Oil IT Interview—GE cyber security guru Susan Peterson

GE Measurement & Control unit’s product line manager speaks of control system security and server virtualization. Focusing on turbomachinery makes for a nuanced posture re the digital oilfield.

At the GE Oil & Gas forum in Florence (more next month), remote monitoring was the big topic. How do you assure cyber security in this environment?

Actually, the measurement and control unit is not directly responsible for remote diagnostics although we are involved with the Florence I-Center. M&C is a part of the control solutions business unit where we cover oil and gas, power gen and nuclear. Our cyber security services are leveraged in new builds and upgrades of major facilities with attention to security risks and change management, planning what infrastructure needs to shut down and for how long. We test for operating system vulnerabilities with anti-virus signatures, host intrusion detection and alignment with new regulatory requirements. We are now addressing network optimization, minimizing latency. In 2010 we introduced central account management with all of the above running for a central device that also controls update and backup.

So this is mostly about green field sites?

Actually even in the retrofit market, real estate is at a premium. Hence the importance of our October 2012 CAP Update release which introduced new virtualization technology along with a combined outer perimeter defense and firewall device.

What does virtualization mean on an offshore platform?

Space saving—in one such environment we have moved from 4 servers to 2 physical machines driving all the above services plus a roll-over capability. All integrated with the client’s architecture.

Does this mean integration with business systems and networks?

We tend to stay in the control systems space. But sure, these systems can broadcast information up to business systems. But you have to be careful here. You really don’t want to put commodity solutions in control systems. For one thing, very few people have the combined control systems and security background necessary to manage such a complex environment.

What operating system is used here? Is it a specialist real-time system?

We use a core Microsoft operating system that we have hardened and tested to ensure that every control system works.

A few years back we reported from a cyber security event where the debate turned on ‘perimeterization’ vs. ‘deperimeterization.’ What’s the thinking on this today?

The focus is still on protection. Oil and gas companies in general follow the Purdue ‘defense in depth’ posture for control systems. This divides networks into protected segments and provides four layers of protection with different focus. Some parts of the network will only allow unidirectional data flow. Systems can be hardened or loosened up as needed. The mesh network approach uses ‘daisy-chain’ filtering with embedded controls.

Tell us more about the CAP Update.

The new release reflects our continuous process improvement effort adding central patch management, patch/tag inventory, push updates and reporting. We have added a common vulnerability scoring system (CVSS). This evaluates the criticality of a fix, whether a reboot is required and how long this took in the lab.

What’s the service level, do you assure protection against anything?

No! The thing is that customers struggle with foundational security. There are lots of scary threats out there, customers are being targeted. Things are complicated further with BYOD and users accessing external media on the web. Employees can be a strong risk. So we support customers in their attempt to maintain a secure posture. Cyber security challenges are shared by vendors and customers alike. We advise on issues like allocating a security budget and partner selection. But no, we can’t guarantee protection against all and any threats. We help customers understand their changing systems. But clients are the stewards of their assets.

And what of third party kit?

We operate on common control technology for turbomachinery and take a holistic approach to security. We do manage some third party components but our business is to provide a secure system. This requires a very good level of control over what is deployed and domain-specific knowledge in our field, rotating equipment, turbo compressors, gas/steam turbines and generators.

It sounds as though the ‘digital oilfield’ ideal is receding when this subset alone requires such focus.

There are plenty of challenges in understanding and operating this kind of equipment properly. We can communicate information out to other, central systems. Also we do integrate from our sub domain out to other systems. But always in the context of overall plant security.

Do you advise on new builds?

Our role is in securing GE kit and helping integrate with other stuff. We are not really in the consulting space but will offer input and advice to clients, often reaching out to consulting specialists to make sure they have the required expertise.

Can you name a flagship client?

It is hard to get people to talk in the security space. We work across several verticals globally. There are some very closed security conferences, reporting on this topic is a challenge!

© Oil IT Journal - all rights reserved.