational Technology)
Impact: Financial loss and Impact: Explosion, spillage Impact: Supply disruption,
damaged competitive advantage and product loss reputation loss
Opera�onal
Hackers
Disrup�ons
• Policy & Standard
• Secure Network Reputa�onal
Hac�vist • Threat Intelligence
Architecture Damage
• Regular risk Assessment
• Training and Awareness • Con�nuous
Employee • Third Party Management Monitoring of event Financial Loss
• Iden�ty and Access and Incident
Management
• Inventory Management • Incident Regulatory Fines
Third Party • Network Segmenta�on
Management and Penalty
• Threat and Vulnerability
Management
State Sponsored • Back-up Management • Emergency Response Loss of Cri�cal
• Physical Security Informa�on
• Security Use cases • 100% Visibility
Terrorist Injury & Fatality
A comprehensive approach that can consequences should be considered while It’s critical to build a sustainable, robust
bring IT and OT security together is a creating an end-to-end management and integrated cybersecurity framework to
must for addressing the new age security framework that can assess and reduce the avoid serious cyber threats and achieve a
challenges. likelihood of an impact, thus significantly risk free, incident free organization.
minimizing the overall risk posture of an
Identifying potential threats and their
organisation.
Identify: Understanding the organizational malicious activities. Based on the initial Respond: This is a key step in which
goal and business requirements. Gathering understanding of the requirements, processes and activities are clearly
the current landscape information to security controls are identified to protect identified, planned and communicated
manage cybersecurity risk to systems, the systems. Controls have to be derived within the team and organization. These
assets, data, and capabilities. The activities from people, processes, technology or processes and procedures are created
in the identify function are vital for combined. and implemented to respond to all cyber
planning a secured environment. They incidents. This enables an organization
Detect: There are chances that intrusions
help an organization to identify its current to restrict the impact of a cyber-security
still happen even after implementing
security posture and steps needed to incident to a minimum level.
multiple controls and technology
improve as per the security requirements.
solutions. A system with no openings to Recover: This step involves creating and
They provide visibility of the current threat
intrusions is almost impossible to achieve. implementing processes and procedures
landscape, next steps & actions needed to
Organizations should have a system that for recovering from the cyber incident.
improve the security posture.
can detect and deter any intrusions. Early This enables organizations to recover fast
Protect: Developing and implementing detection of intrusion helps to reduce from the impact and come to normalcy in
security controls to ensure continuity the spread of the attack and thereby the minimum time. Creating and maintaining
and availability of critical infrastructure impact to the organization. business continuity procedures is a must
services. Protect activities help an for any organisation.
organization to deter cyber intrusion and
Asset, Change, and Configuration Management Asset management policy Visibility Tool Continuous Monitoring
Privilege Access
Identity and Access Management IAM Policy & Procedure Segregation of duty
Management
Threat and Vulnerability Management Threat Evaluation Process VM/System Hardening Advisory & Mitigation
Standard Operating
Situational Awareness Security use cases Logging & Monitoring
Procedures
Information Sharing and Communications Threat Intel and feeds Signature updates Threat Hunting
Vendor/Third Party
Supply Chain and External Dependencies Management Security Updates Real -time support
Management
Cybersecurity Program Management Policy and Procedure Review Product Evaluation Likelihood & Impact
Figure 4: Infosys Cybersecurity control framework for oil and gas industry
Governance: This is a key area in which and malicious activities more effectively security incident to a minimum level.
processes and activities are clearly and in real-time. Based on the initial Organisations must have continuous
identified, planned and communicated understanding of the requirements, monitoring capabilities to ensure real-
within the team and organization. technology-based security controls are time detections. They can then trigger
Processes and procedures are created and identified to protect the systems. However, immediate application of correction
implemented for the effective handling there are chances that intrusions still measures in case of a breach. Centralized
of security-related issues across the happen even though multiple controls systems must be in place to run integrated
organisation. Governance is to secure and technology solutions have been security operations for both corporate
the environment and help organizations implemented. Technology based controls and operational environments with clearly
to assess their current security state and help in effectively dealing with the spread defined roles and responsibilities for each
the steps needed to improve it as per the of sophisticated attacks and impacts on an and every stakeholder involved. Apart from
requirements. It provides an overview of organization. this, creating and maintaining business
the current threat landscape, corrective continuity and timely recovery procedures
Operations: The most important function
steps & actions needed to improve the is again a must for the organisations and
of operations is to have the right processes
security posture. undoubtedly for the oil & gas production
and procedures for responding against
value chain.
