If oil and gas companies weren’t already on notice, recent events should have hammered home the message that they need to shore up cyber defense protections of their digital networks. As information technology, operations technology and IoT departments – and the hardware and software systems they access – continue to converge, the need for digital security becomes even more critical as an exposure in any one area can spill over to others.
In a similar fashion, oil and gas companies have a complex ecosystem of partners, suppliers and service providers, many of whom have connected computer networks. If any one of these third parties experience a cyber breach, it can endanger the systems of the oil or gas company with whom they’re doing business.1
What’s more, cyber criminals are continuously evolving, becoming more creative and devious, and wreaking more havoc on businesses, consumers and governments. And oil and gas companies are particularly susceptible.
Their headquarters, operations and power plants, production sites, gathering systems, refineries, chemicals processing sites, and midstream pipelines, as well as their wider partner, supplier and services interconnections, are often spread out over wide geographic areas around the globe, leaving them precariously exposed. And because many locations and sites involve more than one firm – for example, one company owns an oil platform, but another operates it – the lines for responsibility for security get blurred.
What’s more, their digital networks and physical equipment are frequently in need of updating for cyber security purposes; while they were built to last and operate for a long time, the downside is that its cyber protection is outdated. And in addition to the usual “in-it for the money” cybercriminals, the oil and gas industry has to contend with environmental “zealots” who are not above trying to sabotage business operations by hacking into computer systems.2
That’s why it’s high time for the oil and gas industry to likewise evolve and take the next step forward in protecting their business, employees and customers by adopting a “zero trust” approach. The zero trust approach enables you to set up adaptive and continuous protection for users, data and assets that proactively manages risk through key enforcement points enabling you to potentially continue operating your business even while under attack
More companies suing zero trust 80% of new digital business applications opened up to ecosystem partners will be accessed through zero trust network access by 2022.
So, for example, the zero trust approach could have significantly mitigated damages in the Colonial Pipeline incident. Colonial could have simply walled off the part of their operations infected with the “ransomware” and continued to operate while simultaneously fighting the cybercriminals; but since it couldn’t be certain that the “infection” wouldn’t spread, it opted to essentially shut down its entire business operations.3
Although the zero trust concept has been around for quite some time, only recently has the technology caught up to it and made it feasible. In other words, since zero trust typically relies on cloud/hybrid cloud adoption, identity, and network modernization, only recently has it become conducive for companies to realize the full potential value of zero trust. In this report, we will explore the zero trust journey, what it is, how it works, and how to design and implement a program.
Cyber crime is big and growing
Opportunities for cyber breaches have expanded exponentially over the past several years. New, more mobile working arrangements, innovative cloud technology, and increased business dealings with vendors and other third parties have created a more porous perimeter, increasing the attack surface and exposing vulnerabilities (i.e., more opportunities) for cybercriminal attacks. In the face of these developments, the traditional “cyber security perimeter” defense has become far less effective, enabling cyber criminals and other “bad actors” to exploit weaknesses and holes with more frequency and do far more damage.
By 2025, global cybercrime damage is expected to reach $10.5 trillion annually.4 And in the U.S. in 2020, the average data breach cost organizations $8.64 million.5 Aside from a purely dollars-and-cents damage, these breaches can also have worker safety as well as environmental and safety implications on the surrounding communities. They can also jeopardize a company’s brand and reputation, undermining its customers’ trust in the reliability of the company and the safety of their private data. In addition, these breaches also expose the company to litigation and regulatory penalties.
For oil and gas companies, the stakes can be even higher. Considering the essential role they play both nationally and globally, and depending on the nature and severity of a breach, a company’s ability to survive as an ongoing entity can be called into question.
