IoT has revolutionized processes throughout oil and gas operations, but the increased connectivity it provides also leaves systems more vulnerable to cyberattacks than ever before. To sufficiently combat the growth of threats in both number and sophistication, combined with the scarcity of security talent, the oil and gas industry needs a stronger approach to cybersecurity. AI-based solutions for cybersecurity can monitor and protect not only the IT infrastructure, but also the OT network.

1. Using a Cognitive Analytic Approach to Enhance
Cybersecurity on Oil and Gas OT Systems
Philippe Herve

2. OTC-27895-MS • Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas OT Systems • Herve
Communication with OT systems has traditionally been limited
▶ OT systems are old and outdated, and generally have a low degree of
connectivity between systems
▶ OT physical assets and control systems typically do not come with
adaptors for linking to IT networks
▶ The information used by one level of an OT system cannot be
understood by another
▶ OT design prioritizes safety, efficiency, and constant availability—not
confidentiality
▶ Volatile drilling environments and the need for constant production
can both make minor technical issues catastrophic

3. IoT is increasing connectivity of OT systems
OTC-27895-MS • Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas OT Systems • Herve

4. The old paradigm for security is no longer scalable
OTC-27895-MS • Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas OT Systems • Herve

5. Evolving Landscape: With the number of connected devices and new threats growing exponentially
each year, machine scale is required to keep up with the evolving threat landscape
Number of connected devices
that will need to be secured in
2020, up from 9B in 2012
Cyber attacks originate from
the endpoint and propagate
through the network
Number of new malicious
threats created last year by
hackers around the globe,
up from 47M in 2010
Of connected devices
will be IoT
Ransomware payments were made
from corporations to hackers in 2015
325M
Expected increase in ransomware
payments in 2016
4x
The initial detection rate of newly
created malware by traditional
(signature based) antivirus solutions
<25%
The time it takes most traditional
antivirus vendors to detect a new
virus
4 weeks
50B
600M
50%
95%
OTC-27895-MS • Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas OT Systems • Herve

6. The signature-based approach to endpoint protection is
broken. A new approach is needed to keep up with the
evolving threat landscape.
Traditional perimeter detection can no longer
keep up with the greater number of outside
connections in OT networks
Traditional endpoint detection can no longer
keep up with the proliferation of new sensors
and endpoints to guard
OTC-27895-MS • Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas OT Systems • Herve

7. Combine anomaly detection with machine learning for more robust
cyber protection
This is most effective when powered by machine learning.
OT systems are designed for repeatable communications. The
expected signals and behaviors of OT components are well defined,
making anomalies particularly uncommon—and particularly easy to
identify.
Anomaly detection is designed to monitor the behavior of
endpoint devices within the network and flag any unusual
behaviors or abnormal signals being sent out.
OTC-27895-MS • Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas OT Systems • Herve

8. Machine learning is inspired by how the human brain operates
Enables machines to
penetrate the
complexity of data to
identify associations
Presents powerful
techniques to handle
unstructured data
Continuously learns,
not only from previous
insights, but also for
new data entering the
system
Provides NLP support
to enable human to
machine and machine
to human
communication
Does not require
rules, instead relies on
hypothesis generation
built on analyzed data
Processes
information
Draws
conclusions
Codifies instincts &
Experiences into learning
OTC-27895-MS • Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas OT Systems • Herve

9. Subtler cyberattacks may involve unusual behaviors that still fall
within the normal rules of operation.
EX: A control system suddenly tells a device that regulates valves
to close a valve that is usually left open. This is a normal type of
message sent between the correct devices—but the content and
timing is statistically unusual.
Rules-based anomaly detection would not catch this, but a
machine learning system would.
Machine learning is inspired by how the human brain operates
OTC-27895-MS • Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas OT Systems • Herve

10. How machine learning-powered anomaly detection could
have caught Stuxnet
A learning anomaly detection program could have caught Stuxnet at a variety of stages:
Operates outside PLCs, so would not have
been fooled by Stuxnet’s false signals from
PLCs that operations were normal and
would have detected anomalous
operations in centrifuges
Initial propagation of Stuxnet worm
between nodes in system would have
been flagged as anomalous before it could
reach the targeted programmable logic
controllers
Would have recognized that a worm had
found its way into the device and blocked
it from executing, therefore preventing it
from sending sabotaging orders to Iran’s
nuclear centrifuges
OTC-27895-MS • Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas OT Systems • Herve

