SMi Conferences - Oil & Gas Cyber Security

CERT-UK on cyber resilience. CiSP security portal. Imperial College on plethoric UK cyber initiatives. Most incident down to ‘latent conditions.’ Energy and utilities losses put at $13 million a year.

Speaking at SMi’s Oil and gas cybersecurity conference in London last month, Chris Gibson, director of CERT-UK told of the government’s work with the oil and gas sector on ‘cyber resilience.’ Cert acts as an incident management center and provides support and education. The threat landscape is evolving as Scada systems are now ‘internet facing’ and although easier to use, are more susceptible to attack. Increasingly sophisticated industrial control systems are getting harder to secure. Ironically, older systems are ‘probably easier to lock down.’ It can be hard to secure employees’ own equipment in the face of the ‘bring your own device’ movement exposing workers to mobile malware.

There is no magic bullet, but Gibson summed up the basic tenets of cyber security as follows – know, log and analyze your network traffic, install patches as they come in, and provide clear guidance to staff as to what they should and should not do. CERT-UK works with the energy sector via CiSP, a joint government and industry initiative that shares threat intelligence.

Chris Hankin (Imperial College) enumerated various UK cyber R&D programs for ICS risk analysis (Mumba), resilience (Caprica), threat evaluation (Sceptics) and others. While there is a real need for operations technology-targeted security, the fact ‘appears to have escaped many in the C-suite.’

Awais Rashid (Lancaster University) followed up with a potted history of recent incidents. While human error is widely recognized as a problem, most incidents are due to the exploitation of what James Reason described as latent conditions (design-induced mistakes) rather than active failures (real errors).

On the subject of human error, Bernadette Palmer of the Security Company reported that most advanced attacks rely on exploiting human rather than system flaws. There is no point spending millions on defense if your staff can be tricked into giving away their credentials. The energy and utilities sector suffered the highest losses from cybercrime although it wasn’t very much, a mere $13.2 million!

Click here to comment on this article

Click here to view this article in context on a desktop

© Oil IT Journal - all rights reserved.