‘Treat yourself as a potential target, because you are’

A conversation with cybersecurity expert Lior Frenkel


Lior Frenkel co-founded Waterfall Security Solutions in 2007. Waterfall Security’s Unidirectional Security Gateways are designed to provide 100% protection against operational technology (OT) security threats and online attacks at sites such as airports, railway systems, and power plants.

The company’s growing list of customers includes national critical infrastructures and utilities, power plants, nuclear plants, offshore platforms, refineries, pipelines, pharmaceutical, chemical and manufacturing plants. Deployed throughout North America, Europe, the Middle East and Asia, Waterfall products support a range of industrial and remote monitoring platforms, applications, databases and protocols in the market.

The energy industry has become the second most prone to cyberattacks with nearly three-quarters of U.S. oil & gas companies experiencing at least one serious cyber incident annually. A modern cyberattack on a pipeline network or an LNG terminal can result in severe consequences to human and environmental safety in the form of ruptures, explosions, fires, releases and spills.

Here is a Q & A with Frenkel about cybersecurity in the oil & gas market. The interview has been edited for length and clarity.

Q: How big of a challenge is it to protect oil and gas assets from cyberattack given they’re oftentimes in remote locations?

A: That’s a great question. And the answer is it is and it isn’t. The oil and gas industry is not different from many other industries in the sense that industrial sectors, water systems, power gen and railways, from a cybersecurity perspective, they’re all the same. Of course, there are differences. But the commonality is bigger than the difference. Each of these industrial verticals, they have computer networks that control physical processes and that’s the entity that you need to protect and it needs to be protected in a way that keeps the physical processes up and running at peak performance and in a safe manner. That is industrial cybersecurity. When you’re talking about banks or “regular” companies, you don’t have that computer network that controls a physical process. So the big divide is, are we protecting information, like in a regular company, quote unquote, where the assets and what is being processed by the network is information? Or if it’s a physical process, machinery, stuff like that.

When you have an industrial company, like an oil and gas asset like an offshore platform, it’s physically there. You have the pumps and all the machinery pumping oil and gas from the deep sea and if it’s not working, you’re out of production. You don’t have a backup offshore platform that you can just put in its place. For those “regular businesses” their assets aren’t physical and can be backed up and that is the basic assumption of every IT security regime. In the end, even in the worst case scenario, you still have a backup of the files and information. On the industrial cybersecurity side, we don’t have that backup. If something got onto your network, and now we need to go over and reinstall everything. At that point, you’re not operating; the trains stopped, production stopped, manufacturing stopped. And if this is an offshore platform, and some part of your machinery broke, you can be down for three, four months because the asset that we are processing and controlling does not have a backup. Being able to shut down your production where you do not have a backup gives a cyberattacker so much leverage that you would pay whatever he asked for.

Q: Even the best cybersecurity measures are only as good as the people using them.

A: That’s true, but it’s just part of the picture. When your security posture is very low, and you don’t have a robust security regime, every mistake a person makes can lead to something bad. On the other side, you can install the best security regime, pour in billions of dollars, buy the best products in the world, implement them the best way possible. But if your people don’t know what to do, don’t understand what’s at stake, they don’t have the training—it doesn’t matter how much money you put in, they will make mistakes that will poke holes in your security. It would be wrong to just put all the focus on the people at the company; you need to build good security and train the people and make sure that the awareness level is high and enforce things that you need to enforce and you will be in the best situation possible.

Q: Attacks on oil and gas infrastructure can be driven strictly for monetary reasons but also because of political ones. What kind of attacks do you actually see in the oil and gas industry?

A: What we see mainly are criminal-based attacks; I would say nine out of 10 are for money just because it’s a really good criminal activity. You know, the criminal sits somewhere in a different country than the company he’s attacking without any personal risks. Hacking a site, asking for money, getting that money and moving forward and nothing happens to you. So why go and rob a train, why do piracy on the seas, where you can get killed? It’s a really good business if you’re a criminal.

Industrial types of customers such as oil and gas are a very good target because of what I said before: I can shut down your production and that’s a disaster. We also see state-backed or terrorist-backed types of attacks. From my perspective, we see less of that in the U.S. than in other places like Eastern Europe. But it’s there. In the U.S., it’s more about intel gathering. There are not a lot of states that seriously say, “let’s shut down part of the U.S. infrastructure”. They might think about it, they might even plan for that. They want to steal information, they want to gather intel for an attack, they want to steal intellectual property. So that we do see, it’s not so much trying to shut down or interfere with production, but sometimes it happens as a side effect. So the risk is there.

