Safeguard your digital environments from all angles

What’s more, cyber criminals are continuously evolving, becoming more creative and devious, and wreaking more havoc on businesses, consumers and governments. And oil and gas companies are particularly susceptible.

Their headquarters, operations and power plants, production sites, gathering systems, refineries, chemicals processing sites, and midstream pipelines, as well as their wider partner, supplier and services interconnections, are often spread out over wide geographic areas around the globe, leaving them precariously exposed. And because many locations and sites involve more than one firm – for example, one company owns an oil platform, but another operates it – the lines for responsibility for security get blurred.

What’s more, their digital networks and physical equipment are frequently in need of updating for cyber security purposes; while they were built to last and operate for a long time, the downside is that its cyber protection is outdated. And in addition to the usual “in-it for the money” cybercriminals, the oil and gas industry has to contend with environmental “zealots” who are not above trying to sabotage business operations by hacking into computer systems.²

That’s why it’s high time for the oil and gas industry to likewise evolve and take the next step forward in protecting their business, employees and customers by adopting a “zero trust” approach. The zero trust approach enables you to set up adaptive and continuous protection for users, data and assets that proactively manages risk through key enforcement points enabling you to potentially continue operating your business even while under attack

For oil and gas companies, the stakes can be even higher. Considering the essential role they play both nationally and globally, and depending on the nature and severity of a breach, a company’s ability to survive as an ongoing entity can be called into question.

That’s why more companies are taking a zero trust approach to shore up their cyber defenses. Even the U.S government has strongly endorsed the zero trust concept. The Biden Administration recently rolled out a zero trust mandate for federal agencies, and the fall out is expected to ultimately filter down to private industry.⁶

With zero trust, you establish what is often referred to as a “perimeter-less” defense system⁷ based on the principal of never trusting and always verifying individuals and devices, regardless of whether they are inside or outside of the organization. Before access to a system or app is granted, the person or device seeking access must be identified, assessed verified and authorized. And this authentication process takes place each and every step of the way. However, from the user’s perspective, the process is quick, easy and seamless - unless issues are detected.

This stands in marked contrast to the traditional “castle and moat” cyber security defense, where once a person (or device) manages to cross the moat and enter or breach the front door or wall of the castle, there’s relatively easy access to the “crown jewels.” That approach is no longer enough in this new world environment where cyber criminals are more cunning then ever and more employees - as well vendors, contractors, suppliers and even business partners – need immediate access to data from enterprise apps and systems located anywhere in the world and from any device via the internet.

With zero trust, whomever (or whatever) attempts to access your systems – along with the device they’re using – is identified, assessed, authenticated and authorized in light of the system they are trying to access, and that session is continuously monitored. And when they seek to access another system, the process is done all over again.

So using the castle analogy, once individuals manage to cross the moat, they would have to go through a reauthorization process to get through the front door. And the same thing would occur whenever they attempted to move to a different part of the castle. In some cases, depending on the individual’s approved authorization, he or she would only be allowed to go directly to a particular room; in fact, the individual wouldn’t even have visibility into any other room in the castle. (Think hotel or building elevator that only takes you to a particular floor.)

Taking it one step further, with the right zero trust model that is implemented properly, an individual would only be able to go directly to the bathroom off of a particular guest bedroom (assuming the bathroom was the intended destination). And with today’s powerful computer capabilities, the identification/authentication/authorization process would occur seamlessly and nearly instantaneously (or at least quickly).

Key potential benefits of a zero trust approach are that (1) it prevents bad actors from getting authorized and then accessing your system and (2) in the event of an initial breach, your company would be able to detect and isolate the intruding person, device or “bug” and turn off its access to the system, not allowing it to pivot or escalate the attack.

For example, one of the world’s leading shipping companies, was brought to a standstill by cybercriminals who installed ransomware on a local office server in the Ukraine. The virus then spread throughout the company’s entire global network, causing an estimated $250- $300 million in damages. But a zero trust approach, with its multiple reauthentication security and continuous session monitoring process, could have limited the damage to the Ukraine and not caused a company-wide shut down.⁸

Similarly, in 2021, a state-owned oil company was the victim of a cyber attack. The perpetrator accessed confidential data through the system of a third-party contractor with whom the company did business. Although its business operations weren’t interrupted, the cybercriminal demanded $50 million from the company or threatened to sell the information to any other party for $5 million. Had the company been operating a zero trust strategy, it’s unlikely its systems would have been breached.⁹

There are a host of other potential benefits to be gained by a zero trust approach. For example, it can:

• Improve network visibility, breach detection, and risk vulnerability management.
• Break down interdepartmental siloes as IT, HR, marketing, operations compliance and others need to work together to get it right
• Reduces both capital and operational costs in the long-term.
• Enables and supports digital business transformation and improved business agility.

