According to Total CIO Philippe Chalon, Total’s new global security plan this year involves a change of strategy. ‘China Wall’ peripheral security can make life hard for joint venture partners, service providers and Total’s ‘nomadic’ staff. Total has opted for a three component security architecture comprising secure data centers, secure desktops and encrypted data flows between them. There is no longer any difference (except for performance) between the internet and the secure company intranet. User access is granted according to a user’s profile and the trust level of a device. For instance, you can’t get at reserve data from the public internet in an airport!
Schlumberger Information Solutions president Olivier Le Peuch agreed with Chalon, ‘putting a firewall around every component is not a solution.’ You need to secure processes, not components. Le Peuch backed the suggestion made last January at the Houston SPE Digital Security Conference that an industry security body be set up. Reserves management requires a security-centric architecture, integrated standardized workflows, and identity and access management. One significant SIS initiative is a security-enabled workflow based on an infrastructure of identity mapping, a public key infrastructure (PKI), directory services and role designation. The emerging paradigm of ‘federated identity management’ (FIM) is a possible solution to access management. The idea is to create secure, streamlined collaboration and to eliminate risky third party ID management. Le Peuch suggests a technical working body to design and vet an industry-wide solution for collaboration security. SIS also intends to publish an open source API for petrotechnical application security.
Chevron CTO Don Paul described the increasing ‘digital intensity’ of the industry. A refinery produces 1TB/day of raw data from perhaps 30,000 I/O points and 75,000 model coefficients. A large offshore field produces ten GB/day. A subsurface project portfolio is contained in around 1,000 TB. Chevron totals some four millions transaction and two million emails per day. Corporate data storage is growing at two TB/day—and this is ‘not nearly enough.’ Historically, enterprise, engineering and operations and R&D/technology were three different systems. But today users and data flows cross all three domains. Everything is connected. Everyone, CIO, CFO, CTO and the business ‘needs to get along to make security work.’ Doing nothing is not an option, ‘staying the same means declining security and increasing risk.’ Government R&D can help because government faces the same problems as industry. Paul described Chevron’s involvement in the ‘Linking the Oil and Gas Industry’ (LOGI2C) project, sponsored by the US Department of Homeland Security (DHS) Science & Technology Unit. LOGI2C sets out to improve security and reduce vulnerabilities of pipelines and facilities. The LOGI2C correlation engine has analyzed abnormal events over a 12 month period on a 10,000 mile Chevron Pipeline SCADA network. The project investigated a possible multi pronged cyber attack over a period of time with feints etc. The technique is applicable to digital oil fields now and ultimately, to SCADA systems that interface with the outside world as deployed in the downstream.
SCADA security in BP
Justin Lowe (PA Consulting) and Ian Henderson (BP) stated that improving the security of process control SCADA systems ‘is not a diet but a change of lifestyle.’ In the old days, process control systems (PCS) were ‘clunky’ but resilient, and there was no chance of hacking them. Today, DCS and SCADA are all implemented on Wintel and increasingly on Internet Protocol (IP) standards and share the security risks of such systems. Except that fewer security measures exist for this specialist hardware. Following the Nimbda worm, BP now has a Chief Information Security Officer (CISO) responsible for digital security. To raise security consciousness at BP’s 400 Process Control sites, a group center of excellence was established. Today, BP has ‘built security into PCS engineers’ day jobs.’ In 2004, BP initiated PCS vendor accreditation for antivirus, security patches and secure, remote access methods. Today, anti-virus accreditation is widely accepted. It used to be said that you can’t patch SCADA, you can, now maybe even faster than IT systems.
Secure Joint Ventures, Chevron
Mike Reddy, CIO Chevron International E&P spoke of the increasing demand to access Chevron IT resources by joint venture (JV) partners and other third parties. Current security methods are labor intensive and provide only ‘course grained’ security. Reddy described a Federated Identity Management Technology proof of concept test undertaken this year by Chevron, Schlumberger, Sun, Microsoft and others. Federated identity is a standards-based means of sharing an identity and entitlements across different domains—as between JV partners and their contractors. A test was performed across 30 servers running Chevron’s web-based ‘Operational Excellence’ application and Schlumberger’s Petrel. The demonstrator showed that seismic interpretation could be performed across the firewall using Citrix thin clients. Standard Microsoft Office and web-based applications can be shared securely today. Computer Associates’ eTrust SiteMinder 6.0 also ran.