11. Case study: Identifying anomalous
traffic with a learning algorithm
OTC-27895-MS • Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas OT Systems • Herve

12. The problem
We were contracted by an industrial leader in gas, technologies, and services to investigate
their Intranet traffic in August of 2016.
Using a proprietary profile-based threat detection algorithm, a sample of the client company’s
firewall logs were examined.
Sample:
A single firewall
200,000
Cisco ASA
log lines
OTC-27895-MS • Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas OT Systems • Herve

13. Approach
The threat detection algorithm was trained on the firewall’s activity to build a profile of normal traffic
patterns. The log data given to the cognitive security company contained information as follows:
The algorithm then created a
profile of suspicious or
potentially malicious behavior
by studying the behavior
patterns of blocked traffic.
▶ Total Events – 200,001
▶ Blocked Events – 20,037
▶ Allowed Events – 105,000 (Connection Terminated)
▶ Other – 74,964 (Connection Created, Trans. Slot Deleted/Created, etc.)
▶ Distinct Client IP addresses in block vs. allow events – 945
▶ Most Common Client IP Address – 172.21.71.48 with 40,771 events
▶ Distinct Server IP addresses – 236
▶ Most Common Server IP Address – 172.21.66.37 with 40,363 events
OTC-27895-MS • Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas OT Systems • Herve

14. Methodology
The algorithm built its models by analyzing all inter-IP communication and building a feature set of each IP
address, including but not limited to the following created features:
▶Average time of access
▶Standard deviation of access time
▶Number of events
▶Number of distinct servers accessed
▶Number of client ports used
▶Percentage of server ports that were 80
▶Percentage of client ports that were
80
▶Percentage of time where server port
was different from client port
The dynamic model of suspicious behavior was then built off of these features using an automated model building
solution that included logistic regression, Bayesian tree-based models, support vector machines, and neural networks.
▶Number of distinct client hostnames
used
▶Number of distinct server ports used
OTC-27895-MS • Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas OT Systems • Herve

15. Results
The company’s OT network was not air gapped and was in
communication with outside entities. What resulted was an
algorithm that presented two potential conclusions about
any suspicious network activity:
traffic that should have been
blocked, but was not
traffic that was blocked,
but should not have been
OTC-27895-MS • Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas OT Systems • Herve

16. Results
▶ The model only agreed with 79%of the classifications
made by the client’s firewall.
▶ 1,749 IP addresses that the firewall monitored during
the time period of traffic under examination were false
negatives that should have been mitigated instead
▶ Only 29% of events associated with these suspicious IP
addresses were blocked
OTC-27895-MS • Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas OT Systems • Herve

17. Results
Example of threat caught by algorithm:
This turned out to be an
employee using VPN
against company
regulations.
Source: whois.arin.net
IP Address: 70.196.67.207 (United States)
Name: WIRELESSDATANETWORK
Handle: NET-70-192-0-0-1
Registration Date: 6/10/04
Range: 70.192.0.0-70.223.255.255
Org: Cellco Partnership DBA AT&T
Org Handle: CLLC
Address: 500 Jefferson Valley Drive
City: Bedminster
State/Province: NJ
Postal Code: 07039
Country: UNITED STATES
OTC-27895-MS • Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas OT Systems • Herve

18. Conclusion
IoT is changing the face of cybersecurity for OT in oil and gas. These changes in the structure of systems—as
well as the growing onslaught of new malware and zero-day attacks—require a change in the approach to
cybersecurity, both for perimeters and endpoints.
This case study demonstrates that while traditional security solutions can no longer protect OT systems,
machine learning solutions can.
As both our devices and our
threats become more intelligent,
so must our security systems.
OTC-27895-MS • Using a Cognitive Analytic Approach to Enhance Cybersecurity on Oil and Gas OT Systems • Herve

19. Acknowledgements / Thank You / Questions