Cynalytica expands into oil and gas industry

27 October 2022

Cynalytica developed SerialGuard in response to the need to protect serial and non-IP communications systems.

The ongoing need to keep oil and gas assets safe from cyber-attacks has created a key source of growth for a cyber security firm based in Arlington, Virginia. Cynalytica has provided the defense industry ICS cybersecurity capability for several years and is now expanding into oil and gas operators.

Richard Robinson, the CEO of Cynalytica, is acutely aware of risks to physical assets. Robinson was CIO at Lawrence Livermore National Laboratory prior to forming Cynalytica. Lawrence Livermore National Laboratory is a DOE National Nuclear Security Agency providing support to the Department of Energy and the Department of Defense, both of which focus on keeping assets secure.

Prior to that, he worked in manufacturing engineering, where he connected manufacturing cells and CNC machines to networks. “Even back then, I was keenly aware of the potential security implications of connecting industrial control systems to routable networks,” he said.

When the Stuxnet virus, which attacked Iranian nuclear facilities, was discovered in 2010, many industries and security experts became more aware of the risks malware posed to industrial control systems and to legacy assets. The virus targeted programmable logic controllers (PLCs) and then hid what was happening from the operator.

“The virus had the ability to tell the operator that everything was fine, when in fact the virus was damaging equipment,” he said. “At the time, there was no viable technology available to monitor the impacts of a Stuxnet kind of malware, which obfuscated the communications between the PLC and a field device. The operator had no idea what was happening.”

One area of interest to Robinson was serial and non-IP based communications -- legacy, non-digital systems that are still regularly used in the oil and gas industry. Most malware and OT cyber security companies only covered TCP/IP communications, leaving serial communications unmonitored and vulnerable.

Cynalytica’s expertise is in operational technology and control systems, the confluence of IT systems with OT systems. Robinson stressed that operators need both cyber security and situational awareness to protect assets from attack. “To an operator an event is an event, regardless of whether it is cyber-initiated or operational. You want to have control and awareness of your environment. We equate cyber with physical events,” he said.

In response to the need to protect serial and non-IP communications systems, the company developed SerialGuard, a passive serial packet sniffer that enables secure visibility within vulnerable networks. This fail-safe sensor monitors Level 0 and Level 1 serial communications between field devices and controllers, the company said.

Combined with the Cynalytica AnalytICS Engine Platform, it can also reveal and help alert on traffic anomalies that could indicate a cyberattack, physical attack, system misconfiguration or operational issue. Legacy serial communications still make up 30 to 60 percent of all U.S. critical infrastructure.

The user interface for the Cynalytica analytics engine.

Until then, no security company had adequately addressed serial communications monitoring, since it required developing a new hardware sensor that sits on a communications bus in the industrial control environment. The serial communications link is a blind spot for many organizations.

“You don’t want to make things worse by introducing a new physical device that could disrupt operations, introduce latency, or introduce a new cyber threat factor,” he said.

With Idaho National Laboratory, from the Department of Energy, Cynalytica developed a passive hardware sensor and software analytics platform to monitor those communications buses in a safe and secure way, which now gives the operator data that it would not otherwise have. Because it is a passive, fail-safe device, its failure would not disrupt physical operations or introduce latency.

“It captures data based on specific industrial control protocols,” he said. The sensor will frame and then encrypt the data on the SerialGuard and send it to the AnalytICS software platform, an analytics engine that can then monitor and alert on events as well as integrate it into other event monitoring platforms the organization or industry might have.

The sensors work on any industrial equipment, regardless of manufacturer, provided the operator sticks to established communications standards. “We’re protocol agnostic,” he said. The device monitors communications data, but it can also capture operational data that is passed through a communications device.

The Department of Defense was aware of the potential risk that legacy communications had and wanted a product which would keep them secure. SerialGuard became available to the Department of Defense and Department of Homeland Security operators in late 2019. The hardware came first, but after some early deployments, Cynalytica recognized the need for enterprise-sized software to track and make sense of the data coming from physical sensors.

“Some of these environments could involve hundreds to thousands of these sensors,” he said. Cynalytica developed highly scalable sensor analytics software that would integrate with other event monitoring platforms.

The Department of Energy and the Department of Homeland Security were their first customers, but the U.S. Navy, the U.S. Army and the U.S. Air Force have also followed. ONE Gas, a midstream operator based in Tulsa, Oklahoma, USA, was the first oil and gas client.

“We wanted to address the non-IP based serial communications, which are very prevalent for energy operators.”

Cynalytica works with customers to set up the system, install the software and then establish baselines that indicate what is normal operating behavior in the communications.

Most clients are familiar with asset monitoring software, but Cynalytica provides them with an inflow of new operational data that they’re not used to seeing. The upper management that oversees the operation of many oil and gas assets needs some orientation with the new data. Cynalytica helps them collect the data and provide context to the rest of operations.

“They generally only see things on a surface level – is it working or is it not,” he said. “We’re generally very hands on with them. We want them to be happy customers.”

Applying this data operationally can require skillsets or resources that not all operators have in house. The Cynalytica platform abstracts away much of that complexity and resource requirement and makes the application and integration of the data very easy and intuitive, eliminating the need for additional resources. The platform can easily assist operators in applying machine learning approaches to help identify events and anomalies in the environment. “This is a whole new area for them. They are already familiar with monitoring their equipment,” but in many cases, the operators do not have much history or experience in distinguishing between a cyber event and a physical event. “How do I use data science? How do I apply machine learning?”

Second generation

Cynalytica’s work with ONE Gas has driven its second generation of software, which will be deployed in 1Q23. It uses a more powerful and intelligent sensor that also gives it the ability to do custom backhaul communications like cellular or satellite communications. “You’ve got some facilities out in the middle of nowhere and getting that data over existing network can pose challenges.”

The new sensor can also establish baselines for normal operations, which means it will not need to communicate as often with the analytics engine. “It’s intelligent enough to look at something and say ‘this is potentially a problem’,” he said. The more intelligent sensor eliminates a lot of the traffic between the sensor and the analytics engine.
