At the SMi Oil and Gas Cyber Security conference in London late last year, GDF Suez’ Phil Jones spoke on social engineering (SE) and the threats it poses to the industry. Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. This is an easier option for the hacker than trying to break into the system. Phishing is an example of SE: opening an Excel file titled ‘recruitment plan’ cost RSA $63 million! USB keys dropped in the parking lot are another good way into the network. Individuals are also at risk when they divulge personal information on social media sites and when they provide answers to ‘security questions’ to third parties.
Chris Gibson introduced the CERT-UK organization, which has a close working relationship with the oil and gas sector. The system was recently put to the test with the discovery in September 2015 of the Shellshock Unix vulnerability, with alerts and mitigation advice communicated to stakeholders in under 24 hours. CISP, a joint government/industry cyber security information sharing service, has been established and CERT-UK now issues quarterly activity reports. One oil and gas company member recently took part in the ENISA cyber security exercise.
Alessandro Marzi described ENI’s work on an assessment framework for cyber security. The digital oilfield is bringing convergence of IT and operations. While this is driving efficiencies, it brings risks of ‘sophisticated complex’ attacks on facilities. ENI’s IT department has been tasked with extending its scope to provide secure digital processes. Enter the ICT security maturity model, a set of tools and processes to provide risk-based, business-driven security. Security is proving to be a bridge between the IT and OT worlds.
Other presentations of note included Troels Oerting from the Europol Cybercrime Centre on the EU’s response to threats directed at critical infrastructure, and ABI Research’s Michela Menting, who introduced the Global Cybersecurity Index, which ranks countries’ cybersecurity capabilities.
More from SMi Conferences.
© Oil IT Journal - all rights reserved.