That’s why more companies are taking a zero trust approach to shore up their cyber defenses. Even the U.S government has strongly endorsed the zero trust concept. The Biden Administration recently rolled out a zero trust mandate for federal agencies, and the fall out is expected to ultimately filter down to private industry.6
Zero trust basics: The perimeter-less border
With zero trust, you establish what is often referred to as a “perimeter-less” defense system7 based on the principal of never trusting and always verifying individuals and devices, regardless of whether they are inside or outside of the organization. Before access to a system or app is granted, the person or device seeking access must be identified, assessed verified and authorized. And this authentication process takes place each and every step of the way. However, from the user’s perspective, the process is quick, easy and seamless - unless issues are detected.
This stands in marked contrast to the traditional “castle and moat” cyber security defense, where once a person (or device) manages to cross the moat and enter or breach the front door or wall of the castle, there’s relatively easy access to the “crown jewels.” That approach is no longer enough in this new world environment where cyber criminals are more cunning then ever and more employees - as well vendors, contractors, suppliers and even business partners – need immediate access to data from enterprise apps and systems located anywhere in the world and from any device via the internet.
With zero trust, whomever (or whatever) attempts to access your systems – along with the device they’re using – is identified, assessed, authenticated and authorized in light of the system they are trying to access, and that session is continuously monitored. And when they seek to access another system, the process is done all over again.
So using the castle analogy, once individuals manage to cross the moat, they would have to go through a reauthorization process to get through the front door. And the same thing would occur whenever they attempted to move to a different part of the castle. In some cases, depending on the individual’s approved authorization, he or she would only be allowed to go directly to a particular room; in fact, the individual wouldn’t even have visibility into any other room in the castle. (Think hotel or building elevator that only takes you to a particular floor.)
Taking it one step further, with the right zero trust model that is implemented properly, an individual would only be able to go directly to the bathroom off of a particular guest bedroom (assuming the bathroom was the intended destination). And with today’s powerful computer capabilities, the identification/authentication/authorization process would occur seamlessly and nearly instantaneously (or at least quickly).
Key potential benefits of zero trust
Key potential benefits of a zero trust approach are that (1) it prevents bad actors from getting authorized and then accessing your system and (2) in the event of an initial breach, your company would be able to detect and isolate the intruding person, device or “bug” and turn off its access to the system, not allowing it to pivot or escalate the attack.
For example, one of the world’s leading shipping companies, was brought to a standstill by cybercriminals who installed ransomware on a local office server in the Ukraine. The virus then spread throughout the company’s entire global network, causing an estimated $250- $300 million in damages. But a zero trust approach, with its multiple reauthentication security and continuous session monitoring process, could have limited the damage to the Ukraine and not caused a company-wide shut down.8
Similarly, in 2021, a state-owned oil company was the victim of a cyber attack. The perpetrator accessed confidential data through the system of a third-party contractor with whom the company did business. Although its business operations weren’t interrupted, the cybercriminal demanded $50 million from the company or threatened to sell the information to any other party for $5 million. Had the company been operating a zero trust strategy, it’s unlikely its systems would have been breached.9
There are a host of other potential benefits to be gained by a zero trust approach. For example, it can:
- Improve network visibility, breach detection, and risk vulnerability management.
- Break down interdepartmental siloes as IT, HR, marketing, operations compliance and others need to work together to get it right
- Reduces both capital and operational costs in the long-term.
- Enables and supports digital business transformation and improved business agility.
KPMG helps global retailer implement zero trust program
Due to the COVID-19 pandemic, a global retail client’s entire workforce started working remotely from home and connecting to their network through virtual private network (VPN). The employees were using a cloud-based collaboration platform to work with their teams. In addition, the company started leveraging more cloud-based applications and platforms to support the business.
This led to a significant increase in VPN traffic, poor network performance, and a poor user experience. What’s more, the increased work from outside the office from a variety of devices increased the potential for a cyber breach.
Client solution: KPMG helped the client implement a zero trust process that enabled it to secure the new cloud environments by shifting away from one-time binary access decisions to contextual, risk and trust-based decisions. This allowed remote users to access their data and resources securely over the Internet while also reducing the amount of VPN traffic and providing a better user experience.