Q: How do you balance the need for security with the need to get work done? Can security measures be so onerous that they make it hard to do day-to-day work efficiently?

A: So there’s no answer for that. Think of it in a different way. The reason people ask about that is they don’t fully understand the risks. The example I’ll give you is, when you want to go on an offshore platform, you need to wear a hardhat and you need steel-toed boots and you need to wear a life vest sometimes. Then they will put you into a safety training class for an hour; how to evacuate, and what to do in this case or in that case, and what not to do. Where to smoke and where not to smoke. But no one asks about that, or considers that to be too onerous, because we understand the risks.

And another thing with safety protocols is there’s enforcement. I can’t say I don’t give a beep. I’ll just go without the vest or without the hat. They will tell me you’re not getting on my platform because it’s not safe. When people start to understand the risk better—and it’s getting there, but too slowly—they don’t ask about the balance you mentioned. They want to avoid the risk and they’re OK paying a bit more money to avoid that risk. So the process will take a bit longer, but it will be safe.

Q: Tell me about your company and what your value proposition is, especially for this industry.

A: Waterfall Security is an industrial cybersecurity company and we are focused on operational technology security—this is what we do. And our technology, which is called Unidirectional Security Gateway, allows in a very safe and secure way to share information out of control networks to the outside world. Would you like to get on a train where the network that controls the train and the railway is accessible from the internet? Probably not. Would you like to give your kids food that came from a production line that is accessible from the Internet? But the majority of them are. It’s that way because of a lot of reasons, because a lot of these systems were designed and implemented years ago when cybersecurity wasn’t much of a risk.

When you connect a control network to the outside world, everybody knows that you put in a firewall. That’s the right answer when both networks are information networks, are IT networks. That’s what firewalls were designed for and they do their work perfectly. They were never designed to have the Internet on one side and a turbine on the other side. But when there were no alternatives, you put in a firewall because that’s what you had—there was no other way. We developed an alternative solution for firewalls, at the perimeter between control networks, OT networks and the outside world. Dedicated hardware that we design and manufacture and software that operates it, that gathers information from the OT network. Let’s say that you want to remotely monitor your compressor station. You want to know what’s going on, you know, alerts, alarms, rates, everything you want to know. Our system knows how to gather all the information that you need, send it out through the hardware, where the hardware is physically built in a way that it can only move information in one direction. The software gathers the data, sends that out through the one-way only hardware and our software on the outside gathers that information, and then sends it to whatever recipients that need to have it. This is why we call the company Waterfall. Our technology is like a waterfall—it only goes one way and there’s a physical barrier that prevents it from going back.

So you put in our systems, configure them, and all of the data that you need is now available outside, you can use it with your systems, you can send it out to a cloud service, you could send it to the vendor of the equipment for creating a preventative maintenance program. You can do whatever you want with the information with zero risk—not low risk, with zero risk—that anything will or can get back in through that link. So the risk of remote control, the risk of malware propagation, ransomware, all of that is off the table. We are deployed widely in oil and gas and pipelines, but mainly upstream and midstream. Pipelines, oil rigs, offshore platforms, compression stations too. We are also deployed in practically every type of critical infrastructure and industrial vertical, from power gen to water systems and water utilities and chemical plants and railways, subways, airports, you name it.

Q: One overall question, is there anything we haven’t talked about that you think is important for the oil and gas industry to know about your company or about security in general?

A: I think the notion that oil and gas is outside of the game was never true. But today, it’s even less than true. We would talk with oil and gas companies five years ago and they would tell us, “We understand the technology, but we don’t see the risk. We understand firewalls won’t save us; we understand everything. But who cares about us?”

And that has changed not just because of the Big Bang, which was the Colonial Pipeline attack. That’s a good showcase. But a lot of our customers in oil and gas became our customers because they were hit. Not because they are preparing, not because of the TSA directive, not because somebody told them to, but because they were hit. Either paid ransom and nobody heard about it, or just were lucky and that sometimes—the attack wasn’t successful.

Treat yourself as a potential target because you are. Yeah. And call us up.