Technology: Technology helps cyber incidents. This enables organization
organizations to deter cyber intrusion to restrict the impact from a cyber-
ONG-C2M2 Self
ONG-C2M2 Self- Evaluation Report List of Gaps & Prioritized
Evaluation Template Potential Implementation Plan
Inputs Policies & Procedures
Organizational Consequences
Objectives Owners and Actions
Organizational are defined
Understanding of Impact to Critical Constraints
Cybersecurity Infrastructure
Program
Identify Actions to
Analyze Gaps in the Address Gaps Track Progress to
Conduct ONG-C2M2 Organization's context Plan
Activities Self- Evaluation
Evaluate Potential
Cost Benefit Analysis
on Actions Re-Evaluate
Workshop with Consequences from Gaps Periodically or in
Appropriate Prioritize Actions & Response to Major
Attendees Determine which Gaps Plan to Implement Change
Needs Attention Prioritize Actions
Optimize and
Standardize Processes
Integrate IT and OT Remediation advisory
Systems Mature cyber risk
Implement OT Security IT/OT integration strategy management processes
cybersecurity M aturity
Level 1: Initial Level 2: Developing Level 3: Defined Level 4: Managed Level 5: Optimizing
Figure 6: Cybersecurity maturity roadmap
Although the risk level and current maturity asset inventory detailing the total assets, secure baselines should be implemented
may vary for different organisations attributes, types and locations. Performing as per the best practices. We help
there are few controls for industrial periodical reconciliation and reviews. organizations to design and implement
security transformation which every Providing complete visibility of OT assets security architecture using zones and
oil and gas organisation should have including the SCADA systems and field conduits incorporating DMZ’s as per IEC
in place. Deploying these controls can devices and network visibility using 62443. The conduits have appropriate
be an effective initiation point for a passive monitoring of the OT network. security controls and technologies
comprehensive integrated cybersecurity This monitoring has Zero impact on like firewalls and VPN. Blocking all
program aimed at achieving the identify, existing systems and processes. It provides communication from IT to OT or else having
protect, detect, respond and recover automated asset discovery, classification a minimal connection (single if possible)
capabilities. and management along with real-time through a Firewall and DMZ. Reviewing
monitoring of asset configuration and the firewall rules regularly to make sure
Security policy & guidelines: Defining and
changes in the network. It gathers adequate protection is provided in light of
establishing security policies, procedures
extended information and details of all PLC/ the ever- changing security threats.
and guidelines for the ICS environment.
RTU/DCS/SCADA devices including OS &
It should cover the control areas such Continuous monitoring: Implementing
firmware versions, associated vulnerabilities
as asset inventory, access control, patch passive security platforms for ensuring
with mitigation recommendations.
management, network security, workforce 24/7 centralized monitoring for all the
development, portable media usage, Network security: Communication and incidents and events performed in an
security incident management, backup and access to the ICS environment must be operational environment. Conducting real
restore, etc. defined & aligned with the business needs. time monitoring of OT security activities.
Network segmentation, segregation and Integrating the alerts from OT security
Assets visibility: Maintaining complete
Brief Summary
In this new age of connectivity, the sophisticated cyber-attacks scenario, cyber maturity assessment, analysing
past practices of isolation between the the need for closing the security gaps in the current state of the environment and
corporate and operations environment an operational environment cannot be preparing a roadmap for addressing the
for oil and gas sectors have pretty much ignored. Any further delay could lead to a security challenges by defining the short
disappeared. As digitization continues potentially disastrous impact on the sector. term, medium term and long term goals.
to grow in the operational environment A secured IT OT integration helps oil & gas
Never in the past, the need for
and the risk of sophisticated cyber-attacks companies to transform from disconnected
strengthening the security and resilience
looms large, the preparedness of industries networks to integrated businesses thus
of operational infrastructures against
is still in the initial phase. fast-tracking their digitization journey.
cyber threats has risen to this scale. The
With this connected world and starting point for the industry is to initiate
Authors
Suhas Desai, Industry Principal, Infosys
Nilby Jose, Principal Consultant, Infosys
Saurabh Srivastava, Consultant, Infosys
Yogesh Shelke, Associate Consultant, Infosys
For more details, please contact: CyberSecurity@infosys.com
© 2020 Infosys Limited, Bengaluru, India. All Rights Reserved. Infosys believes the information in this document is accurate as of its publication date; such information is subject to change without notice. Infosys
acknowledges the proprietary rights of other companies to the trademarks, product names and such other intellectual property rights mentioned in this document. Except as expressly permitted, neither this
documentation nor any part of it may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, printing, photocopying, recording or otherwise, without the
prior permission of Infosys Limited and/ or any named intellectual property rights holders under this document.