Getting started on your zero trust journey
A critical element in designing and implementing a zero trust architecture is understanding that it may represent a cultural change and challenge to your organization. Therefore, you will need commitment from senior management to help overcome resistance to it.
And while the CIO and the cybersecurity department may lead the effort, you also need the buy-in and cooperation of the entire organization – including information technology, operational technology, IOT, HR, compliance and regulatory, and sales and marketing – to get it right.
The zero trust security architecture must integrate with the organization’s security and IT environments to enable speed and agility, improve incident response, and to support policy accuracy and the delegation of responsibilities. At the same time, the authentication and reauthentication measures cannot unduly burden the normal operations of the business, particularly in terms of wasted time.
Here are some key steps to help you get started on your journey:
- Determine what you’re trying to achieve: Don’t start with the solution. Determine what needs improvement and which zero trust components make sense. Also, keep in mind that the zero trust model doesn’t have to be implemented all at once; it can be phased in and tailored to your organization’s level of maturity.
- Identify and prioritize which data and assets are most valuable: Collect as much information as possible about the current state of assets, network infrastructure and communications. Also, classify the level of “sensitivity” of each asset - for example, the customer database, source codes, confidential or proprietary information (e.g., business process) and the HR portal - as “restricted,” “highly restricted,” and so on.
- Map data flows cross your network. This step is a primary reason why you need the input and cooperation of multiple departments and not just cybersecurity and IT; the zero trust approach impacts everyone. The data flows include:
- North-South traffic, such as from a front-end web portal to back-end servers.
- East-West traffic, such as purchase information to fulfillment and accounting systems within the corporate network.
- Group assets with similar functionalities and sensitivity levels into the same micro-segment. This will help you determine when and where authentication and reauthentication may be needed, so you can
- Deploy a segmentation gateway: This can be virtual or physical and will enable you to achieve control over each segment.
- Define a “least privilege” access policy to each of these assets, whereby access to services is granted based on context and the risk profile of users and devices (e.g., a public device, based in a suspicious location or on company premises), and all access must be authenticated, authorized, and encrypted.
- Select the right technologies and services to support zero trust: The cybersecurity team will be instrumental in this decision, but will certainly need input from other departments, including finance. It’s critical to build in flexibility that will be needed to adapt to everchanging risks and the ability to conduct real-time monitoring and continuous assessment and anomaly detection.
- When making the presentation to senior management or other decision makers, be prepared with a final estimate of resources needed as well as the proposed timing for implementation.
If done correctly, a zero trust approach doesn't just block cyber criminals and bad actors from doing things they shouldn’t be able to do; it enables people to do their jobs better – with less friction and a higher degree of security
Continue on your zero trust journey – or start today
The oil and gas industry is a particularly inviting target for cybercriminals. It is a financially lucrative enterprise, it plays an outsized role in meeting the needs of billions of people around the world, its operations are widely dispersed, and its accumulated technology debt and outdated cyber defense systems have left it vulnerable. It’s time to move forward and reimagine these defensive capabilities by utilizing a zero trust approach.
Zero trust is flexible enough to be adapted to meet the needs of your organization, its culture and its workforce. Most O&G companies already have some manner of zero trust enabled technologies within their network environments. So for them, it’s a matter of building on what they have already towards a stronger, more complete zero trust world. Whether you have parts of a zero trust program in place or are starting from scratch, keep in mind that it can be matured over time depending on your resources and readiness level. But the key is to get started or continue your journey.
How KPMG can help
KPMG firms can help organizations implement zero trust models starting with strategic business case orientation, helping create roadmaps leading all the way up to technology integrations and implementations. Our professionals understand oil and gas systems, processes, and complete cyber challenges. Our first-hand experience with industry operations and cultures can help determine the best method and technology options to solve the most complex and urgent cyber security challenges while strengthening your organization’s ability to handle emerging and evolving threats.
Cyber security regulation, malicious actors, acts of nature, and accidents will not slow down while organization’s leaders are thinking about their next cyber security steps. Start planning or continuing your zero trust model implementation now so your organization is more prepared for what might happen next.