Oil & Gas IQ Infographic interpretation - Fox-IT

In a recent OGIQ survey, most concerns were aimed at hacktivism (61%) and state actors (espionage (20%) & cyber warfare (8%)).
Fox Interpretation: Hacktivists are the low-hanging fruit (easy pickings) to defend against. If you are not fully confident you can keep hacktivists out, then your defense against state actors and corporate espionage will probably not be effective either. To keep hacktivists out, the first thing to do is own up to the vulnerabilities and make sure your OT environment cannot be attacked from the internet. You cannot demand from OT to "just upgrade to the latest patches", as this may impact continuity and will require downtime. So segregating is the first step. Do it properly, and use data diodes. For the networks where you can enforce updating and patching procedures, you still need to stay on standby in case an incident does occur. And you actually need to know when an incident occurs. How will/can you know? By using a reliable network monitoring tool: ProtACT.
And how confident are you that your defense mechanisms can handle/detect state actors/APTs? (APT = Advanced Persistent Threat)
Fox Interpretation: State actors and APTs are backed with a lot of knowledge, money and patience when subverting your infrastructure. However, they prefer the lazy approach and will target the easy pickings, which is the digital infrastructure, because they do not even have to leave their offices to launch an attack. When there is no network segregation, they can just walk in. When there is a firewall in place, some effort will be needed to circumvent it, but it is still doable. The only way to protect your OT network against online attacks is by using an air gap or a data diode. For all networks, monitoring is key to detecting anomalies, in particular when preventive measures like air gaps and data diodes have not been applied.
For the OT networks, use a Fox DataDiode to stop outside attacks.
For the IT networks, use ProtACT to see what is happening and be able to react quickly when something happens.
Have you segregated your IT network from your OT network? (IT = Information Technology, OT = Operational Technology)
Fox Interpretation: The above figure shows that installing a firewall is perceived to be sufficient to safeguard ICS systems against hacktivism and APTs. Using a firewall is always better than having no separation at all, and it is an indication that it is understood that the OT environment is a particularly valuable asset to protect against attacks. However, firewalls are not an adequate solution. Often, firewalls are left open because the administrators fear that closing the firewall further may harm continuity. Also, maintaining a firewall requires a lot of know-how. When outsourcing the firewall management, the keys to opening your OT network are handed over to external parties. Technically, a firewall is only a moderate hurdle. By definition, it allows data to flow into the OT network, including malicious data. Moreover, firewalls are essentially complex software with bugs and holes, just due to their sheer size. So we see the use of a firewall as an acknowledgement of the need for protection, but without the protection that your OT environment needs. Consider the use of a Fox DataDiode, which does not have any of the drawbacks of a firewall.
From within your IT network, to what kind of data and/or devices do you need to have access in your OT network? (Multiple answers possible)
Fox Interpretation: Sharing data generated in the production environment (ICS), be it from SCADA, Historian, RTUs or HMIs, in real time with the corporate (IT) network has become necessary for business analysis and interpretation of data. Integration means that connections are set up. These connections could be used for purposes other than data sharing between the production environment and the corporate network, e.g. malicious purposes. Corporate networks are connected to the Internet and therefore can be infected and hacked into. When connections exist between corporate networks and ICS production environments, these systems become vulnerable to malware and attacks. Ultimately, if this vulnerability is exploited, the availability and integrity of production systems and critical assets are at risk.
Placing a Fox DataDiode between the corporate networks and the production networks guarantees the integrity of the production systems, as only data flowing from the production systems to databases or monitoring stations in the corporate network is possible because of the one-way network connection. ICS assets that facilitate production are protected against cyberattacks, abuse and even mistakes from the corporate network. Furthermore, threats operating through the corporate network, for example malware that has entered the corporate network through an Internet link or hackers conducting targeted attacks, cannot reach the production
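The one-way property described above, modelled as an added example (not Fox-IT code, and not the Fox DataDiode's own transfer protocol): because the link has no return path, the OT-side sender can never receive an acknowledgement, so it numbers, checksums and repeats each frame, and the IT-side receiver verifies what arrives and reports gaps instead of requesting a retransmission. The frame layout, the function names and the sample historian records are assumptions made for this illustration.

```python
import hashlib
import json


class OneWayLink:
    """Simulated unidirectional medium: OT may only write, IT may only read."""

    def __init__(self):
        self._frames = []

    def ot_send(self, frame: bytes) -> None:
        self._frames.append(frame)

    def it_receive(self) -> list:
        return list(self._frames)
    # Deliberately no it_send()/ot_receive(): the return path does not exist,
    # so nothing on the IT side can push data (or packets) toward OT.


def encode_frame(seq: int, record: dict) -> bytes:
    """Assumed frame layout: seq | sha256-prefix | JSON payload (digest lets IT spot corruption)."""
    payload = json.dumps(record, sort_keys=True).encode()
    digest = hashlib.sha256(payload).hexdigest()[:16]
    return f"{seq}|{digest}|".encode() + payload


def ot_sender(link: OneWayLink, records: list, redundancy: int = 2) -> None:
    """Send every record `redundancy` times; without ACKs, repetition is the only recovery."""
    for seq, rec in enumerate(records):
        for _ in range(redundancy):
            link.ot_send(encode_frame(seq, rec))


def it_receiver(link: OneWayLink) -> dict:
    """Verify, de-duplicate and report gaps; IT cannot ask OT to resend anything."""
    good, corrupt = {}, 0
    for frame in link.it_receive():
        seq, digest, payload = frame.split(b"|", 2)
        if hashlib.sha256(payload).hexdigest()[:16] != digest.decode():
            corrupt += 1  # damaged frame: dropped, never "fixed" by asking OT
            continue
        good.setdefault(int(seq), json.loads(payload))
    # Gaps are visible only up to the highest sequence seen; a lost tail needs a heartbeat.
    missing = [s for s in range(max(good) + 1) if s not in good] if good else []
    return {"records": [good[s] for s in sorted(good)], "missing": missing, "corrupt": corrupt}


def demo(drop=(), corrupt=()) -> dict:
    """Run one transfer over a medium that loses/corrupts frames at the given positions."""
    # Constructed sample historian readings, not real plant data.
    records = [{"tag": "PT-101", "value": 4.2 + i, "ts": 1700000000 + i} for i in range(4)]
    link = OneWayLink()
    ot_sender(link, records)
    frames = [f[:-1] + b"X" if i in corrupt else f for i, f in enumerate(link.it_receive())]
    link._frames = [f for i, f in enumerate(frames) if i not in drop]
    return it_receiver(link)
```

Losing one copy of a frame is absorbed by the redundancy; losing both copies leaves a gap the receiver can only report, which is the trade-off a one-way link makes for blocking every inbound path.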
Are you monitoring your network? (Multiple answers possible)
Fox Interpretation: Security is always a fine balance between preventive controls and detection. Since you cannot prevent everything, you will most certainly need to implement some form of detection capability. It is very concerning that more than a quarter of the organizations are in the dark, having no idea or warning if/when their preventive controls fail. It is positive that some organizations have taken steps with an IDS or other detective controls such as a SIEM or host
In what timeframe do you need to make (additional) investments in (cyber) security solutions as a result of regulatory compliance?
Fox Interpretation: The numbers show cause for concern, as one cannot help but wonder if the stakeholders are aware of the urgency with which they need to address the need to secure their ICS networks, sooner rather than after an attack has become a paralyzing fact.
In the last three years, how often have you been confronted with a serious ICT cyber incident? (ICT = Information and Communication Technology)
Fox Interpretation: Cybersecurity incidents are a daily occurrence. Even though serious incidents occur less often, they are common enough to be a serious cause of concern and something to be prepared for. The results of this questionnaire confirm this: close to one third of the respondents have been confronted with a serious cybersecurity incident in the last three years. This means that two thirds have not yet fallen victim to a serious incident or, more importantly, do not know it.
How fast do you think it is necessary to be able to respond to a (cyber) security incident?
Fox Interpretation: There are a number of factors that help increase the quality of the response to an incident. Timeliness is one of these factors. Other factors are: timely escalation, appropriate communication, thorough investigation and good mitigation. It is always important to be able to respond quickly to an incident, even though the resulting process of investigation and mitigation may take weeks or even longer.
Does your organization have an Incident Response Plan in place?
Fox Interpretation: A good response plan, which includes having a trusted investigator on speed dial, helps improve the quality of the response and helps drive down the overall costs of
If you had to make an estimate of the costs involved to recover from a cyber-attack, what estimate would that be?
Fox Interpretation: The numbers speak for themselves: everyone realizes that when an ICS environment has been attacked, the consequences are financially devastating.