This SecurityGate.io customer is an oil-service industry leader, specializing in rigs and drilling equipment. For privacy and security reasons, they have chosen to remain anonymous for this case study.
Like most companies in the oil industry, they have implemented a great deal of operational technology (OT) to help monitor the performance of their equipment.
Their Director of Security is in charge of ensuring all the industrial control systems (ICS) are secure and properly assessed for risks. With a lean department, he has turned to SecurityGate.io to perform timely and consistent assessments and provide an in-depth dashboard for executive review.
A cybersecurity professional, their Director of Security has seen a lot of changes throughout the industry. But he notes in particular that over the years, OT has moved increasingly into the cloud as well as closer to corporate IT departments.
“Much of the OT data and KPIs are now stored in the cloud,” he points out. “Internal teams can now log into their drilling rig remotely to look at the pump status, their drilling status and a number of other data points about that drilling rig. It has been surprising to see so much movement of OT to the cloud.” But with this evolution came a number of challenges that made it increasingly difficult for the organization to carry out an efficient risk management strategy.
OT and IT have historically been separate entities, but the increasing reliance on cloud infrastructure and the hosting requirements for putting ICS online have caused that gap to shrink considerably.
Before ICS devices began coming online, much of the OT was controlled directly on site—they had to physically send employees out to a rig to gather relevant data.
“OT professionals just have a different mindset,” their Director of Security says. “They are purely focused on operations, and it can be challenging to get them to see the full picture. But the modern OT person must consider the importance of cybersecurity and its importance in protecting their systems from attack vectors.”
This inventory does not only include the number of devices measuring data on the rigs; it also includes the components inside the devices that could be compromised by bad actors.
Their director brings up a particular security camera with a NIC inside that was vulnerable to intruders, stating that “People just don’t understand what they have in their OT infrastructure.” Naturally, this can be problematic in terms of exposure.
To better understand the risk of different OT environments, they perform assessments at different sites and rigs across the company portfolio. However, doing these assessments in person resulted in numerous challenges for the team.
First, there was the logistical effort: a security employee would have to perform the assessment with operations staff on-premises. Typically, this resulted in travel costs for the company and time away from home for the employee. The process was further complicated by the COVID-19 pandemic when most employee travel was grounded.
Second, the assessments were performed by two individuals who each had their own approach to the process, which, their director notes, meant a lot of room for variability in the results.
A lack of consistency in answers only creates problems down the road in truly understanding the company’s risk of exposure. Even though two business units might possess a similar risk, a lack of consistency between assessments could result in the risk posture appearing uneven. While one business unit may be able to remediate a potential deficiency, the other unit may have that same entry point exposed to an outside attack.
Finally, doing the work in person resulted in a tremendous amount of time between when the assessment was performed and when the results were available in a consumable format. Their Director of Security said that after a long day of posing questions to the OT staff, he would have to return to the hotel, collate the information from spreadsheets, rationalize the controls and come up with a statement of risk. Not only was this time-intensive, but it also required him and his team to wade through multiple spreadsheets to piece together insights.
The company realized that the OT assessment process had to be improved. To do so, they turned to SecurityGate.io, the software-as-a-service platform that enables OT cybersecurity teams to do away with spreadsheets and emails and perform assessments in record time.
For this company, the number-one feature of SecurityGate.io was that it provided guided assessments for their team. The platform provides a predefined workflow built with turnkey questions and industry-specific risk scoring. Additionally, the ability for the Director of Security to configure questions to the unique context of their company helps ensure that the same assessment gets performed the same way, every time.
This consistency and ability to perform assessments remotely have empowered them to decrease the lead time for assessments from a couple of weeks to a couple of hours.
Another benefit of SecurityGate.io has been the ability to quickly roll up reports that give visibility into risk assessments and remediations for the company’s board. Rather than having to scramble across a number of spreadsheets in disparate places to put together a presentation, they can now quickly generate insights and dashboards based on a single source of truth for their executive team.
These data visualizations can include a digestible view into how risk posture has changed for the company over time. Additionally, a stoplight chart of intelligent insights can show ICS events according to risk level—extreme, moderate or minimal—giving decision-makers a clear view of the operation. Finally, SecurityGate.io has the ability to create automated reports that can be customized for specific analysis of assessments and remediations, packaged in a visual format that will impress the C-suite.
Bill is SecurityGate.io’s Chief Information Security Officer. Prior to joining the company he was Vice President and Chief Security Officer for North American Electric Reliability Corporation (NERC). Bill had a distinguished career in the Navy where he flew Tomcats and Super Hornets. He has a computer science degree from the U.S. Naval Academy where he later became the Deputy Director of Character Development and Training and taught courses in cybersecurity. Bill has a master’s degree in International Relations from Auburn Montgomery, and a master’s degree in Military Operational Art and Science from the Air Command and Staff College.