Disaster planning, Occidental
Don Moore, CIO Occidental, spoke about security and disaster recovery planning. Oxy has been brainstorming to identify potential threats such as a tornado on Tulsa, geological issues (Ecuador-volcanic activity, west coast earthquakes), geopolitics (guerilla activity) and terrorist threats (a dirty bomb in LA). Disaster planning is now a full-time job in IT. Hurricane Rita put Oxy’s planning to the test. With Rita, Oxy learned a lot about shut down, business recovery etc. Three million people tried to leave Houston at the same time. It was taking 27 hours to cover the 220 miles to Dallas. In general, while Oxy’s disaster plans worked, business continuation ‘did not work well at all.’
Identity management, Chevron
Edmund Yee described Chevron’s deployment of a common image for its Windows desktops with automatic update and an enterprise security architecture. This involves all users. Employees, contractors, 3rd parties, JV partners all have managed identities as users or administrators. Devices and services (applications) also have IDs. All business processes use IDs (line of business, SAP, Oracle, network logon, applications etc.) The idea is to ‘unify and simplify physical and logical access with a single corporate ID card.’ This provides a single common process for authentication. The project also delivered enterprise single sign-on (ESSO) and web ESSO where needed. Shell plans to get rid of passwords next year as the necessary IT components become available. Biometrics authentication is available for special groups.
Smart card deployment, Shell
Ken Mann presented Shell’s IT Infrastructure Refresh Project which has reduced the cost of delivering a desktop by 50%. It is based around Windows 2000 and Active Directory. Email is encrypted on the fly depending on its confidentiality level. A Smart Card-based solution ‘gives preference’ to Microsoft-based products. The original goal was to build an out-of-the-box infrastructure ‘without engineering.’ But it ‘didn’t quite work like this,’ even though much functionality was already in the operating system. Shell is moving from the ‘hard perimeter, soft interior’ security model. Schlumberger is to take the smart card management system (SCMS) to market. Microsoft is ‘pushing smart cards hard.’ Both Shell and Schlumberger are early adopters.
SCADA vulnerabilities, NISCC
According to Mark Logsdon of the UK Government’s National Infrastructure Security Co-ordination Centre (NISCC), common-off-the-shelf (COTS) hardware and software has let hackers into water and electricity supply systems—notably with a denial of service (DOS) attack on Israel Electric Corp. In general, terrorism-related incidents are ‘probably under-reported.’ There are risks from hackers and politically motivated individuals. Today, PCS/SCADA vulnerabilities are ‘widely understood.’ NISCC has set up a number of information exchanges, with regular discussions of threats and vulnerabilities. Vendors allow NISCC to manage vulnerabilities in their software and to share the information with members. Companies should ask ‘would you recognize an attack?’ The answer is probably not.
Chris Wright (KPMG) described Sarbanes-Oxley (SOX) as ‘specific to a company’s controls over its financial reporting.’ SOX stipulates that IT shouldn’t have access to live financial data. So some companies have put monitoring in place and then had nasty surprises as to who could see their financial information. Business continuity management is specifically excluded from SOX because SOX is not concerned about the future value of assets. ‘SOX is about the 31st of December.’ It does cover a company’s ability to backup and restore financial data, to ensure that a transaction has completed, been properly recorded and authorized. Note that nine companies in the energy and utilities sector failed SOX. Some failed for ‘creative accounting,’ but others failed for inadequate IT controls—mostly of unauthorized access. Useful resources for SOX compliance include ‘The IT Executive’s Best Practice Guide to SOX,’ a Gartner White Paper. See also www.itgi.org and COBIT’s papers on SOX deployment. Wright also noted that SOX ‘has put an end to the way many people use spreadsheets.’
This article has been taken from a 10 page report produced as part of The Data Room’s Technology Watch Reporting Service. For more information on this service and to request a copy of the original report please email firstname.lastname@example.org.
© Oil IT Journal - all rights reserved.