Don’t let physical security vulnerabilities compromise cybersecurity

Oil and gas are key elements of our critical national infrastructure (CNI) and require ever more advanced levels of protection to guard against threats that are growing in seriousness and complexity. The cyberattack on the Colonial Pipeline in the US, which carries 100 million gal./d of fuel and services seven airports, reinforces the fact that such sites continue to present a target for criminal gangs, terrorist units and nation-state threat actors. It serves as a reminder that, if and when they succeed on a significant scale, the effects are catastrophic.

The World Economic Forum cites cybersecurity failures as being among the top mid-term threats facing the world in its Global Risks Report. Globally, the providers of essential services remain vulnerable to cyber-attacks, necessitating a greater focus by governments on securing oil and gas supply lines and infrastructure, and protecting the people that work in such environments. While no industry or sector is immune to the potential of being attacked, the key is to take appropriate measures to mitigate that risk where possible. One such measure is to select and install physical security technologies that are manufactured with cybersecurity as a prime consideration.

Physical and cyber protection through ‘defence-in-depth’

As a crucial part of our CNI, each site must be protected using the best physical security tools and technologies available to maintain high levels of protection. When seeking to roll out appropriate solutions, it is essential that devices have a hallmark of quality and are themselves deemed to be secure from a cybersecurity perspective. A security system is only as strong as its weakest link and it's imperative that these systems are not left open to attack, compromising the physical security of a site or multiple sites.

Modern solutions to guard and detect can be customised from site-to-site depending on requirements, with a combination of traditional intrusion detection measures and the latest cyber secure physical security technologies resulting in a robust system. An example of such a solution might include surveillance cameras with onboard analytics, infrared motion detection, access control devices and a video management system (VMS) providing alarm verification, ensuring effective physical security of assets and operations. This multi-layering of different measures, commonly referred to as ‘defence-in-depth’, ensures that security is not significantly reduced with the loss of any single layer.

Strengthening the system through device cybersecurity

As with all technology, there are inherent risks when improperly secured IoT devices are installed on an IT network. Network surveillance cameras, for example, which are not cyber secure can be used as a backdoor to gain access to the IT network, either from an insider threat or a remotely triggered assault. Technologies manufactured in regions with lower standards of regulation and compliance might appear to offer adequate protection, but in reality, come with none of the assurances around quality of manufacture or adherence to cybersecurity principles. Secure technologies, built with cybersecurity considerations at the forefront, should form an essential part of any enterprise asset protection strategy.

The oil and gas sectors should look for guarantees from the providers of such technologies, such as Secure by Default and Cyber Essentials Plus, offering evidence of operation in accordance with advanced security principles, aligned with regulation and best practice. From a network perspective, the success of the IoT should not be hampered by weaknesses in physical systems and should be secured across every touchpoint and unexpected vulnerability. Hardening security networks will lock down exposed connections, reducing access to IP-based industrial control systems (ICS), while automating the 24/7 health and cybersecurity monitoring of devices also adds an additional layer of cyber protection.

The importance of working with trusted partners and vendors

According to the International Association of Oil and Gas Producers (IOGP), managing security risks is an essential business activity within the global upstream oil and gas industry. Risk management extends to the forging of trusted relationships with partners and vendors, helping to ensure that smart and effective cyber secure solutions are in place to mitigate risk. Whether the threat takes the form of low-level criminal damage, or large-scale cyber-attack, a converged approach whereby trusted partnerships are formed with the reliable vendors of high-quality security systems, is the best line of defence.

Such partnerships will enable vulnerabilities to be addressed and resilience to be maximised across all sites. Regulations such as the GDPR, and the NIS 2 Directive, are placing more onus on industry sectors to demonstrate security understanding and compliance and to ensure the integrity of their systems. Through implementation of a scalable, future-proof physical security solution, built with cybersecurity considerations front and centre, and backed by the full support of a trusted partner, today’s oil and gas providers will be ready to face whatever challenges lie ahead.

Read the latest issue of World Pipelines magazine for pipeline news, project stories, industry insight and technical articles.

World Pipelines’ June 2023 issue

In the June 2023 issue of World Pipelines, we cover hydrogen pipeline transport; pipeline sensing, composite coatings and inline inspection. Also featured are articles on metering and monitoring, and subsea pipelines.

Read the article online at: https://www.worldpipelines.com/special-reports/13062023/dont-let-physical-security-vulnerabilities-compromise-cybersecurity/