NorthAmOil                               GUEST COMMENTARY                                         NorthAmOil




       Colonial Pipeline hack sounds





       alarm for greater OT security







       It is time for oil and gas companies to take a closer look at their security

       solutions, writes Chris Bihary



        US               IT has been less than a week since Colonial Pipe-  This means that oil and gas companies – includ-
                         line, the Georgia-based operator of a petroleum  ing upstream, midstream and downstream
       WHAT:             product pipeline network that runs across 13  operators, as well as service providers – should
       The ransomware attack   states from Texas to New Jersey, revealed that  all assume that they are on the list of targets, no
       on Colonial Pipeline   it had been hit with a ransomware attack. The  matter how big or small they are.
       has had serious   attack appears to have been carried out by Dark-  On the other hand, the consequences can be
       consequences for US fuel   Side, a for-profit operation that specialises in  dire. Shutdowns, lockdowns and other disrup-
       markets.          double extortion schemes, which involve lock-  tions are usually expensive for the companies
                         ing down the target company’s networks and  involved, as well as a drain on the economy at
       WHY:              also releasing stolen data if the company does  large. They can lead to regulatory violations,
       The incident does not   not pay the ransom demanded.   legal troubles and poor public relations. Even
       appear to have affected   It also appears not to have infected any of  worse, they have the potential to pose direct
       the company’s OT   Colonial Pipeline’s operational technology  threats to the health and safety of workers and
       networks, but it highlights   (OT) networks. Nevertheless, the company  nearby communities.
       the link between   took its 5,500-mile (8,851-km) network offline
       security and operational   in order to ensure that DarkSide malware could  Time to take a closer look
       continuity.       not spread from corporate information technol-  But what exactly should oil and gas companies
                         ogy (IT) systems into the OT systems that man-  be doing to prepare?
       WHAT NEXT:        age the flow and distribution of fuel through its   First, they should be taking a look at their own
       Companies involved   pipelines.                        cybersecurity solutions. If they do not have any,
       in the oil and gas   Since Colonial Pipeline accounts for about  now is the time to find some. But even if they
       sector should try to   45% of all the gasoline, diesel and jet fuel con-  do have something in place, they ought to take
       determine whether their   sumed along the East Coast, the shutdown has  a closer look and make sure those solutions are
       cybersecurity solutions   had significant consequences. It has triggered  up to the challenge.
       are robust enough to   the shutdown of the largest refinery in the United   That process will probably involve one or
       withstand a rising tide of   States. It has led major airlines to revise their  more of the following steps.
       threats.          fuelling arrangements in order to avoid short-                              It is probably
                         ages. It has caused hundreds of filling stations to  Steps to strengthen cybersecurity posture
                         run out of gasoline and diesel because they can-  Asset discovery: Companies active in the oil   going to take
                         not secure supplies through the usual channels.  and gas sector should take a look at all of their   a few weeks to
                           The company said on May 13 that it had been  assets and determine exactly what their IT and
                         able to restart the pipeline. Nevertheless, it is  OT systems consist of, including both hardware   bring US fuel
                         probably going to take a few weeks to bring US  and software. They should also determine how
                         fuel markets back to normal.         these systems are connected – and how all the  markets back to
                                                              components of each system are linked (For oil
                         Objective reasons for beefing up security  and gas companies, this would involve identify-  normal.
                         It will also take time to sort out the consequences  ing every asset involved in the performance of
                         of this incident on the cybersecurity side. Even  both administrative and operational duties).
                         so, companies active in the oil and gas industry –
                         and in all other sectors of critical infrastructure  Asset inventory: It is not enough for compa-
                         – should start thinking now about how to guard  nies to draw up a list of assets. They also need
                         against the next attack.             an organised inventory that explains what each
                           There are objective reasons for increased vig-  asset does and how each asset works with other
                         ilance. On the one hand, the number of cyberat-  parts of the system. Additionally, they need a
                         tacks targeting the oil and gas industry is on the  way to manage the inventory to ensure that it is
                         rise, not just in terms of absolute numbers, but  updated each and every time there is a change
                         also in comparison to other sectors of the econ-  in the line-up – for example, if new devices are
                         omy, as a recent Kaspersky report has detailed.  added to a network or if existing software is



       P6                                       www. NEWSBASE .com                           Week 19   13•May•2021