API Oil and Gas IT Security Conference

Some 175 attended the 4th American Petroleum Institute’s Oil and Gas IT Security Conference in Houston to hear of ‘nightmare scenario’ planning, SCADA system security and the security aspects of social networking tools. Boardwalk Pipeline is moving to segregate SCADA and business systems.

Lt. General Harry Raduege’s (retired—now with Deloitte and Touche) keynote traced the history of cyber-security from the first hacker attacks in 1979 to the findings of the Center for Strategic International Studies (CSIS) Cybersecurity Commission. These include the necessity of securing Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems for industries like upstream oil and gas and refining. While the specifics of the report are classified, it is understood that recommendations include background checks on personnel working on pipeline SCADA systems. The theft of laptops from executives traveling overseas is now ‘a matter of national security.’ Raduege warned, ‘if your DBA is driving a Ferrari, check your network security’ and concluded that the prevalence of consortia and universities in the oil and gas industry, ‘makes the probability of data leaks even higher.’

Michael DuBois (Colonial Pipeline) described a hypothetical ‘nightmare scenario’ plan involving an attack and ransom demand on a major US Pipeline. Pipelines used to be secured through ‘isolation and obscurity.’ But today, adding Microsoft Active Directory to SCADA systems or even just running an operating system patch can open security holes. Industry needs the government to provide more specifics on threats. A study found that less than 1% of successful attacks resulting in actual data loss came from outside the organization, 19% were perpetrated by disgruntled employees and 80% were accidental. Funding of pipeline security remains a priority despite market downsizing. DuBois advocates vetting of personnel, partnerships with labs and ‘at least’ yearly simulations and drills. He closed by wondering if the best strategy was not to go back to isolation.

Brian Gore recounted Boardwalk Pipeline Partners’ participation in a 12-hour drill that included a ‘mind numbing constant attack.’ The specifics of the exercise are secret, but Gore revealed that one team was given a 30 minute head start to implement security by running Nmap, Wireshark, TCPDump, and OpenVAS to baseline the network traffic and then develop a list of firewall rules, ports to lock down and routes to change. The drill included corporate ‘resistance’ to the shutting down of business systems and corporate ignorance of the danger level. As a result of the exercise, Boardwalk is now engaged in a plan to completely segregate its SCADA system from the business network, with the ability to deploy security and lock down the pipeline system and then open connections as needed. Gore now advocates monthly simulated attacks and redundant ways to communicate and operate. He concluded by emphasizing the importance of SCADA compared to business systems, observing that ‘if a report doesn’t go out, no one is going to die, but are we OK with blowing up a town?’
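The baseline-then-lock-down step Gore describes (capture what normally talks to what, turn that into an allowlist, and queue everything else for review) can be illustrated with a small script. This is an added example, not code from Boardwalk or the conference; the flow records, the address ranges used for the SCADA segment and the iptables-style rule text are all constructed for illustration.

```python
from collections import Counter

# Constructed flow records, standing in for what a tcpdump/Wireshark capture over a
# baseline window would show. Fields: (source IP, destination IP, dst port, protocol).
BASELINE_FLOWS = [
    ("10.10.1.5", "10.10.2.10", 502, "tcp"),    # SCADA master -> RTU, Modbus/TCP
    ("10.10.1.5", "10.10.2.11", 502, "tcp"),
    ("10.10.1.5", "10.10.2.10", 502, "tcp"),
    ("10.10.1.20", "10.10.1.5", 1433, "tcp"),   # historian -> master database
    ("10.10.1.20", "10.10.1.5", 1433, "tcp"),
    ("10.10.3.40", "10.10.1.5", 3389, "tcp"),   # one-off RDP from the business LAN
]

# Hypothetical SCADA address space (master LAN and field LAN).
SCADA_NETS = ("10.10.1.", "10.10.2.")
FIELD_NET = "10.10.2.0/24"


def in_scada(ip: str) -> bool:
    return ip.startswith(SCADA_NETS)


def baseline(flows, min_count: int = 2):
    """Count each flow tuple; those seen at least min_count times form the steady-state
    baseline. Rarer flows are returned separately so an operator can judge them."""
    counts = Counter(flows)
    steady = {f for f, n in counts.items() if n >= min_count}
    rare = {f for f, n in counts.items() if n < min_count}
    return steady, rare


def firewall_rules(steady):
    """Emit allow rules for baselined flows and a default drop into the field LAN.
    Flows that cross the SCADA boundary are never auto-allowed; they go to a review list."""
    rules, needs_review = [], []
    for src, dst, port, proto in sorted(steady):
        rule = f"-A FORWARD -s {src} -d {dst} -p {proto} --dport {port} -j ACCEPT"
        (rules if in_scada(src) and in_scada(dst) else needs_review).append(rule)
    rules.append(f"-A FORWARD -d {FIELD_NET} -j DROP")
    return rules, needs_review


def ports_to_lock(flows):
    """Destination ports reached from outside the SCADA nets: candidates to close."""
    return {port for src, dst, port, _ in flows if not in_scada(src) and in_scada(dst)}


if __name__ == "__main__":
    steady, rare = baseline(BASELINE_FLOWS)
    rules, review = firewall_rules(steady)
    print("\n".join(rules))
    print("review:", review or "none")
    print("lock down ports:", ports_to_lock(rare))
```

The threshold and the boundary test are deliberately simple; the point is that the allowlist is derived from observed traffic, while anything that crosses from the business side is surfaced to a human rather than silently permitted.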

Ivan Skeri of Baker Hughes made a business case for server virtualization. Advantages include cost and complexity reduction and ‘resource isolation’ that brings improved reliability and security, better service levels, automated server provisioning, and better hardware and energy utilization. Storage, network and application virtualization play a role in security, especially for containment and quarantine during attacks. Virtualization can help isolate the issue and limit impact by creating Internet access and network monitoring partitions. A ‘honeypot’ can be implemented to trap attempted attacks and for ‘self-testing’ exploits in a contained environment.

The CIO panel included Zhanna Golodryga, CIO of Global Petroleum at BHP Billiton, Jim Green (Chevron), Kevin Campbell (Hunt Oil), Mike Perroni (Halliburton) and Don Worley (Marathon downstream). Moderators were Dan Chisum (ConocoPhillips) and Paul Huttenhoff (Chevron). The first question was ‘What are the CIO’s biggest challenges?’ For Marathon they were keeping the assets running and maintaining visibility of security issues up to Board level. Halliburton saw customer data security as a priority, especially as most security issues relate to manual processes. Chevron emphasized that sustainable compliance procedures, not just reactions to events, were key, as well as making every user aware of their security environment. A follow-up question asked how CIOs could ‘educate’ the CEO. For BHP this meant explaining the balance of risk and trust against the ability to work. For Marathon it meant making regular security reports to the Board and presentations to C-Level managers—especially in regard to the take-up of social networking applications. This led to a discussion on how companies are dealing with social networking. BHP is currently focused on mitigating the risk, but is also looking at the advantages. Hunt currently blocks Facebook and Twitter but is running a pilot program with college interns. Chevron is still asking where the value of social networking actually is! Halliburton blocks all social networking sites for productivity reasons.

On the topic of what security metrics are deployed, Hunt stated that it looks at security metrics the same way as it views insurance—balancing exposure and consequences. Halliburton has good metrics for the percentage of transactions that are blocked. On the topic of cloud computing and software as a service (SaaS), Chevron said it was bullish but still assessing the risks. BHP has concerns about providers’ liability and is looking at internal provision first. Marathon uses SaaS following a formal risk assessment.

For Fabio Ottolini (Schlumberger) the biggest challenges to security are external storage and multiple connectivity routes. Supporting different device models, features, network coverage and roaming charges can be problematic. The answer is user awareness of costs, expectations and policies, supported by documentation, quick guides, testing and change management. A standard operating system is desirable, but pressure from the C-Suite for the latest device can sometimes drive purchase decisions. The best bet is to involve local procurement specialists and set user expectations for support, since device management is never global or complete. Schlumberger uses data encryption, expiring PINs, remote wiping and self-destruct technologies. Other considerations are backups and certificates, with the knowledge that for attackers, mobile devices may be the path of least resistance.

Jim Heaton (Baker Hughes) noted that mobile devices mean ‘really rough’ gaps in security. Baker Hughes approaches the problem by addressing the human factor with onboarding and offboarding procedures, mandatory training and scorecards. They also employ external audits and a ‘poison pill’ that disables devices after days without connectivity. Network security zoning is used for untethered PC protection and can shut down USB ports in the field. A mobile security ‘Market Based Reference Model’ is used to evaluate vendors. But it is recognized that application and session control may not be as mature as other capabilities. In preparation for next-generation technologies, Baker Hughes is evaluating Bluetooth security, geo-fencing for access based on location, and cloud backup technologies.

Sujeet Shenoi (University of Texas) has been working with Williams Pipeline Natural Gas, analyzing Modbus over TCP traffic. This demonstrated that 22 of 29 possible attacks are at ‘severe’ risk level. Using the DNP3 protocol for electrical systems, the number of possible attacks goes to 91, and the possibility of smart grid devices would make the curve exponential. Companies at risk can isolate, encrypt, authorize, and secure their SCADA services. Alternatively they can be proactive and use threat assessments and situational awareness for anomaly and intrusion detection, incident response and risk management. Some security threats can have massive costs, such as the ‘tromboning’ of call packets to lengthen telecommunications into higher rates. Future proactive measures must include multi-layer defense in depth strategies, leveraging historian data for forensics.
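Shenoi’s recommendation of anomaly and intrusion detection over Modbus traffic can be made concrete with a small policy checker. The example below is added here and is not code from the University, Williams or the conference. It parses the standard Modbus/TCP MBAP header (transaction id, protocol id, length, unit id) and the function code that follows, then compares each request against a hypothetical per-host policy: which hosts are known masters, which unit ids they may address, and whether they may use the state-changing write functions. The host table and the sample frames are constructed for illustration.

```python
import struct

# Modbus function codes that alter process state, plus diagnostic codes worth flagging.
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}
DIAG_CODES = {0x08, 0x2B}

# Hypothetical policy for one pipeline segment: known masters, allowed unit ids,
# and whether the host is permitted to write.
POLICY = {
    "10.10.1.5": {"units": {1, 2}, "write": True},    # SCADA master
    "10.10.1.20": {"units": {1, 2}, "write": False},  # historian, read-only poller
}


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP request frame; used only to construct sample traffic."""
    length = 2 + len(data)  # unit id + function code + data
    return struct.pack(">HHHB", tid, 0, length, unit) + bytes([fc]) + data


def parse_mbap(payload: bytes) -> dict:
    """Parse the 7-byte MBAP header and function code; raise ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("short frame")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(payload) - 6:
        raise ValueError("length field does not match frame size")
    return {"tid": tid, "unit": unit, "fc": payload[7], "data": payload[8:]}


def assess(src_ip: str, payload: bytes) -> list:
    """Return findings for one request; an empty list means it is within policy."""
    try:
        req = parse_mbap(payload)
    except ValueError as err:
        return [f"malformed frame from {src_ip}: {err}"]
    findings = []
    host = POLICY.get(src_ip)
    if host is None:
        findings.append(f"unknown master {src_ip}")
    else:
        if req["unit"] not in host["units"]:
            findings.append(f"{src_ip} addressed unit {req['unit']} outside its allowed set")
        if req["fc"] in WRITE_CODES and not host["write"]:
            findings.append(f"read-only host {src_ip} sent write function 0x{req['fc']:02X}")
    if req["fc"] in DIAG_CODES:
        findings.append(f"diagnostic function 0x{req['fc']:02X} from {src_ip}")
    return findings


# Constructed sample traffic: a normal read, a historian attempting a register write,
# and an unknown host issuing a diagnostic to an unexpected unit.
SAMPLE_TRAFFIC = [
    ("10.10.1.5", build_request(1, 1, 0x03, b"\x00\x00\x00\x0a")),
    ("10.10.1.20", build_request(2, 1, 0x06, b"\x00\x01\x00\x00")),
    ("10.10.3.40", build_request(3, 9, 0x08, b"\x00\x00\x00\x00")),
    ("10.10.1.5", b"\x00\x04"),
]


def scan(traffic) -> dict:
    """Map each request's transaction id position to its findings, skipping clean ones."""
    return {i: f for i, (src, frame) in enumerate(traffic) if (f := assess(src, frame))}


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_TRAFFIC).items():
        print(idx, findings)
```

Run over the constructed traffic, only the first request passes; the historian's write, the unknown host's diagnostic request and the truncated frame each produce findings. In a real deployment the policy table would be derived from a traffic baseline and from the engineering configuration, and the findings would feed the situational-awareness tooling the talk describes rather than a print statement.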

Jim Reavis of the Cloud Security Alliance (CSA) acknowledged that cloud computing has been hyped. But some of the hype is justified, as witnessed by the acceptance of utility computing in oil and gas. Governance challenges include the possibility of the provider going out of business, failure to achieve SLAs, or poor business continuity planning. There are also questions of financial stability, data centers in countries with unfriendly laws, proprietary lock-ins with technology or data formats and the fact that mistakes made by the cloud provider’s internal IT security can be orders of magnitude more serious. It is analogous to the comparative risk and exposure of a car crash vs. a plane crash. Cloud computing threats include un-vetted ‘innovations,’ publicly-known cloud architectures and the fact that the load management itself can be used as an attack. Cloud computing also opens up new avenues for attacks such as poisoned AMI images. The Cloud Security Alliance was set up to facilitate the adoption of security standards and to provide pragmatic guidance in domains such as governing and operating in the cloud. Principles include secure location of data, the right to audit on demand and the need for retention policies to meet e-discovery standards. The cloud can open up vulnerabilities and there is a need to ‘compartmentalize’ during incident response. Data encryption keys should not be available to cloud providers. The concept of federation must be standardized—‘common sense is not optional.’ Conference proceedings on links/1001_9.

© Oil IT Journal - all rights reserved.