How The Oil and Gas Industry Can Protect IoT Assets Written by: Soracom Team Published: September 30, 2022 Use Cases Tags: Cyber Security | Energy | Industry | IoT | Oil and Gas For years, the oil and gas industry has invested in and relied upon IoT solutions for applications such as pipeline and equipment monitoring, and asset management. However, as organizations have incorporated new IoT tools to improve efficiency and safety across the full breadth of their operations, they have also experienced increased numbers of network security breaches and hacks. A recent industry study revealed 72% of those who are concerned about cyberattacks consider poor network security to be the biggest challenge to IoT implementation. A well-known breach within the industry was the May 2021 ransomware attack on Colonial Pipeline, which resulted in the shut down of a major fuel pipeline on the East Coast of the US, and the company paying about $4.4 million USD to regain control of its infrastructure. Though that particular attack vector came through the company’s business systems, the opportunity to breach a system through an IoT device or sensor is a very real danger. IoT devices are not necessarily built to provide a layer of network security and must be audited and monitored for vulnerabilities. Though IoT investment by companies in the oil and gas sector primarily serves to drive cost savings and profitability efforts, IoT sensors and cameras have provided industry-wide safety improvements as well. Let’s look at some of the risk factors that the industry faces from day to day. Risks Faced By The Oil and Gas Industry The threats to IoT assets within the sector have increased due to two factors. First is an overreliance on legacy systems. This is an industry that got its start in 1859 – it has a long history. Companies that have been around for decades or longer typically rely upon older IT systems that may no longer be up to the task of defending against modern hackers. Second, as many industries have experienced, the COVID-19 pandemic has shifted the way oil and gas companies leverage employees and technology. The rise in remote work has required different tools to keep teams connected and able to monitor aspects of the oil and gas supply chain in ways they never had to before. “The accelerating speed of IoT adoption over the course of the Covid-19 pandemic has brought with it a proliferation of security concerns, given the increasing number of potentially vulnerable endpoints associated with IoT projects,” said Mike Carter, President of Inmarsat Enterprise, which conducted the research. Here are a few ways in which the industry finds itself at risk: Size and complexity of infrastructure: Oil and gas companies generally extract raw material from underground or the deep sea, transport it via ship or pipeline to a refinery or processing plant, then convert that refined material into a variety of end products that then have to be shipped to market. Asset management is a key piece of this supply chain – IoT sensors that track various data along the route help ensure the product gets where it needs to go. But if those sensors are not protected through good security practices, they open up a risk point for the organization. A patchwork network of systems infrastructure: According to industry analysts, oil and gas companies tend to have a broad network of systems of different ages and functionalities across their field locations and units. It can be challenging to keep those all connected securely, updated properly, and patched from known vulnerabilities.The assumption that systems are “air-gapped:” Historically, legacy oil and gas companies have been able to protect their operational equipment and devices by installing “air-gapped” systems, which means they are not connected to the Internet. The increase in remote operations sparked by the COVID-19 pandemic, however, has also provided back doors and other opportunities for hackers to breach oil and gas networks. Likewise, common connected office equipment like wireless printers, mice, and keyboards also provide potential access points for hackers, even if the networks those tools are used to access do not have connectivity. Cybersecurity talent is in high demand: Even oil and gas companies that are actively trying to strengthen their defenses may have trouble finding the personnel they need to address the challenges. While 55% of oil and gas companies report that they need additional security skills to properly deliver IoT projects, 76% of all companies are facing challenges in recruiting and hiring the appropriate cybersecurity staff. Almost everyone – 95% surveyed across industries – said the shortage of skilled cybersecurity professionals and the impact of these hiring issues has not improved over the past few years, and 44% said the problem is only getting worse. In an industry that is already struggling with hiring and retention, niche roles in this area may be challenging to fill. This is not a challenge unique to the oil and gas industry, either. A recent study revealed that 67% of all enterprises have experienced an IoT security incident, and only 16% of enterprise security managers say they have adequate visibility of the IoT devices in their environments. The study also revealed 93% of companies plan to increase spending on security for IoT and unmanaged devices. Protective Measures Oil and Gas Companies Can Take As oil and gas companies expand their cybersecurity teams, there are many basic precautions those teams can put in place to protect their organizations. Consider how best to secure operational technology. Networking critical infrastructure in the oil and gas industry has made it more vulnerable to attacks. Thinking through how that operational technology – which was once air-gapped but no longer can be while remaining effective – can be secured. “Securing…the computing and communications systems used to manage, monitor and control industrial operations – is a more recent and increasingly urgent challenge,” said Trond Solberg, Managing Director of Cyber Security for DMV. Staying on top of updates and patches to firmware. Many companies simply forget or deprioritize installing critical updates that can remove exploitable vulnerabilities. By tracking and ensuring all IoT devices within a company’s technology ecosystem are as up-to-date as possible, IT security teams can decrease their risk. Keep IP addresses on the network private. IP addresses are common, easy targets for hackers trying to find ways into a system. If every device uses public IP addresses to talk to the broader network, that means every device is a potential entry point to the system. Making those private makes it harder for hackers to steal data, infect systems, and attack networks. Constant monitoring of systems and network activity. The best way to address an attack is to avoid it in the first place. By paying close attention to network anomalies, cyber security teams can sometimes stop a breach before much damage is done. With the market growth in IoT in the oil and gas industry estimated to grow by more than 20% and reach USD$43.48 billion between 2019 and 2024, companies will need to look across their legacy and upgraded systems and prioritize addressing where they have the most vulnerability to cyber attack. The IoT sensors and devices that are transforming the oil and gas industry must also be deployed and maintained in ways that protect the security of each part of a company’s workflow. Planning for strong cyber security must be part of each oil and gas company’s strategy to implement IoT solutions. ……………… Got a question for Soracom? Whether you’re an existing customer, interested in learning more about our product and services, or want to learn about our Partner program – we’d love to hear from you!