A critical element in designing and implementing a zero trust architecture is understanding that it may represent a cultural change and challenge to your organization. Therefore, you will need commitment from senior management to help overcome resistance to it.

And while the CIO and the cybersecurity department may lead the effort, you also need the buy-in and cooperation of the entire organization – including information technology, operational technology, IOT, HR, compliance and regulatory, and sales and marketing – to get it right.

The zero trust security architecture must integrate with the organization’s security and IT environments to enable speed and agility, improve incident response, and to support policy accuracy and the delegation of responsibilities. At the same time, the authentication and reauthentication measures cannot unduly burden the normal operations of the business, particularly in terms of wasted time.

Here are some key steps to help you get started on your journey:

• Determine what you’re trying to achieve: Don’t start with the solution. Determine what needs improvement and which zero trust components make sense. Also, keep in mind that the zero trust model doesn’t have to be implemented all at once; it can be phased in and tailored to your organization’s level of maturity.

• Identify and prioritize which data and assets are most valuable: Collect as much information as possible about the current state of assets, network infrastructure and communications. Also, classify the level of “sensitivity” of each asset - for example, the customer database, source codes, confidential or proprietary information (e.g., business process) and the HR portal - as “restricted,” “highly restricted,” and so on.
• Map data flows cross your network. This step is a primary reason why you need the input and cooperation of multiple departments and not just cybersecurity and IT; the zero trust approach impacts everyone. The data flows include:
  • North-South traffic, such as from a front-end web portal to back-end servers.
  • East-West traffic, such as purchase information to fulfillment and accounting systems within the corporate network.
• Group assets with similar functionalities and sensitivity levels into the same micro-segment. This will help you determine when and where authentication and reauthentication may be needed, so you can
  • Deploy a segmentation gateway: This can be virtual or physical and will enable you to achieve control over each segment.
  • Define a “least privilege” access policy to each of these assets, whereby access to services is granted based on context and the risk profile of users and devices (e.g., a public device, based in a suspicious location or on company premises), and all access must be authenticated, authorized, and encrypted.
• Select the right technologies and services to support zero trust: The cybersecurity team will be instrumental in this decision, but will certainly need input from other departments, including finance. It’s critical to build in flexibility that will be needed to adapt to everchanging risks and the ability to conduct real-time monitoring and continuous assessment and anomaly detection.
  • When making the presentation to senior management or other decision makers, be prepared with a final estimate of resources needed as well as the proposed timing for implementation.

The oil and gas industry is a particularly inviting target for cybercriminals. It is a financially lucrative enterprise, it plays an outsized role in meeting the needs of billions of people around the world, its operations are widely dispersed, and its accumulated technology debt and outdated cyber defense systems have left it vulnerable. It’s time to move forward and reimagine these defensive capabilities by utilizing a zero trust approach.

Zero trust is flexible enough to be adapted to meet the needs of your organization, its culture and its workforce. Most O&G companies already have some manner of zero trust enabled technologies within their network environments. So for them, it’s a matter of building on what they have already towards a stronger, more complete zero trust world. Whether you have parts of a zero trust program in place or are starting from scratch, keep in mind that it can be matured over time depending on your resources and readiness level. But the key is to get started or continue your journey.

KPMG firms can help organizations implement zero trust models starting with strategic business case orientation, helping create roadmaps leading all the way up to technology integrations and implementations. Our professionals understand oil and gas systems, processes, and complete cyber challenges. Our first-hand experience with industry operations and cultures can help determine the best method and technology options to solve the most complex and urgent cyber security challenges while strengthening your organization’s ability to handle emerging and evolving threats.

Cyber security regulation, malicious actors, acts of nature, and accidents will not slow down while organization’s leaders are thinking about their next cyber security steps. Start planning or continuing your zero trust model implementation now so your organization is more prepared for what might happen next.