SMi 2015 Oil and gas cyber security conference, Oslo

NIST/DoE capability maturity model. Oil and gas cyber security information sharing center. Secure-NOK’s cybersecurity for drilling handbook. FBI on the Havex virus. Iguana’s ‘Blue Box.’

SMi’s Oil and Gas Cyber Security proved a rich source of information on various initiatives underway to protect oil companies’ business and control systems’ networks from what is perceived as a growing threat. Donna Dodson from the US National institute of standards and technology outlined the 2013 presidential executive order 13636 which sparked off Nist’s cross-industry voluntary framework for reducing cyber risks to critical infrastructure. The US Department of energy has been named as the energy sector-specific agency and has worked to adapt the framework to energy sector owners and operators. The DoE has produced a guidance document from the framework which includes a capability maturity model for self-testing.

Michael Lewis outlined Chevron’s involvement in the DoE initiative and introduced the Oil and natural gas information sharing and analysis center, created to ‘provide shared intelligence on cyber incidents, threats, vulnerabilities, and associated responses present throughout our industry.’ Also of note are the API’s IT security subcommittee and a similar initiative from the American gas association.

These initiatives were analyzed by Siv Hilde Houmb, a ‘white hat’ hacker who heads up Norwegian cyber security specialist Secure-NOK. There has been criticism of the ‘voluntary’ aspect of Nist compliance. Over the next decade it is likely that the framework will become the de facto industry standard. It is expected that increased regulatory powers will make reporting of cyber breaches mandatory for SE-regulated companies, even if no damage is done, as this is deemed ‘material information.’ Moving to the EU, Houmb cited work done by the Netherlands-based WIB whose security requirements for process control leverage the Wurldtech/Achilles methodology. Secure-NOK has also produced a Cybersecurity drilling guidebook.

James Morrison of the FBI ran through the many ways in which hackers hack, with distributed denial of service and phishing being the main hostile acts. One company, Wombat, provides simulated phishing as part of awareness training for staff (including senior execs). Attacks on scada networks are on the rise, as witnessed by the 2014 Havex virus which uses remote access Trojans to attack electricity grids and oil pipelines. Unfortunately, according to a study by Frost & Sullivan, ‘Cyber security is currently not a spending priority among oil and gas companies.’ And attacks on oil and gas companies are underreported.

An alternative solution to process control was presented by Iguana Security’s Keith Chappell who is a ‘certified ethical hacker.’ Iguana’s ‘Blue box’ is a hardened alternative to the conventional router that is built in the UK using ‘no far eastern chipsets!’ The unit is claimed to move the attack surface away from the process network and onto a trusted device. More from Iguana and from SMi Conferences.


© Oil IT Journal - all rights reserved.