Speaking at the recent IQPC Canadian oil and gas security conference, Chevron’s
Zoltan Palmai outlined the complex security challenge facing a major
operator. An extended supply chain, joint operating agreements and
partner reporting requirements mean that corporate systems are not only exposed to direct
attacks, but also potentially at risk through multiple third party
systems. Palmai advocates a clear analysis of roles and
responsibilities. The process starts with a risk-based evaluation of
partners that informs an IT operating model, which is then written into
joint venture and other contracts. Each joint venture is positioned on a
value at risk/likelihood of breach matrix. Risks can then be ranked and
an appropriate IT mitigation strategy applied to each.
The key to
providing access for multiple stakeholders is identity and access
management (IAM). ‘Understanding and managing who has access to what is
core to IT security.’ Today IAM is at an inflection point as mobile
users, cloud-based systems and endpoints running different operating
systems are commonplace. Happily, identity federation is maturing and
newer protocols can deliver IT services securely across system
boundaries. HTTP-based applications can support a wide range of devices
and trust frameworks fed by third party identity providers.
Oasis’ security assertion markup language (SAML)
has matured to the extent that it ‘no longer requires an encryption
expert.’ Many popular languages now have a SAML API and third party
providers offer IAM orchestration solutions. Nevertheless, few
individuals are conversant with the technical details of the new IAM
and explaining the change to management ‘has proved challenging.’
If there remains any doubt as to the risks that large organizations run, these were dispelled by Chris Shipp (Fluor/DoE Strategic Petroleum Reserve), who cited a 2014 hack
that caused ‘massive damage’ to a German steel factory. Shipp offered
practical advice on specific risks from mobile devices and from attacks
that arrive via a vendor’s compromised network. He suggests an email
sandbox to check dodgy links as one component of a web traffic ‘kill
chain.’ Companies spend a disproportionate share of their security
budget on prevention. More should go towards remediation and recovery,
with a structured incident response. Shipp recommends a Valve Magazine analysis as bedtime reading. More from IQPC.
© Oil IT Journal - all rights reserved.