The idea that companies benefit from cooperation between all the parties that manage their networks is not new, or particularly unorthodox. Getting to that point, however, is not easy, and it requires open communication between groups that may have different organizational philosophies and different strategies for managing the data that come from a given facility.
At the 2019 OilComm Conference, a panel of cybersecurity experts looked at, among other things, how information technology (IT) and operational technology (OT) handle the change management needed to develop a cooperative network. The panelists focused on the primary risks that they see in cooperative networks from rogue devices, particularly as companies develop their own shadow IT groups operating outside of their central IT departments. They all agreed that lack of visibility that comes from a shadow environment is a concern.
Paul Brager, technical product security leader for digital technology, at Baker Hughes, said that shadow groups are not necessarily a bad thing, because sometimes the central IT department cannot respond to specific incidents as someone onsite could. Stopping shadow IT, he said, would inevitably impede operations. However, for such a setup to work, vendors, security teams, telecommunications, and operations must have open communication.
“There’s a lot of data coming out of these environments, and there’s no communication,” Brager said. “You’re potentially exfiltrating data on a sensor that you didn’t even know existed. Adding visibility, having some ability to systemically see what’s going on in an environment, can help give you an idea of what you’re dealing with.”
Understanding the motivations between IT and OT groups can go a long way to increasing visibility. Brager said the primary directive for people in operations is system availability and they will achieve that by any means necessary. If people can take care of a problem on site by purchasing a device at an electronics store, they will. This mindset could lead to a proliferation of equipment generating and storing data that may not be integrated within the overall environment of a given site. From a security perspective, Brager argued, companies cannot protect what they cannot see.
Another issue adding to the proliferation of equipment is what panel moderator Rick Sperandio termed the “SkyMall effect,” where companies deploy new technologies on something of a whim. Sperandio, president of US operations at Rigstar Industrial Telecom, used the analogy of “the executive who sees the new gadget in the SkyMall magazine on a flight” and immediately wants to spend significant resources implementing it.
Brager said cybersecurity personnel have to manage the risks that come with implementing new technologies in this manner. The business people own the risk, and security alerts the business to the risk. Matthew Nalbone, global oil and gas solutions architect at Cisco, said that adding these technologies on top of already existing systems often adds to the confusion.
“Making more data is not something anyone needs to do,” Nalbone said. “There are so many devices, so many things that are already making data, and we’re not using 90% of what’s being created. It’s a matter of tapping in and finding the appropriate data. The last thing they need is someone reading something in SkyMall and saying, hey, here’s something that can give you more data that I either don’t necessarily need or I’m already getting.”
Sperandio asked the panelists about the best ways companies can identify the systematic tools that enable better passive monitoring of the devices linked to their networks. Nalbone said companies are inundated with new technology and sometimes the struggle can be in using the proper lexicon to articulate what they are trying to do, whether the new technology fits under a digitization initiative, a digitalization initiative, or a full-fledged digital transformation.
Dennis Brewer, segment engineering technical authority on operations critical telecommunications at BP Upstream, said no one company can do everything needed in this area. Some companies produce standard tools for network monitoring. Others analyze traffic anomalies. When he looks for a solution, Brewer said he tries to find out where the technology, or the developer, in question best fits.
“I go to a company, and I say this is what I want you to do here. I don’t need you to do all your other bells and whistles. I just need you to do this. Then, I go to the next company. You’re the best at this, so I want you to do this for me. It’s the same way we built the process control network. It may not be the thing IT wants to see, but it works in operations,” Brewer said.
Once third-party vendors are vetted and operating within the network, they may create backdoors to funnel data from a facility to its own infrastructure for processing, storage, and other activities. With multiple vendors potentially working on the same facility and potentially using their own backdoors and workarounds to handle the data they’re tasked to handle, operators face a multitude of what Brewer termed “attack vectors.”
Brewer said that, while an operator may trust the vendors, the flow of segmented data is still a challenge. One way to handle this is to allow vendors to bypass the operator’s network entirely.
“If, say, Oceaneering wants to run an ROV off my asset, and I have LTE, why don’t I allow them to connect directly through Tampnet in the Gulf of Mexico? It’s all on Oceaneering and Tampnet, and it doesn’t touch my network. I don’t necessarily need to see all the data, and, if I do need any data, I can get it from onshore. I don’t have to get it from offshore,” Brewer said.
Brager said that third-party vendor management is as much a matter of developing the right processes as it is a matter of technologies. Any given operation has, potentially, hundreds of vendors that need to be brought on board through some sort of vetting process. From a security perspective, Brager said the greatest concern is enabling the vendor to access the things the operator wants them to access without compromising the network.
“If I am Exxon, if I am Shell, if I am Baker Hughes, I am going to provide the vendor with a mechanism that is within my risk tolerance. If you are unable to use that, then we will potentially go to an alternative, depending on how important that relationship is to us. If neither of those work, then you’re probably not the appropriate third party. Obviously, there are exceptions to that, but, generally speaking, your third-party management is more about process than it is technology. The technology is pretty easy, depending on what the use cases are that you have to support,” Brager said.