Ensuring Cybersecurity Throughout the Oil and Gas Security System Value Chain – Jason Chiu

 

By Jason Chiu

In the world of surveillance systems, those who work in design and implementation of security and intrusion systems for critical industries and infrastructure, like oil and gas, shoulder a lot of responsibility. Advanced surveillance systems are a necessary aspect of modern security practices to ensure oil and gas operations can safely exist and operate. The physical protection of these sites is important to prevent malicious entities from gaining unlawful access to critical systems, but digital protection has become just as important in recent years. By 2025, it is estimated that global cybercrime costs will reach $10.5 trillion USD, up from $3 trillion USD in 2015. Couple this rise with the average time—277 days, according to IBM—that it takes to identify and contain a data breach, and we’re faced with an issue that will require all members of the value chain to work together to solve. From design to specification supply, utilization, and finally, decommissioning, cybersecurity needs to be at the forefront of concern.

A changing oil and gas environment

The Canadian oil and gas sector is not immune to cybersecurity threats. Because they are considered critical infrastructure and an essential to the Canadian economy, they are routinely targeted by cyber attackers. A Canadian Centre for Cyber Security report reveals that the country’s energy industry is particularly vulnerable to cyber threats, with attackers aiming to disrupt operations, steal intellectual property, or obtain sensitive information for financial gain. Furthermore, experts in the field note that the industry has experienced an increasing number of cyberattacks, particularly those involving ransomware, phishing, and data breaches. A study by the Ponemon Institute found that the average cost of a data breach in the oil and gas industry is $419,000.

A recent scenario of a cyberattack on a Canadian oil and gas company involved the company’s computer system reportedly being taken over by a cybercriminal. An incident like this highlights the need for increased vigilance and effective cybersecurity measures within the industry. Even systems that are not part of critical or day to day operations need to be cyber secure, otherwise they can provide a potential vector of attack.

Getting off to a good start: Cybersecurity at the beginning of the value chain

The initial stages of the value chain, including research and development, design, and procurement, are crucial for determining the overall security of a surveillance system. Cybersecurity risks at this stage include intellectual property theft, supply chain attacks, and data breaches.

The best surveillance system manufacturers take cybersecurity seriously from conception by implementing a secure development process involving threat modelling, vulnerability assessments, and regular security training for developers.

It is also beneficial to be in control of the SoC’s (System on Chip) that serve as the main processors of the device, to ensure full control of the components that go into each product. Further, a program which ensures suppliers and sub-suppliers adhere to agreed standards for cybersecurity ensure the integrity and traceability early in the value chain.

Keeping up the momentum

The intermediate stages of the value chain, including production, marketing, and distribution, are also exposed to cybersecurity threats. Ransomware attacks, phishing scams, and insider threats are common risks in these stages.

High-quality surveillance systems ensure secure production and distribution by securing their devices throughout their lifecycle, from production to decommissioning. They implement secure boot and signed firmware to prevent unauthorized modifications and use. Signed firmware involves a software vendor signing a firmware image with a secret, private key which forces devices to validate firmware updates they receive to prevent malicious software being loaded onto devices. Employing additional measures for the most cyber-conscious customers like the Trusted Platform Module (TPM), which is ubiquitous in computing for cryptography ensures that devices can co-exist in a larger cybersecurity framework and ecosystem.

Finishing strong

The final stages of the value chain, including sales, use, and decommissioning, are not immune to potential risks like hacking, data destruction, and unauthorized access. To reduce these risks, leading surveillance system manufacturers incorporate built-in cybersecurity features like IP address filtering, HTTPS encryption, and user access management.

Within a surveillance system, or any network for that matter, having devices on the network that are no longer supported or have published, unpatched vulnerabilities is a serious security risk. Additionally, sensitive data remaining on devices after disposal presents a security concern as discarded devices can be powered back on to discover network settings, etc. for a user’s network. High-tier surveillance system manufacturers offer tools to manage the lifespan of devices in a network by alerting users to product discontinuation and providing end-of-support information. When decommissioning old hardware, proper device sanitation procedures are essential. At the very least, all decommissioned devices should be factory reset before they are disposed of.

Best practices throughout the value chain

Implementing best practices for cybersecurity at each stage of the value chain can significantly reduce the likelihood of an oil and gas breach. Employee training, network segmentation, data encryption, and access control are crucial measures that can be taken to ensure a comprehensive security approach.

Continuous monitoring and risk assessments are essential for identifying potential vulnerabilities and responding to emerging threats. Surveillance system manufacturers that adopt effective cybersecurity practices, including multi-factor authentication, threat intelligence sharing, and incident response planning should be considered when procuring a system. These measures help enhance security, improve compliance, and increase customer confidence.

It’s essential for security and IT personnel in the oil and gas sector to work with vendors that have robust cybersecurity measures in place. When selecting surveillance equipment, consider the following best practices:

1. Choose products with built-in security features, such as secure boot, signed firmware, and encrypted communications.
2. Evaluate the vendor’s commitment to cybersecurity by reviewing their development processes, vulnerability management, and incident response plans.
3. Develop a comprehensive security policy that includes network segmentation, access control, regular updates, and employee training.
4. Ensure that your surveillance system can be remotely managed and updated, enabling you to patch security vulnerabilities quickly.
5. Establish an incident response plan in case of a security breach, outlining the steps to take for containment, recovery, and future prevention.

Collaboration from all members

To achieve comprehensive cybersecurity throughout the surveillance system value chain, it’s essential to encourage collaboration among all stakeholders, including surveillance technology manufacturers, vendors, integrators, and end-users. This collaborative approach helps create a more secure environment and raises the overall standard of cybersecurity across the industry.

1. Manufacturers of surveillance solutions should prioritize secure design, development, and production processes, providing regular updates and patches for their products.
2. Vendors and integrators should offer additional cybersecurity services, such as consulting, risk assessments, and incident response planning, to help end-users secure their surveillance systems.
3. Critical oil and gas end-users should maintain an ongoing dialogue with their vendors, providing feedback on potential vulnerabilities and requesting information on emerging threats.

Conclusion

The importance of cybersecurity throughout the surveillance system value chain cannot be overstated, and the Canadian oil and gas industry must prioritize it to prevent the potential consequences of a security breach at any stage. As the threat landscape evolves, these organizations must invest in appropriate security tools and technologies and build a culture of security awareness and compliance.

The future of cybersecurity in surveillance systems will be influenced by the emergence of new technologies, the proliferation of mobile and IoT devices, and the increasing sophistication of cybercriminals. By fostering collaboration across the value chain and adopting best practices, the Canadian oil and gas industry can protect its assets, operations, and customers from the ever-growing threat of cybercrime.

 

 

 

 

Jason Chiu is the professional services group manager with Axis Canada. He has a background in IT and networking and has spent over 15 years in the security industry, from being an integrator, consultant, and manufacturer.

Share This:

---

More News Articles