SMi Oil & Gas Cyber Security Conference, London

Crysys lab on advanced persistent threat analysis. Finmeccanica—is cyber risk hype or reality? Shell—it’s a business problem as well as IT. ABB on Ormen Lange security. Waterfall on inside jobs. Danish Technical University—mind the SCADA/IT ‘gap!’ GDF Suez/IPnett’s cyber guidance.

Chairman David Alexander of Regency IT Consulting, a Cassidian/EADS unit, set the scene for the 2012 edition of SMi’s Oil & Gas Cyber Security Conference, held late last year in London, with a quote from Eric Byres, who described control system software as ‘a bunch of vulnerabilities wrapped in some SCADA control code.’ Subsequent presentations from cyber security specialists at oil and gas companies and in the vendor community described a variety of ‘advanced persistent threats’ (APT).

Boldizsar Bencsath from Hungary’s ‘Crysys’ lab described how APTs are identified. Crysys discovered and analyzed the Duqu malware (delivered via a malicious Microsoft Word document) and has developed a Duqu detector toolkit. Crysys also took part in the initial analysis of Flame, the ‘most complex malware ever found,’ some 6MB of information-stealing malware that can activate microphones and web cams, log key strokes and ‘call home.’ Perhaps most scarily, Flame spreads to other machines on a network by masquerading as a Windows update, complete with a fraudulently obtained certificate that chained up to Microsoft’s certificate authority.

Bencsath observed that malware ‘need not be technically perfect to be very effective.’ What can companies do? Extend protection beyond signature-based techniques with anomaly detection, heuristics, baits and ‘honeypots.’ Education is key, as is forensics. Check suspicious network traffic: you never know what you might find. And put an incident response plan in place.
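One concrete form of the ‘anomaly detection’ and ‘check suspicious network traffic’ advice above is to look for the timer-driven ‘call home’ pattern that a signature scanner cannot know in advance. The following script is an added illustration, not code from the Crysys lab or the conference: it reads proxy log lines (the three-column format, host names and thresholds are assumptions, and the sample lines are constructed) and flags source/destination pairs whose connection intervals are too regular to be a human.

```python
"""Periodicity ('beaconing') detector over proxy log lines.

A previously unseen implant has no signature, but its habit of calling
home on a timer shows up in ordinary proxy or flow logs as near-constant
gaps between connections to one destination. Added example; the log
format and thresholds are assumptions, and the sample log is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: ISO timestamp, source host, destination host.
# eng-ws-07 talks to updates.example.net every ~300 s; the rest is
# ordinary, irregular browsing.
SAMPLE_LOG = """\
2012-11-20T08:00:03 eng-ws-07 updates.example.net
2012-11-20T08:00:41 eng-ws-07 intranet.corp.example
2012-11-20T08:05:02 eng-ws-07 updates.example.net
2012-11-20T08:07:15 hist-01 intranet.corp.example
2012-11-20T08:10:04 eng-ws-07 updates.example.net
2012-11-20T08:12:33 eng-ws-07 intranet.corp.example
2012-11-20T08:15:01 eng-ws-07 updates.example.net
2012-11-20T08:19:58 hist-01 intranet.corp.example
2012-11-20T08:20:03 eng-ws-07 updates.example.net
2012-11-20T08:25:02 eng-ws-07 updates.example.net
2012-11-20T08:31:47 eng-ws-07 intranet.corp.example
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst)."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def find_beacons(lines, min_events=5, max_cv=0.1):
    """Return (src, dst, period_s, cv) for every pair whose inter-connection
    gaps are regular enough to suggest a timer.

    cv is the coefficient of variation (stdev / mean) of the gaps: a human
    produces a large cv, a sleep(300) loop a very small one.
    """
    seen = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst = parse_line(line)
        seen[(src, dst)].append(ts)

    beacons = []
    for (src, dst), stamps in seen.items():
        if len(stamps) < min_events:      # too few events to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            beacons.append((src, dst, round(period, 1), round(cv, 4)))
    return beacons


if __name__ == "__main__":
    for src, dst, period, cv in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"{src} -> {dst}: every {period}s (cv={cv})")
```

A real implant can add jitter or piggy-back on legitimate destinations, so in practice this check is combined with destination rarity (how many other hosts ever talk to that name) and with a lower bound on the number of events; the thresholds here are starting points, not a standard.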

Finmeccanica’s Simon O’Gorman asked whether cyber risks are hype or reality*. Most attacks target well-known vulnerabilities and ‘97% are easily preventable.’ Security has to be done on a risk/appetite basis within an available budget. There is no easy answer to the hype or reality question. Defense from an ‘air-gap’ has proved to be a myth given modern communications and individual behavior. Much SCADA equipment is updated from a USB stick. Wireless communications and mobile devices mean that perimeters no longer exist. Control systems and SCADA networks are open to public networks, witness Night Dragon, Flame, Gauss and Stuxnet/Duqu. So what is to be done? Apply ICT security basics and best efforts? This may be too simplistic. O’Gorman advocates ‘defense in depth’ leveraging frameworks such as those from Tofino Security or the UK’s CESG. Penetration testing is useful but may be difficult in a working plant. The best network is an invisible network: ‘you can’t hack what you can’t see.’

Oskar Wols (Shell) and Marcel Grooten (Information Risk Management) described the changing threat landscape confronting business critical IT and information systems, including ‘increasingly sophisticated and professionalized attacks.’ But IT can’t fully address such issues. The business needs to be in the driving seat and accept responsibility for the potential consequences. While IT can help to minimize risks, zero risk is never possible, and in the end it is the business that carries the can. The business needs to take ownership of cyber security, to be fully aware of the risks and to be able to react quickly. Data flows need controlling and business processes should be documented along with roles and responsibilities. During execution, ‘each individual step needs to be approved.’ IT needs to be able to continuously monitor business processes and flag deviations or unusual behavior. The authors expect that the technology required to achieve this could be available in five years or so. In the meantime, companies should map out their information flows, decide what rules need to be implemented and agree a common approach with industry and suppliers.

Iain Brownlie and Olav Mo, both with ABB, reported from the cyber security front line. At Shell’s Ormen Lange and Draugen Norwegian North Sea developments ABB is the single point of contact for all automation-related issues, including security. Part of ABB’s role is to enforce basic rules: authorized access only, managed and protected passwords, and no unattended, unlocked computers. ABB’s secure client server management (SCSM) oversees Microsoft security updates, antivirus, patches and backups. An ‘advanced service appliance’ (from Industrial Defender) automates data collection and monitors operational events.

Waterfall Security’s Colin Blou observed that most attacks involve password theft or persuading an insider to ‘pull’ the attack through, by phishing or just by calling the help desk. If you can trust your users’ workstations, what about their cell phones? Firewalls are software too, with vulnerabilities and ‘zero days’ of their own. Complicated systems may be hard to configure and maintain, and mitigation is costly, involving training, management, log reviews, audits and more. The ‘alternative,’ if not the answer, is to deploy industrial security best practices such as application control/whitelisting, security information and event management (SIEM)/intrusion detection and unidirectional gateways. Waterfall’s ‘industrial security reference architecture’ is used to protect offshore platforms, refineries and pipelines with secure replication of historian data to the corporate network and remote vendor and IT support. Technologies from multiple vendors can all work together in a secure manner. But operations defense-in-depth is ‘very different from IT defense-in-depth.’
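The design constraint behind ‘secure replication of historian data to the corporate network’ over a unidirectional gateway is that the plant-side sender can never hear from the corporate-side receiver, so there are no acknowledgements and no retransmit requests. The following simulation is an added example, not Waterfall’s product code: the frame layout, the redundancy scheme and the historian samples are all assumptions, and the ‘channel’ is an in-process list rather than a physical link.

```python
"""Toy one-way replication of historian samples.

The plant-side sender has no return path, so it cannot be asked to
resend: it emits every frame more than once instead. The corporate-side
receiver verifies integrity, drops duplicates and can only report gaps
locally, never back to the plant. Added example; the frame layout
(sequence, length, payload, CRC-32) and the samples are assumptions.
"""
import json
import struct
import zlib

HEADER = struct.Struct("!IH")   # sequence number, payload length
TRAILER = struct.Struct("!I")   # CRC-32 over header + payload

# Constructed historian samples on the plant side.
SAMPLES = [
    {"tag": "PT-101", "ts": "2012-11-20T08:00:00", "value": 71.3},
    {"tag": "PT-101", "ts": "2012-11-20T08:00:10", "value": 71.4},
    {"tag": "FT-205", "ts": "2012-11-20T08:00:10", "value": 1180.0},
    {"tag": "PT-101", "ts": "2012-11-20T08:00:20", "value": 71.2},
]


def encode_frame(seq, sample):
    """Header + JSON payload + CRC-32 trailer."""
    payload = json.dumps(sample, sort_keys=True).encode()
    head = HEADER.pack(seq, len(payload))
    return head + payload + TRAILER.pack(zlib.crc32(head + payload))


def send(samples, redundancy=2):
    """Plant-side sender: each frame goes out `redundancy` times because
    nobody downstream can ever ask for a lost one."""
    frames = []
    for seq, sample in enumerate(samples):
        frames.extend([encode_frame(seq, sample)] * redundancy)
    return frames


def lossy_channel(frames, drop_indexes):
    """Deterministic stand-in for the one-way link: frames at the given
    positions are lost. Nothing flows in the other direction."""
    return [f for i, f in enumerate(frames) if i not in drop_indexes]


class Receiver:
    """Corporate-side replica. Every frame is treated as untrusted input."""

    def __init__(self, max_payload=4096):
        self.max_payload = max_payload
        self.samples = {}      # seq -> decoded sample
        self.rejected = 0      # malformed or corrupted frames

    def ingest(self, frame):
        if len(frame) < HEADER.size + TRAILER.size:
            self.rejected += 1
            return
        seq, length = HEADER.unpack_from(frame)
        body_end = HEADER.size + length
        if length > self.max_payload or len(frame) != body_end + TRAILER.size:
            self.rejected += 1
            return
        (crc,) = TRAILER.unpack_from(frame, body_end)
        if crc != zlib.crc32(frame[:body_end]):
            self.rejected += 1
            return
        if seq in self.samples:
            return  # duplicate from the redundant send; harmless
        self.samples[seq] = json.loads(frame[HEADER.size:body_end])

    def replica(self):
        return [self.samples[s] for s in sorted(self.samples)]

    def gaps(self):
        """Sequence numbers below the highest seen that never arrived.
        Only knowable on this side; no report can travel back."""
        if not self.samples:
            return []
        return sorted(set(range(max(self.samples) + 1)) - set(self.samples))


def run_demo(drop_indexes=frozenset({2, 4, 5})):
    """Replicate SAMPLES across a channel that loses the given frames.
    With the default drops, seq 1 survives via its duplicate and seq 2
    (both copies lost) shows up as a gap."""
    rx = Receiver()
    for frame in lossy_channel(send(SAMPLES), drop_indexes):
        rx.ingest(frame)
    return rx.replica(), rx.gaps(), rx.rejected


if __name__ == "__main__":
    replica, gaps, rejected = run_demo()
    print(len(replica), "samples replicated; gaps:", gaps, "rejected:", rejected)
```

The point of the exercise is structural: there is no code path from `Receiver` back to `send`, so a compromise of the corporate replica cannot reach the plant historian, and any loss on the link is absorbed by redundancy and surfaced as a gap rather than fixed by a request.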

In a similar vein, Christian Probst (Danish Technical University) said we need to ‘mind the (security) gap!’ between IT and SCADA. Probst is working on such issues via the EU ‘Technology-supported risk estimation by predictive assessment of socio-technical security’ (TREsPASS) project. The goal is to develop an ‘analytic approach’ to identify and rank attacks.

GDF Suez’ Phil Jones outlined the UK government’s Cyber security guidance for business. The guidance document was released in September 2012 by CESG, GCHQ’s information security arm. Jones advocates a holistic approach to security with defense in depth, ‘offensive’ action and involvement of other stakeholders from HR, HSE, Operations and ‘anyone else who might be useful!’ Marius Brekke described how IPnett has developed GDF Suez’ automated, secure access control solution for its offshore installations. This provides ‘dynamic’ access control, in compliance with OLF104, via IPnett’s ‘Shield’ admission control system. Shield has been successfully deployed on the Gjoa project, where it has been used to move five operators from the platform to the shore. Today, the Gjoa IT Manager connects from his cottage. The system is also used on ENI’s Goliat project. More from SMi.

* Gillian Tett writing in the Financial Times reports that they are real.

© Oil IT Journal - all rights reserved.