Oil and Gas
In this industry, one important factor for competitiveness is to operate as efficiently as possible, digitally. The problem with this trend though is, that cahllenging factors arise simultaneously: the physically distant endpoint tools, the complex production management systems and the need for continuous and undisturbed availability.
Difficulties raised by digitalisation
Challenges
Network of networks
These companies use a wide range of technologies, different tools manage central processes, end points or automation, and often are legacy systems. However, the security inventory of many of these devices is incomplete, they are the products of many different vendors and can be decades old. These networks are part of a single large network, and are now converging towards more centralised, digitised and automated structures. The problem is centralization and automation are in contrast with security, because it is easier to make lateral movements for an attacker within a centralised system. Cyber attacks against such infrastructures have increased as a consequence of economic and political pressures in recent years, oil and gas companies should really pay particular attention to their security posture.
Maintenance and availability
For infrastructures of this scale, maintenance is often carried out in decade-long cycles. In fact, the lifecycle of an asset can be up to 100+ years, during which time new security challenges will emerge. Maintenance is therefore a very time and resource intensive activity, which we can significantly reduce by our experience in cyber-physical systems, and we are familiar with the most important industry protocols and standards. Our products are able to provide an inventory of used assets and their security risks.
CIA versus AIC
Normally, the CIA triad works as a rule of thumb in an organization as a model to guide policies for information security - confidentiality is the most important factor to consider here. However, infrastructures this huge and important cannot consider to compromise Availability even for a short period of time. CIA becomes AIC when it comes to cyber-physical systems, and this shift in perspective often requires a completely different set of skills from cybersecurity experts.
