Data Diodes Offer Cost-Effective Way to Secure Oil & Gas Networks from Assets to the Cloud

By Larry O'Brien

Summary

COVID-19 has left the oil and gas industry short on demand, capital spending, and resources.  The drive to reduce cost is intense, with companies like Shell announcing the intention to reduce its cost of production by 40 percent.  The industry was already experiencing the “great crew change” well before 2020, with large numbers of baby boomer workers retiring and nobody in line to take their place.  This, and the massive layoffs brought on by the global pandemic, increase cyber risks for oil majors and other companies.

Many oil and gas companies already struggle with a shortage of skilled cybersecurity professionals to secure and maintain critical plant control systems.  Reductions in staff will further compromise efforts to perform the required, ongoing maintenance of traditional cyber defenses.  Meanwhile, cyber-attacks have become increasingly sophisticated, placing safety systems - the last line of defense for health, safety, and the environment - at risk.  Additional cybersecurity challenges related to remote access, Industrial IoT (IIoT) technologies, and edge computing will only further add fuel to this already critical situation.    

In this tenuous time of limited resources and increased threats, companies must reduce cybersecurity-related operational and maintenance requirements.  ARC Advisory Group recently sat down with Owl Cyber Defense to discuss how data diodes can help address this critical need across oil and gas applications. 

What Are Data Diodes?

Data diodes, also known as unidirectional security gateways, can help ensure secure, safe, and reliable one-way communication between two networks or domains.  These devices physically restrict communications, so messages can only flow in one direction, away from the protected system.  This means there is no physical way that a message could be sent back into the protected system.  They also have high security network interfaces to manage transfers across internal non-routable interfaces and packet conversions.  So, while the protected system can share information with others, it remains completely isolated from external cyber-attacks. 
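Because nothing can travel back into the protected system, the receiving side can never acknowledge a message or ask for it to be resent, which is why protocols that depend on replies need the packet conversion mentioned above. The following Python sketch is an added illustration, not Owl's implementation or code from the ARC report: it shows one way a send-side and receive-side proxy pair could frame data for a one-way link. The frame layout, the repeat count, the function names, and the sample records are all assumptions made for the example.

```python
import struct
import zlib

HEADER = struct.Struct("!IH")   # assumed layout: 4-byte sequence number, 2-byte payload length
REPEAT = 2                      # assumed redundancy: no return path means no resend requests

def frame(seq, payload):
    """Send side: wrap one record in a frame that ends with a CRC32 of header + payload."""
    body = HEADER.pack(seq, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body))

def send_side(records):
    """Produce the datagram stream pushed through the diode, each frame REPEAT times."""
    return [frame(seq, rec) for seq, rec in enumerate(records) for _ in range(REPEAT)]

def receive_side(datagrams):
    """Receive side: verify, de-duplicate and report gaps. It never sends anything back."""
    seen, rejected = {}, 0
    for d in datagrams:
        if len(d) < HEADER.size + 4:
            rejected += 1
            continue
        body, (crc,) = d[:-4], struct.unpack("!I", d[-4:])
        seq, length = HEADER.unpack(body[:HEADER.size])
        if zlib.crc32(body) != crc or length != len(body) - HEADER.size:
            rejected += 1
            continue
        seen.setdefault(seq, body[HEADER.size:])   # a repeated copy is ignored
    missing = [s for s in range(max(seen, default=-1) + 1) if s not in seen]
    return seen, missing, rejected

def demo():
    # Constructed sample historian records (tag=value), not real plant data.
    records = [b"PT-101=42.7", b"TT-204=88.1", b"FT-310=12.0", b"LT-415=63.5"]
    link = send_side(records)
    del link[4:6]                                  # both copies of record 2 lost in transit
    del link[2]                                    # one copy of record 1 lost
    damaged = bytearray(link[3])                   # first copy of record 3 ...
    damaged[6] ^= 0xFF                             # ... corrupted in transit
    link[3] = bytes(damaged)
    return receive_side(link)

if __name__ == "__main__":
    print(demo())
```

The receive side can only log the gap at sequence 2 for operators to follow up; it has no channel through which to request the missing record from the protected network.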


The simplicity of this approach removes the need for ongoing maintenance of firewall rules and concern about the firewall software vulnerabilities that frequently occur in conventional network security solutions. 

Data diodes can also be used to build high-security bidirectional communication interfaces.  In this case, independent data diodes are used to tightly control communications in each direction without providing any pathways for conventional protocol exchanges that might carry malware. In addition, communication can still only be initiated on the high security or “trusted” side of the network, mitigating the risk of the data transfer being hijacked for malicious purposes.

Data diodes have a long history of use in the oil and gas industry, primarily as a high-security perimeter defense for remote monitoring.  Replicating historian data to IT networks and the cloud is another common application.  But developments in the industry and data diode technology have broadened the opportunities for oil and gas companies to leverage this powerful, cost-effective, maintenance-free technology. 

Owl Cyber Defense

Established in 1999, Owl Cyber Defense is a US-owned and operated company headquartered in Columbia, MD.  Owl is a global supplier of data diode and cross-domain network cybersecurity solutions. With a focus on customers in the military, government, critical infrastructure, and commercial communities, Owl has customers around the world, including multinational oil and gas majors.

Owl has developed a variety of data diode cybersecurity solutions to address oil and gas industry pain points.  The following sections illustrate some of these applications.    

Securing Industrial IoT Communications with Data Diodes

The oil and gas industry was one of the first to adopt Industrial IoT technologies all the way down to the sensor or end device level.  The industry is undergoing a fundamental shift from traditional centralized control systems to widely distributed systems consisting of connected sensors and assets.  These sensors are connected to a variety of networks and edge computing devices and associated sensor-to-edge and edge-to-cloud computing platforms.  Many formerly “dumb” assets are suddenly becoming digitized and connected, bristling with sensors, all of which transmit myriad data points. 


Protecting these connected assets, particularly “mission-critical assets” that have an impact on safe operations, is a huge challenge. The conventional IT network technologies commonly used to connect these sensors lack the security capabilities needed for critical industrial applications.  Devices can also use protocols, such as MQTT, that lack inherent mechanisms for high-security network communications.  As ARC learned, Owl offers cost-effective, data diode-based solutions for this critical problem that require minimum installation, configuration, or ongoing maintenance. 

Data Diodes in Process Safety Systems

The oil and gas industry is one of the largest users of process safety systems.  Today’s mounting cyber threats to safety systems were highlighted by the 2017 cyber-attack on a process safety system at a Middle Eastern refinery. That attack launched the TRITON malware package, with the goal of reprogramming the process safety system so it would not perform its intended function of shutting down the plant in a safe manner in an abnormal situation. 

Integrating control systems with process safety systems has been a hot topic of debate in the industry.  Many safety systems today are integrated with distributed control systems (DCSs) in a common environment, with common networks, common operator interface design, and so forth. Still more safety systems are interfaced with DCSs, either through a proprietary gateway or other means that still pose the risk of unsecured bidirectional communication.  In the case of the TRITON malware attack, the DCS and the safety system were not integrated, but were two systems from two separate suppliers with an interface between the safety system and DCS. 

Both integrated and interfaced process control and safety systems promise easier information sharing with operations management and other “Level 3” and enterprise applications.  Safety system data is needed at higher levels for things like reporting and safety lifecycle management applications.

Data diodes can provide a cost-effective and low-maintenance way to ensure secure communications within and outside the safety system.  A secure one-way communication channel from the safety system can provide other systems and applications the information they need without the possibility of intrusion back into the safety network.  Within the safety system itself, data diodes can help ensure secure one-way communication from the safety system to associated operator and maintenance consoles. 

Securing Critical Assets at The Edge: Blowout Preventers

Owl also provides data diode solutions to protect communications with critical edge assets and devices.  This is critical for the offshore oil and gas sector to support remote monitoring and remote operations of crucial, previously unconnected assets and new network sensors.  

Blowout preventers (BOPs) are a good example.  These newly connected critical assets are crucial safety elements in oil and gas production that prevent unexpected back pressure surges from producing uncontrolled releases from wells.   In the past, BOPs were relatively “dumb” assets, designed only to function if the conditions warranted.  But that’s changing rapidly with the introduction of new regulations governing safety.  


In the wake of the Deepwater Horizon incident, new regulations put into place by the US Bureau of Safety and Environmental Enforcement (BSEE) require regular reporting of maintenance, condition monitoring, and failure data from blowout preventers and their associated control systems.  Maintenance personnel also require condition monitoring information from BOPs.  This monitoring is being done from remote operations centers that, increasingly, look at asset information from many rigs dispersed across a large geographic area.    

The main challenges for end users are ensuring that BOP systems are protected from external attacks and securing the information sent to shore systems without drastic modifications to the system.  This is complicated by complex offshore rig infrastructures that can be owned by multiple end user companies. Equipment on rigs can also include legacy products with old, unsupported operating systems, and changes can occur without notification.

BOPs and other rig controls are intended to be “set and forget” systems and the cybersecurity approach should reflect this.  Data diodes are a natural solution as they rarely require maintenance and the security provided is resilient to changes that may occur in the BOP or rig control systems.     

Embedding Data Diode Technology in Systems

The newest frontier for data diode technology is within the systems and assets themselves.  There is no reason why data diodes need to have their own dedicated box, so why not provide it in a single, board-level design that can be integrated into products?  Owl Cyber Defense is looking into embedding data diode technology into modern control and safety systems to supply an extra layer of security where it is really needed. 

Recommendations

Oil and gas extraction, processing, transportation, and distribution operations are critical infrastructure that demand the best possible cybersecurity.   A single incident can have devastating impacts on people, nations, and the environment.  Many oil and gas companies already use data diodes to protect the perimeters of major facilities, but they should be looking for more applications where this technology could be used.  The benefits in better security, reduced costs, and lower resource demands can be significant.  And, as the offerings of Owl Cyber Defense illustrate, cost-effective solutions are available that can be used to address a multitude of common industry challenges. 

Certainly, data diodes do not solve all end user cybersecurity problems.  But ARC believes they should be viewed as a possible solution for securing network infrastructure and devices across multiple levels of oil and gas operations, from critical assets to control and safety systems to Industrial IoT-based solutions.  Other areas that should be explored include terminal automation systems, custody transfer systems, tank farm automation, and oil movement and storage.

Data diodes can also be used to enable other cybersecurity efforts.  For example, Owl Cyber Defense recently signed a cooperative agreement with Dragos, a threat detection and response provider, to help ensure that secure remote monitoring of critical assets does not open new pathways for attacks.

 

ARC Advisory Group clients can view the complete report at ARC Client Portal


Keywords: Cybersecurity, Data Diodes, Unidirectional Gateways, Oil and Gas, Industrial Internet of Things, Remote Monitoring, Owl Cyber Defense, ARC Advisory Group.
