When Hardware-based Attacks Strike Oil

When Hardware-based Attacks Strike Oil

When Hardware-based Attacks Strike Oil Author: Jessie Amado, Head of Cyber Research at Sepio Systems

When Hardware-based Attacks Strike Oil - The oil and gas sector is entering a digital revolution to improve efficiency and operational capabilities. However, in doing so, the industry has become more interconnected, thus increasing its exposure to cyberthreats.

Due to the nature of its operations, the oil and gas sector is one of the most important components of a nation’s critical infrastructure. Such significance makes the industry a valuable target for malicious actors. More worrisome is that a cyberattack on an oil and gas entity can have physical implications due to a cyber-physical environment.

Interconnectivity welcomes attackers

As part of the industry’s digitalization, the oil and gas sector is becoming increasingly reliant on a large number of third parties. According to the World Economic Forum, oil and gas companies rely on over 1,000 third parties to support their digital transformation. While third parties are undoubtedly valuable, they also expand the attack surface as, oftentimes, third parties act as an entry point for malicious cybercriminals; and with more third parties comes more entry points.

Attackers look for the easiest way in. If their target operates in a highly secured environment, bad actors look for an alternative infiltration method – the supply chain. Enterprises are only as secure as their least secure supplier. Hence, heavy investments into cybersecurity prove to be limited when a malicious actor successfully infiltrates a third party.

When it comes to hardware-based attacks, an attacker can manipulate a device at any point along the supply chain or simply insert an-already-manipulated device. Either way, the harmful device ends up inside the target enterprise, triggering no security alarms due to its covert nature (i.e., physical layer manipulation).

With digitalization comes the use of Industrial Internet of Things (IIoT) technology. IIoT enables interconnectivity between traditional technologies used within the oil and gas sector, allowing for faster and more accurate operations. The use of IIoT, however, exposes the industry to more cyberattacks due to the increased number of entry points.

The 2020 Honeywell USB Threat Report found that the amount of USB-borne malware that had the potential to cause major disruption in an industrial control system increased from 26% in 2018 to an alarming 59% in 2020. And since IIoT allows for the connectedness of IT and OT, the effects of a cyberattack can turn physical.

Steps to take

Primarily, oil and gas entities need to take greater control in governing third parties’ risk. They must ensure that third parties understand their roles and responsibilities within the organization. The employees that handle third parties must be cyber literate and educated on the risks associated with third parties, understanding how to perform duties and responsibilities consistent with related policies, procedures and agreements. Further, the enterprise should monitor third party compliance with security requirements to ensure that standards are being upheld.

Importantly, the enterprise must establish access controls based on the principles of zero trust. Micro-segmentation and the principle of least privilege limit user and device access to certain parts of the network in an effort to enhance security and limit the blast radius of an attack, should there be one.

In order to effectively enforce zero trust protocols, asset management is extremely important, and assets must be covered for their entire lifecycle. The enterprise must be able to gather all necessary asset information for the entire time said asset is used within the enterprise, and third parties should do the same.

PLATINUM

Innovators

The visibility challenge

The above-mentioned efforts are limited in efficacy due to a lack of hardware security. Access controls and asset management protocols can only be effectively enforced with complete device visibility. However, the lack of hardware security results in visibility challenges that hinder such efforts. In other words, security investments are going to waste as attackers are exploiting the Layer 1 blind spots.

Sepio Systems’ HAC-1 solution

Sepio Systems’ Hardware Access Control solution (HAC-1) enables Physical Layer (Layer 1) visibility, providing a panacea to the gap in device visibility. Not only are all devices visible to HAC-1, but by validating a device’s Physical Layer information, its true identity is revealed – not just what it claims to be. No device goes unmanaged, whether it is IT, OT, or IoT, providing complete protection of all hardware assets. The solution’s policy enforcement mechanism enables Hardware Access Control by enforcing a strict, or more granular, set of rules based on the device’s characteristics.

And, importantly, HAC-1 instantly detects any devices which breach the pre-set policy, automatically instigating a mitigation process to block the device, thus preventing malicious actors from successfully carrying out an attack. Such capability accounts for any visibility challenges experienced by a third party; should an attacker successfully plant a rogue device along the supply chain, it will be detected instantly when it reaches the enterprise.

HAC-1 enhances the efforts of zero trust and asset management by significantly reducing an enterprise’s blind spots. With greater visibility, current security software and protocols are put to better use, thus enhancing the enterprise’s protection within, and outside of, its traditional perimeters.