IQPC Oil & Gas Cyber Security Canada

Chevron on securing partners’ and supply chain systems with identity and access management. Fluor/Strategic Petroleum reserve and the web traffic ‘kill chain.'

Speaking at the recent IQPC Canadian oil and gas security conference, Chevron’s Zoltan Palmai outlined the complex security challenge of a major operator. An extended supply chain, joint operating agreements and reporting means that corporate systems are not only exposed to direct attacks, but also potentially at risk from multiple third party systems. Palmai advocates a clear analysis of roles and responsibilities. The process starts with a risk-based evaluation of partners that will inform an IT operating model which is included in joint venture and other contracts. Joint ventures are positioned in a value at risk/likelihood of breach matrix. Risks can then be ranked and an appropriate IT mitigation strategy applied.

The key to accessibility from multiple stakeholders is identity and access management (IAM). ‘Understanding and managing who has access to what is core to IT security.’ Today IAM is at an inflection point as mobile users, cloud-based systems and endpoints with different operating systems are commonplace. Happily identity federation is maturing and novel protocols can deliver IT services securely across system boundaries. HTTP-based applications can support a wide range of devices and trust frameworks from third vided identity source providers.

Oasis’ security services (SAML) has matured to the extent that it ‘no longer requires an encryption expert.’ Many popular languages now have a SAML API and third party providers offer IAM orchestration solutions. Nevertheless, few individuals are conversant with the technical details of the new IAM and explaining the change to management ‘has proved challenging.’

If there remains any doubt as to the risks that large organizations run, these were dispelled by Chris Shipp (Fluor/DoE Strategic petroleum reserve) who cited a 2014 hack that cause ‘massive damage’ to a German steel factory. Shipp offered practical advice on specific risks from mobile devices or from hacks that come in from a vendor’s compromised network. He suggests an email sandbox to check dodgy links as a component of a web traffic ‘kill chain.’ Companies spend a disproportionate amount of their security budget on prevention. More should go towards remediation and recovery with a structured incident response. Shipp recommends a Valve Magazine analysis as bedtime reading. More from IQPC.

Click here to comment on this article

Click here to view this article in context on a desktop

© Oil IT Journal - all rights reserved.