Helmerich and Payne: We’re All Two Hops From the Internet. Rethinking the OT Security Approach

When connected devices and sensors run from the pipeline to IP phone or the drill rig to the board room, we can no longer remain focused on the OT device alone in our security strategy. Attackers see one large enterprise, with many possible attack vectors and pivot points. Security teams today need the ability to monitor all vectors and all devices that might be used as points of entry into the network.

Nathan Singleton, Manager of Cybersecurity at Helmerich & Payne, spoke with Curtis Simpson, CISO at Armis, about the security challenges faced by modern industrial enterprises, the areas of exposure, and the changes needed to protect the modern OT environment.

Quick Excerpts:

Curtis CISO, Armis	One of the things we’re here to talk to you about today is how Nathan looks at this risk, how Nathan’s looked to a partnership at Armis to help manage this risk, and really how Nathan –  and many of our customers at Armis – look to this risk in 2020 and beyond. And with that, I want to take a moment to hand it over to Nathan.
Nathan Manager of Cybersecurity, Helmerich & Payne	Sure thing. Helmerich & Payne, we’re a multinational drilling company. Most of our operations are in the U.S., but we do some work out in South America, and the Middle East. We have offices all over the U.S., Europe and India at this time. We own and operate the big land rigs like you see here in this slide and the previous one. We’ve designed them all, we’ve built them all. And then we also have a few rigs out in the Gulf of Mexico as well, but… we’re transforming ourselves as a company now from a drilling contractor to a drilling technology solution provider. Instead of having the big, dumb iron out there in the rigs that makes the holes and does all the cool stuff that we did, we’re looking at how can we do this more efficiently. How can we drive advanced automation based on real time data collected at numerous points across the rig, including down hole? How do we analyze that in real time again?Drilling’s a very dangerous business, and our goal is to make sure that all of our guys get home safe while providing the maximum value to our customers.
Curtis CISO, Armis	What seems to be the case, and I know in many of these landscapes, it was in mine, it is in more complex oil and gas environments, the visibility into all of these things and how they could potentially impact level one and zero is more important than it’s ever been. And where customers are seeing a lot of value in the likes of a product like Armis, looking at all of these things as devices that could potentially interrupt level zero, level one, and proactively assessing the controls that should be in place versus are.
Nathan Manager of Cybersecurity, Helmerich & Payne	And as we look through all of this, the way the things were set up and designed and configured two years ago, five years ago, 10 years ago, a lot of changes that have occurred since then. You have vendors coming on board, you have customers coming in… Over the years, you just get this history of stuff, just built up over and over again. And there’s really no way beyond the hand-over-hand audit without something like an Armis to go in there and be able to assess what we’ve got… what we needed to do is be able to see from that base level zero up to level five and back down again.
Curtis CISO, Armis	Unmanaged devices are bringing new exposures. We’ve seen many introductions of many different forms of devices into these environments. We’ve seen devices evolve over time, and we’ve seen many of those other devices not evolve over time. And that lack of visibility and the lack of management in many of these cases of these devices, and inability to patch for a litany of different reasons that I know I don’t need to explain to ICS folks, is truly bringing new exposures into these environments. OT devices are targets. We’re seeing this. We’ve seen this most recently with the CISA advisory earlier this year, but OT devices are targets.
Nathan Manager of Cybersecurity, Helmerich & Payne	Just a quick little story… what we did is when we were initially POC’ing Armis, we decided “Yeah, we’ll take a look at your system. Why don’t we see if this thing actually works?” And then that was a big point for us because we’d looked at other systems that we really had a lot of problems with. The stories of Armis being able to plug in, and it works as advertised without a whole lot of setup or configuration and no issues were true. We plugged it in and it worked. We plugged it into our new rig control systems and attached it back to the corporate systems, and it actually worked. Now we’ve done some tuning with it, we’ve gotten really tight, we’ve actually layered out everything. We can see all our different layers from zero to five.