Digital Energy special session on oil and gas cyber security

Lockheed Martin on ‘advanced persistent threats,’ Chevron—‘everything is connected,’ Shell—‘Microsoft losing dominant client role,’ Oxy—‘physical separation of network and plant,’ Emerson—‘Don’t pick up USB sticks in the parking lot.’

Lockheed Martin’s Ken van Meter noted similarities between gas transmission and his specialty, the ‘smart’ electricity grid. While the smart grid is a necessity to replace the current ‘worn out’ system, the advent of around 440 million ‘hackable points’ by 2016 means that the new system will need serious protection against attacks like Stuxnet, the Slammer worm and the Aurora event. The recent hack of security solutions provider RSA shows the extent of the problem. RSA was the victim of an ‘advanced persistent threat’ that likely came from ‘a nation state or criminal.’ Utilities, used to the relative safety of legacy SCADA systems are unprepared for this. But attackers like small vulnerable entities where they can try stuff out before going prime time. Today, everything is connected—so if you hack a small utility this can be a route into much bigger targets. This is a ‘serious problem,’ but one that can be solved. The North America Electric Reliability Corp’s NERC-CIP ( is a good start. But van Meter also recommends separate routers for electricity and IT and real time monitoring and forensics. The Department of Homeland Security’s Defense Industrial Base ( proved a good forum for sharing information on threats.

Chevron’s Peter Breunig picked up on ‘everything is going to be connected’ theme as geoscientists, traders and others increasingly push for access to ‘all the information all the time.’ But the connected enterprise, as well as exposing users to attack, allows IT to mine information and detect risks. IT ‘situational awareness’ includes probing your own systems, seeing how long it takes to recover from an attack. Better make it fast because, ‘you will be hit!’ The balance between presenting and preventing access to information, just like connectivity, is a ‘risk game.’

Shell’s Johan Krebbers sees authentication as a key area—especially with the increasing use of services in the cloud. Windows is losing its role as the main client operating system as users bring in novel devices. You can no longer trust the ‘endpoint’ which may be privately or company-owned. Authentication needs to move to the cloud too, perhaps with a standards-based protocol like SAML ( and single sign-on procedures. Krebbers notes, ‘the last thing you want is to be in bed with Microsoft or another proprietary system.’ Joint venture entitlements need to be ‘application and data driven,’ rather than by a firewall whose perimeter may evolve. Data encryption will get far more important, likely leveraging the Oasis key management interoperability protocol ( Current systems are not up to scratch for logging and forensics—we need better real time complex event processing—going way beyond ‘just logging.’

Don Moore, Oxy’s ‘chief cyber security guardian’ used to feel comfortable about IT security—now he ‘works constantly’ to improve it. There is a ‘lot of tension in the industry and in Oxy and concern at executive and board level about how information is shared. Companies need to protect against ‘crazies,’ their own employees and ‘sophisticated nation state-based attackers.’ Oxy gets 400 million spam/virus infected emails per year and up to 400,000 unauthorized access attempts per day. Cyber security needs a refresh as the world is full of smart devices, phones and iPads. Digital canopies and expert systems are deployed fast, thanks to $100 oil, ‘but you need to balance speed with security.’ As part of the US National Critical Infrastructure, oil and gas is being ‘lent on’ by the Feds. The digital oilfield has ‘changed and raised’ the profile of cyber security. Moore proposes physical separation of network and plant. For SCADA systems, ‘80% of the payoff is from physical separation.’ Today, ‘data is flowing all over the company.’

Cynthia Johnson provided some more details of how Oxy is implementing its security. The key is network separation with de-militarized zones between plant and office and between office and internet. These can limit connections so that for instance, the SCADA delivers only 24 hours of data at 10pm to the office system. Even this involves complex data flows across many paths. But as Moore stated, the lion’s share of security is assured by physical separation. Authentication choices need ‘tuning’ to user accounts and devices. But these can be spoofed and need constant monitoring. User credentials can be constrained to place and time and correlated with other events to identify unusual patterns of use. Inside threats can be mitigated by constraining users to authorized activity. While it’s impossible to know where all attacks will come from, the above is a good starting point.

Peter Zornio described his company, Emerson, as operating in the ‘last mile’ of cyber space—where the valves and chokes that cause things to happen are located. In the old days, we had security by obscurity, with bespoke operating systems and applications. Since the mid 1990s, for better or worse, things have evolved to a prevalent ‘Wintel’ environment. Likewise, digital energy means that business value is derived from interconnection of business systems and the plant. Until last year these issues were discussed in automation forums. Then there was Stuxnet. Zornio had to write his CEO to explain why ‘what happened to Siemens could not happen to us—although we are by no means invincible!’ How do you protect control systems from targeting with viruses? By isolating from the business network and through patch and device management and white listing deices and applications. There is lots of good technology, but the reality is that ‘people are the weakest link.’ ‘Don’t pick up USB sticks in parking lot!’ Read Ronald Krutz’ book on ‘Securing SCADA Systems’ ( And join the ISA-99 Control Systems Security group ( Zornio confessed surprise at the slow take-up of cyber security and at the fact that it is not used as a selection criteria.

For more on oil and gas cyber security, read The Data Room’s Technology Watch report from the 2008 API Cyber Security Conference ( and the 2005 SPE Digital Security Event ( 

Click here to comment on this article

Click here to view this article in context on a desktop

© Oil IT Journal - all rights reserved.