Getting an industrial site started on the cybersecurity road can be hard. In the Oil & Gas industry, while many major players have deployed cutting edge solutions, and were instrumental in driving cyber standards and methodologies, many small to medium-sized companies are only just starting out on their cybersecurity journey. Matt Malone of Yokogawa joins us to look at strategies to shake loose funding, trigger conditions that can jump-start investments, common stumbling blocks and how to address them.
Listen now or Download for later
THE INDUSTRIAL SECURITY PODCAST HOSTED BY ANDREW GINTER AND NATE NELSON AVAILABLE EVERYWHERE YOU LISTEN TO PODCASTS
About Matt Malone
Matt Malone has been an industrial cybersecurity consultant with Yokogawa for about 3 years, has a master’s degree in IT project management, and a GICSP certification under his belt. At Yokogawa, Matt’s focus is on industrial cybersecurity, where his primary role is providing consultation and completing upgrade and maintenance projects that reduce the overall cyberattack threat level for his clients’ control systems. He is also a US Navy Veteran, a proven team leader, and a lifelong learner eager to pass on the knowledge he’s gained in cybersecurity and other areas he has become an expert in.
The Oil and Gas Cybersecurity Disparity
The topic for this episode is the oil and gas industry, and specifically oil and gas cybersecurity for small to medium-sized facilities. That a lot of such facilities have very little cybersecurity now is a surprise to some industrial cybersecurity veterans, who might recall that API 1164 was the first industrial cybersecurity standard published, even preceding the first ISA SP99 / IEC 62443 publication. Matt explains that while most major oil and gas companies are on the bleeding edge of cybersecurity adoption and deployed technology, most small to medium sized companies have a fledgling program, if there even is one at all. However, he adds that “I think we’ve passed the point of inflection in the industry though where it’s a realized concern now. We’re starting to put people and budgets towards this issue.”
Shake Loose Oil and Gas Cybersecurity Funding
During this podcast episode, Matt talks about the challenge at small to medium sized oil and gas companies to find the financial means to begin and fund initial deployment of, upgrades to, and maintenance for cybersecurity systems. He talks about the financial challenge in the industry to even begin with the basics: the initial cybersecurity assessment. In the upstream and downstream oil and gas industries, budgets can be very tight, and contract delivery prices can be decided one to two years beforehand. Everybody wants to improve their cyber-defenses, but you need to find funding for oil and gas cybersecurity first. Matt explains that one of the ways to do so is to borrow from the strategy used by health, safety, and environment (HS&E) professionals. It costs less to implement safety programs that reduce HS&E risks and costs, than to pay for HS&E incidents and penalties after they occur. Bluntly, it’s in a company’s best long-term interests to find funding for cybersecurity:
It’s a moral decision to protect your folks, but also a very good financial decision. The same can be said for industrial cybersecurity… that a financial argument has been made that protecting our sites is going to be in our long-term interests.
Impediments to Progress
Besides shaking the money loose, Matt reports that the term “air gap” is a real impediment to progress at a lot of sites.’ Rather than “air gap,” Matt would very much prefer another term. “Let’s use a term like [network] segmentation,” Matt says. “Air-gapping provides a false sense of security and is thrown around a little too liberally without people understanding the true situation.” The reality, Matt says, is that modern control systems exist in an almost universally-connected world, especially in the era of IIoT (Industrial Internet of Things).
During this discussion on air gapped networks, our co-host Andrew Ginter provides a personal anecdote about presenting Waterfall’s Unidirectional Gateways as a cybersecurity solution to a large power generating company, only to be rebuffed with the argument that the solution was not needed, because the generating station’s networks were “air-gapped.” A year and a half later, Andrew reports that was called back in to the customer by a regional partner, to give the presentation again. The partner explained that a subsequent security assessment showed that the fleet of generating stations was not air-gapped after all. In the episode, Matt agrees with Andrew:
I wish that term [‘air-gapped’] would just fall out of use. It’s a warm fuzzy blanket that is a lie to hide behind, and at the end of the day you’re just putting off the inevitable.
We can’t give it all away! In this episode, Matt lays out concrete steps as to how to secure funding and launch a cybersecurity program if a small or medium sized company does not know where to begin. Matt also lays out team-building strategies with an eye to effecting positive change from the inside out, and also digs into new angles to qualitative vs. quantitative risk assessments, again with an eye to shaking loose funding.
So please tune in to this podcast for the conversation with Matt Malone and to learn more about starting cybersecurity programs for small and mid-sized Oil and Gas companies.