By Butch Pinkham, BHGE Global Cyber Security Sales Leader
Recently, I met with a customer in the oil & gas industry who had used their IT department to handle the cyber security for their operations side, more commonly known as OT. The decision to do this was mainly because there was not an OT security team in place and budget wasn’t available to create one. The results were not positive, and they had some concerns as to their true readiness for a cyber attack.
Although cyber security has been a concern for several years, developing and applying an effective program is still relatively new to many organizations. As news continues to reach us on global attacks such as the WannaCry ransomware attack, the crippling of the Ukrainian power grid in 2015 and 2016, and the recent attempts to infiltrate nuclear power plants in the United States, cyber security for critical infrastructure is a new top priority. But it’s important to recognize that it is just as important, if not more important, to implement the RIGHT security solution, rather than just putting any solution in place. Understanding the differences between IT and OT environments is the critical piece to ensuring the availability of critical assets in power plants, oil refineries and other major infrastructure operations.
When people hear the word "cyber," a typical reaction is that this is an issue for IT. While IT departments have extensive experience in successfully implementing security solutions for enterprise systems, they are not necessarily experienced in OT environments and the specific needs that come with a Process Control Network (PCN). In my experience, when IT is asked to handle the PCN security, they stick with what has worked in the past and with what they know. After all, nobody ever got fired for buying Cisco, right?
The problem is, the OT environment is very different than the IT environment. IT networks have different protocols and manage very large packets of data that are transferred from one location to another. Typically, these packets are not time sensitive and don't contain command code. Networks that manage the data are shut down on a regular basis for patches and updates. In addition, data security is key to the IT environment. It’s the single most important piece of the data triad. However, for OT, availability is most critical. If the plant or refinery isn’t fully operational, the business loses money.
Using tools designed for an IT network will be effective some of the time. But they will not provide the level of security needed to protect an OT environment properly while ensuring no interruptions to operations. Having the proper tools for the job is key. You can use a rock hammer to build a house. However, if you use a proper framing hammer, you will drive all the nails properly and will most certainly build a stronger home much quicker.
When implementing security in an OT environment, you need to implement solutions specifically designed to protect that environment. This typically means a solution designed to handle smaller, faster and more time-sensitive packets and protocols containing command code. You need a solution designed to keep the networks and the assets running without the need to shut down on a regular basis for patches and updates. In addition, you need an experienced team supporting these solutions that understands the criticality of maintaining operations.
Baker Hughes, a GE company, has been in the OT security business for more than 10 years. We have some of the industry’s leading experts in OT security with experience across oil & gas, power generation, petrochemical, manufacturing, healthcare and transportation. Our solutions have been specifically designed to meet the rigorous needs of an industrial OT environment. If you are just beginning your OT cyber security journey, download our Where to Start whitepaper here.