AUGUST 2019
SPECIAL REPORT – LAST WORD
oilandgasmiddleeast.com
MANAGING DATA RISKS
Axel Hauer, director of EMEA enterprise sales, IAMS at HID Global, on facing the risks that accompany rapid digitalisation
The oil and gas and critical infrastructure industries were the #1 targets of nation-state-sponsored cyberthreat actors in 2017-18. Cyberattacks pose a significant threat, causing major business disruption, downtime and loss of intellectual property. Rapid digitization of production tools across the industry can also expand the threat landscape unless properly mitigated.
Several nation-state attacks have highlighted the necessity for a risk-based approach to cybersecurity, protecting and managing how control systems and data are accessed. According to researchers, Russian state-sponsored hackers are actively targeting oil and gas industrial control systems (ICS). Known attacks by Russia-linked malware shut down an oil refinery in 2017.
One known piece of malware, Triton, appears to have been developed to disable plant safety and fail-safe mechanisms, opening the door to physical attacks on infrastructure. When successful, this malware is used to shut down the safety instrumented system (SIS) — disrupting plant operations and causing service downtime. Typically, adversaries lurk undetected in the target network for nearly a year before gaining access to engineering workstations connected to critical ICS systems.
The Triton actors follow a common pattern seen in sophisticated ICS-related intrusions: moving from corporate information technology (IT) to operational technology (OT) networks through systems that are accessible to both environments.
Secure IAM for the Oil and Gas Industry
Establishing secure digital identities within your IT and OT systems is a fundamental step toward enforcing best practices of identity and access management (IAM). IAM grants visibility of the persons and things accessing the systems and helps keep bad actors from breaching networks across multiple sites.
In today’s threat landscape, passwords alone are insufficient. Multi-factor authentication (MFA) adds a layer of security to help protect organizations from stolen or misused credentials.
The guide, “General Best Practices the Department of Homeland Security and the FBI,” recommends using two-factor (or multi-factor) authentication for authentication of employees, contractors, visitors and IoT devices, and implementing solutions which can detect the malicious use of legitimate credentials.
A Modern Approach to Identity Assurance
Trusted identity is foundational in today’s highly connected zero-trust environments. Oil and gas companies are being proactive with strong multi-factor authentication and credential management solutions. Taking a modern approach to digital identity means incorporating an adaptive, composite authentication solution. A composite identity combines traditional MFA — what you know (PIN), who you are (biometrics) and what you have (smartcard) — with risk-based factors such as physical gestures, geo-location and time frame.
Modern composite authentication solutions are much easier to use than traditional complex passwords. The assurance that users have a frictionless and continuous authentication experience is a key contributor to success in the field.
Combined Security for Physical and Logical Access Control
As most oil and gas sites are perimeter restricted, employee/contractor physical access management controls and real-time data are required for suitable risk mitigation. Data analytics enables companies to take the power of their physical security data beyond traditional reporting and use it to predict possible physical security risks. A system that combines physical and logical access controls and analytics and is easy to deploy and adopt across distributed sites is required. To block attackers from leveraging stolen credentials, trusted digital identity and strong authentication are the foundation of protection across distributed physical assets and intellectual property.
Axel Hauer, director EMEA enterprise sales, IAMS at HID Global