Helmerich & Payne: We’re All Two Hops From the Internet. Rethinking the OT Security Approach.

When connected devices and sensors run from the pipeline to the IP phone, or from the drill rig to the board room, we can no longer remain focused on the OT device alone in our security strategy. Attackers see one large enterprise, with many possible attack vectors and pivot points. Security teams today need the ability to monitor all vectors and all devices that might be used as points of entry into the network.

Nathan Singleton, Manager of Cybersecurity at Helmerich & Payne, spoke with Curtis Simpson, CISO at Armis, about the security challenges faced by modern industrial enterprises, the areas of exposure, and the changes needed to protect the modern OT environment.

Quick Excerpts:

Curtis
CISO, Armis
One of the things we’re here to talk to you about today is how Nathan looks at this risk, how Nathan’s looked to a partnership at Armis to help manage this risk, and really how Nathan – and many of our customers at Armis – look to this risk in 2020 and beyond. And with that, I want to take a moment to hand it over to Nathan.

Nathan
Manager of Cybersecurity, Helmerich & Payne

Sure thing. Helmerich & Payne, we’re a multinational drilling company. Most of our operations are in the U.S., but we do some work out in South America, and the Middle East. We have offices all over the U.S., Europe and India at this time. We own and operate the big land rigs like you see here in this slide and the previous one. We’ve designed them all, we’ve built them all. And then we also have a few rigs out in the Gulf of Mexico as well, but… we’re transforming ourselves as a company now from a drilling contractor to a drilling technology solution provider. Instead of having the big, dumb iron out there in the rigs that makes the holes and does all the cool stuff that we did, we’re looking at how can we do this more efficiently. How can we drive advanced automation based on real-time data collected at numerous points across the rig, including down hole? How do we analyze that in real time again?

Drilling’s a very dangerous business, and our goal is to make sure that all of our guys get home safe while providing the maximum value to our customers.

Curtis
CISO, Armis

What seems to be the case, and I know in many of these landscapes, it was in mine, it is in more complex oil and gas environments, the visibility into all of these things and how they could potentially impact level one and zero is more important than it’s ever been. And where customers are seeing a lot of value in the likes of a product like Armis, looking at all of these things as devices that could potentially interrupt level zero, level one, and proactively assessing the controls that should be in place versus are.

Nathan
Manager of Cybersecurity, Helmerich & Payne

And as we look through all of this, the way the things were set up and designed and configured two years ago, five years ago, 10 years ago, a lot of changes that have occurred since then. You have vendors coming on board, you have customers coming in… 

Over the years, you just get this history of stuff, just built up over and over again. And there’s really no way beyond the hand-over-hand audit without something like an Armis to go in there and be able to assess what we’ve got… what we needed to do is be able to see from that base level zero up to level five and back down again.

Curtis
CISO, Armis

Unmanaged devices are bringing new exposures. We’ve seen many introductions of many different forms of devices into these environments. We’ve seen devices evolve over time, and we’ve seen many of those other devices not evolve over time. And that lack of visibility and the lack of management in many of these cases of these devices, and inability to patch for a litany of different reasons that I know I don’t need to explain to ICS folks, is truly bringing new exposures into these environments. OT devices are targets. We’re seeing this. We’ve seen this most recently with the CISA advisory earlier this year, but OT devices are targets.

Nathan
Manager of Cybersecurity, Helmerich & Payne

Just a quick little story… what we did is when we were initially POC’ing Armis, we decided “Yeah, we’ll take a look at your system. Why don’t we see if this thing actually works?” And then that was a big point for us because we’d looked at other systems that we really had a lot of problems with. The stories of Armis being able to plug in, and it works as advertised without a whole lot of setup or configuration and no issues were true. We plugged it in and it worked. We plugged it into our new rig control systems and attached it back to the corporate systems, and it actually worked. Now we’ve done some tuning with it, we’ve gotten really tight, we’ve actually layered out everything. We can see all our different layers from zero to five.

Hear the entire webinar as Nathan goes deeper into managing risk and security from the corporate offices to the oil rig – local or global.


*** This is a Security Bloggers Network syndicated blog from Armis authored by Armis. Read the original post at: https://www.armis.com/resources/iot-security-blog/cyber-security-for-oil-and-gas/