The inaugural SMi Oil and Gas Cyber Security Conference was held in London late last year. In his presentation on securing industrial control systems against cyber threats, David Alexander (Regency IT) asked ‘How did we end up here?’ with vulnerable software and inconsistent application of patches. People are concerned about the risk of attacks, but generally don’t know enough about mitigation. Meanwhile the business is pushing for remote access to information and fewer people and reduced costs.
Adrian Davis of the Information Security Forum has investigated supply chain security challenges. With the internet, intellectual property can go anywhere in the world quickly—exposing companies to data and information loss as it is now easy to write compromising snooping software. The ‘cloud’ is perceived as a way of ‘getting rid of the IT guys.’ But companies are increasingly dependent on ‘just in time’ supply chains and are critically dependent on information. One problem is that ‘standards don’t talk to each other.’ Davis recommends planning for the endpoint at the beginning—i.e. for receiving data in a format you understand. In which context he suggests leveraging the draft ISO/IEC 27036 Part 3 ICT standard.
Adam Laurie (Aperture Laboratories) recommends ‘going in blind’ to a cyber audit—making no assumptions about what measures are in place. Ask device suppliers for source code or use reverse engineering. But if a supplier doesn’t want to give you the code, you should ask yourself why. Perhaps it is because the code is bad, random number generators are not random or perhaps there is stuff on the silicon that shouldn’t be there!
Justin Searle’s (Utilisec) live hacking demo over the phone showed how much information could be retrieved from a field device when you know how. Depending on what type of information is retrieved, a hacker can adapt his strategy to attack the infrastructure. The same technique as is used to break keys on BlueRay/DVDs can be applied to crack encryption keys.
Danny Berko’s company, Waterfall Security Solutions, offers a range of security technologies including routing tables and physical/IT security. Waterfall offers a link between industrial control systems and the business network that eliminates hacking. This is achieved by a unidirectional communications link using a laser and photocell combination. The Unidirectional Security Gateway allows the control system’s server to be replicated in the business environment, but makes it impossible to write back. Waterfall is in partnership with OSIsoft, GE and Siemens. Berko cited a recent cyber attack on a Norwegian oil company as a wake-up call.
Joel Langhill (SCADA Hacker) reported Stuxnet-type attacks on a US water company that happened the previous week—with a pump being turned on and off! Even control systems which are not connected to the internet are connected to other systems that are! A plant worker can unknowingly launch an attack e.g. via a link in an infected PDF document. Because this happens on an internal network, it is ‘trusted’ and can utilize open communication channels. Siemens was the Stuxnet victim, but this year, GE, ABB and Honeywell have disclosed vulnerabilities. Half of reported vulnerabilities are in Microsoft Windows-based systems, half in embedded systems. But there is hope. These issues can be addressed by simple security e.g. preventing the Acrobat attack with a web proxy, using a unidirectional gateway and by good patch management.
A panel session debated the Stuxnet worm, developed, seemingly, by the Chinese, or was it Israel, perhaps with help from the Americans? The code quality is ‘amazing engineering.’ Iran was not the only victim, US and German systems were infected. The USB-key based attack showed that there is ‘no such thing as an air gap.’
Phil Jones described the increased security burden imposed on GDF Suez’s UK unit as it became an operator. ISO 2700 compliance is critical to keeping a license to operate. For GDF, the security team is ‘everyone in the organization.’ All need to understand security risks and the primary objective, of ‘protecting the lives of the people who work for us’ in other words, security as an HSE issue. Networking everything is ‘not necessarily a good idea.’ Geologists for instance may have their own network. More from SMi Conferences.
© Oil IT Journal - all rights reserved.