Today’s oil and gas industry is no stranger to cyber attacks. The 2012 hack of Saudi Aramco – during which the oil giant’s computer network was almost completely compromised, forcing staff to resort to typewriters and faxes for months and sending company executives on buying sprees for hard drives – could have easily bankrupted a smaller organisation. And all it took was one click on a bad link in a scam e-mail.
Given the risks involved in an increasingly IT-driven industry that operates in a safety-critical environment and is high on the target list for malicious or geopolitically inspired attackers, the sector has woken up to the importance of cyber security, and its suppliers are responding. In May, industrial giant Siemens announced a new partnership with innovative cyber security firm Darktrace to help bring the latter’s AI-driven Industrial Immune System technology to customers in the utilities and oil and gas industries.
By combining Darktrace’s digital tech with Siemens’s operational technology (OT) security expertise and strong industry presence, the partners are hoping to offer a comprehensive solution for oil and gas companies. We caught up with Darktrace director of technology Dave Palmer to discuss cyber risks to offshore oil firms, and how sophisticated cyber security systems can help secure their most sensitive infrastructure.
Chris Lo: Could you start by describing Darktrace’s Industrial Immune System technology, and what makes it different from other cyber security systems on the market?
Dave Palmer: I guess you can think of the majority of the cyber security industry as being preventative. So most things on the market have an awareness of previously seen attacker techniques, and they work in different ways to try and block them, which is a perfectly reasonable idea. And on top of that, there’s a much smaller number of products out there that try to detect the things that have gotten past your defences. But often it’s based on the same idea, so it’s really doing the same thing again, just having another look for what previously known attacks have looked like. Unsurprisingly that’s not super-successful, because if something was different enough or novel enough to get past the defences in the first place, then it’s probably not going to get picked up by using the same idea again.
So in order to do better at picking up an in-progress attack, we just flipped the idea around, so instead of having an awareness of what attacks are like, let’s learn what the normal business is like, let’s learn about all the different people and devices, whether it’s something as common as a laptop or an iPhone, or a completely bespoke piece of machinery that doesn’t exist in any other pipeline or manufacturing system in the world. What that means for the attackers, then, is if they want a successful attack, they have to be clever enough to get past all the existing defensive systems that are in place, but they can’t look different at all from the way the normal business operates, otherwise we’ll pick them up. Those two ideas side-by-side are incredibly powerful.
CL: How did the partnership with Siemens come about? Is it useful to have a very established partner like Siemens when introducing your services to a famously cautious industry?
DP: Of course, Siemens is such a massive part of this sector. I think, really, we caught their attention. Rather than ringing them up every week and saying, ‘Hey, this is a great idea, you should try it,’ we worked really hard on proving the idea again and again with Siemens customers. So because we’ve got that self-learning aspect, we never needed to do a partnership in advance of being able to work with Siemens customers because the system would just learn and operate successfully.
CL: What work have you been doing to integrate Darktrace and Siemens’ services and technologies to create a single, comprehensive solution?
DP: I guess there are two strands. There’s basically a go-to-market piece, where Siemens are basically helping us describe and advertise to their customers how they can get some of the benefits from Darktrace and what that would really mean in a Siemens-type environment. And that’s pretty classic for us; it’s what we’ve been doing for a few years now, but it’s great to have their support and great to have them continuing to inform us of what would be useful for their customers.
But I’m also really excited about their push into offering cyber security as a service, and Darktrace is going to be a cornerstone of that managed service that they’re going to provide. Repeating the mistakes of the IT industry, where we’ve tried to get every small law firm and mid-size business in the world to become cyber security experts, isn’t particularly helpful.
CL: As well as onshore data centres and the like, is there an increasing cyber risk to upstream facilities such as offshore production platforms?
DP: What’s interesting from my perspective is the vast geo-survey data, sensing data – information collection that goes on in all sorts of formats, whether it’s [a] satellite or stuff being towed through the ocean or distributed sensors being put over land to generate views, of course, of where there might be resources under the surface that are worth going after. If you make decisions worth potentially tens or hundreds of millions of pounds based on relatively small pieces of information that have ended up in your data centre, it’s worth thinking about the whole information supply chain, where that data has come from and how it might have been manipulated along the way.
If I was a bad person and I really wanted to try and increase harm against your organisation, I would attack your view of the world – I would make your view of the world incorrect, and essentially try to influence you into buying drilling rights in the wrong places, and I would do far more monetary harm to your organisation than I would by powering off an oil rig for three days.
CL: What are the main challenges involved in securing oil and gas infrastructure that is complex and geographically widespread?
DP: I think the primary challenge is that in a lot of businesses, it’s okay to interrupt things on the basis that it’s better to stop it and then assess whether that was okay or not, than it is to let it continue. Of course, in safety-critical environments, you don’t want to be just randomly stopping strange stuff happening in the environment, because the reason why that anomaly has occurred might be because someone’s just pressed the ‘emergency stop’ button, and the last thing you want is your cyber defences preventing a safety-critical system from operating.
That said, I think what we’re seeing in the industry is a faster breakout from data and information and controls being in the OT to coming back into just being corporate. So rather than extending OT networks deeper into the onshore world, what we’re seeing is that OT networks are more quickly offloading whatever they need to say or do, or the information they need to pass on, into conventional IT and then we’re back on to nice, non-safety-critical ground.
CL: How important is it to secure buy-in and educate offshore/onshore staff on the fundamentals of cyber security?
DP: Most of the things that go wrong and become cyber security incidents start off with someone either making a mistake that results in a weakness, or because someone’s been tricked into trusting something that they shouldn’t. Because while there is of course technical cleverness in what goes on from the bad guys, frankly a lot of it is what’s now nicknamed ‘social engineering’, or just taking advantage of the psychology of us all as people who trust our colleagues around us, and people that would get used to seeing things on our own screen and naturally trusting it and having a bias towards it. It’s definitely not like the movies where it’s just people punching through firewalls anymore. That kind of era is over.
CL: What kind of early feedback or interest have you received from the oil and gas industry since you announced the partnership with Siemens?
DP: It’s been pretty good so far; we’re lucky to have a few oil and gas customers that speak well of us to their colleagues in the sector. To be honest, what’s really bringing people to us is two things. One, they know they’re really struggling with their own complexity. So we try not to pitch ourselves by saying, ‘It’s you versus the hackers’. We try very much to explain that for most businesses, it’s the security team just trying to get their heads around everything that they’ve got and what might happen. You can almost stop thinking about the hackers in that regard.
I think the other reason people are really seeking us out at the conferences and the places where we meet up is they’re looking so hard at the benefits of unmanned or autonomous systems, of massively distributed information sensing networks, and you can’t go and buy an anti-virus and run it on there. So when the security teams are getting asked how they can help organisations move forwards with these cool, new, much more effective technologies, I think these AI-based security approaches are just really helpful to give an answer, that they can feel good about moving forward with some of this exotic new stuff, because we’ve still got a way of being able to see and understand what it’s all doing, and we’ve still got a way of handling things if it starts to go a bit wrong.