Oil and gas companies have two key areas of concern when addressing cybersecurity, especially in their unmanned remote facilities. They have to supply physical security that denies access to the cyber-physical assets, and they sometimes must employ several cyber defenses depending on the device or system in question. So when you are planning a Zero Trust deployment for critical infrastructure protection (CIP), keep in mind that a site’s physical security is typically the easier of the two to breach.
Once the attacker has physical access to devices attached to the network, how you have zoned off assets and applied endpoint protections where applicable will determine how far the attacker will get with data theft or exploitation of the cyber-physical assets.
Older facilities and process networks in Oil and Gas often lack segmentation, which is now a best practice in network design. As owner-operators of pipelines move forward with digital transformation, segmentation will be key in safeguarding their cyber assets, both local and remote.
Segmentation based on business criteria
Segmentation is not just breaking apart the network based on the IP address space. True segmentation requires identifying and grouping devices into Zones or Enclaves based on meaningful business criteria to better protect vulnerable devices found within the address space. Access to devices in the zone needs to be restricted by users, groups, protocols, networks, and devices. In some instances, you may even consider restricting access by time of day.
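The access restrictions described above can be expressed as a default-deny policy check. The following is an added example, not code from the original article or any vendor product; the zone names, addresses, groups, and the `decide` function are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    zone: str                      # destination zone (a business grouping, not a subnet)
    groups: frozenset              # user groups allowed into the zone
    protocols: frozenset           # protocols allowed into the zone
    sources: tuple                 # source networks allowed into the zone
    start: time = time(0, 0)       # optional time-of-day window
    end: time = time(23, 59, 59)

# Constructed inventory: all three devices share one /24, but the
# PLCs and the camera belong to different zones.
ZONES = {
    "10.20.1.10": "compressor-plc",
    "10.20.1.11": "compressor-plc",
    "10.20.1.50": "site-cameras",
}

# Constructed policy: anything not matched by a rule is denied.
RULES = [
    Rule("compressor-plc", frozenset({"scada-operators"}),
         frozenset({"modbus"}), (ip_network("10.1.0.0/24"),)),
    Rule("compressor-plc", frozenset({"ot-engineers"}),
         frozenset({"ssh"}), (ip_network("10.1.5.0/28"),),
         time(8, 0), time(17, 0)),
    Rule("site-cameras", frozenset({"physical-security"}),
         frozenset({"rtsp"}), (ip_network("10.1.9.0/24"),)),
]

def decide(src_ip, dst_ip, group, protocol, at):
    """Return (allowed, reason) for one access request."""
    zone = ZONES.get(dst_ip)
    if zone is None:
        return False, "destination not assigned to a zone"
    src = ip_address(src_ip)
    for r in RULES:
        if (r.zone == zone and group in r.groups
                and protocol in r.protocols
                and any(src in net for net in r.sources)
                and r.start <= at <= r.end):
            return True, f"matched rule for zone {zone}"
    return False, f"no rule permits this access to zone {zone}"
```

A request that originates from the camera's address toward a PLC is denied even though both sit in the same subnet, because the decision is made per zone rather than per address range.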
IoT/IIoT is beginning to take hold in the energy industry, which means there are going to be more devices attached to these networks gathering information and possibly running on a vendor’s proprietary software and hardware, which more than likely will not be managed or patchable by the operator of the system. So O&G needs to have a definite plan on how they will address this growing trend, and a zero trust-based strategy offers the best means of doing this integration in a safe, secure, and, most important, reversible manner.
Camera and sensor security
Segmentation will also include the zoning of radio frequency (RF) technologies like Wi-Fi, Microwave, satellite, and cellular. ICS and SCADA systems operators must remain mindful of the possibility of an upstream attack by threat actors who have managed to compromise their RF facilities. Remote facilities and devices often have cameras and sensors to alert when a door has been opened. Still, because they are remote, attackers have time to enter the facilities and plant a device that can go completely unnoticed.
Another option physical access affords them is the opportunity to compromise the runtime operating systems and/or OS of the devices they find. The only way to find a planted device or a tainted OS is to do a physical search of the facility or cabinet and run an audit of the OS to ensure nothing has been tampered with.
Zoning limits damage
This is why segmentation into trust zones (zoning) is so important: you may not have the time to perform these checks to confirm that the site is not compromised. With proper zoning enforcement, you can limit and isolate the damage to a region or just that location.
Zones in a Zero Trust network also serve as an inspection point for traffic entering and exiting the enclave. IPS, IDS, and virtual sandboxing technology can be enabled on a per-zone basis, allowing for customized protection for the vulnerable devices contained within. Implementing these security measures is a best practice even on zones where devices can receive updates and have some form of endpoint protection.
With proper design and device consideration, zoning with the different inspection technologies enabled can also be a remediating factor for those devices in your network that cannot be patched or updated, and even those that are end-of-life. In short, zoning with inspection technology enabled helps to ensure the safe operation of IT and OT network systems. In even the most secure environments, it is never safe to assume that data traffic traversing the network is free of a potential threat.