ECIM keynote and interview - Patrick Reidy, CSC

Computer Sciences Corp. chief information security officer warns ECIM conference, ‘Cyber risk is a chronic disease that needs to be managed.’ In a follow-up interview with Oil IT Journal he discusses the risks of the cloud, of ‘free’ search, cyber standards and the risk from scada control systems.

In his keynote address to the 2015 ECIM data conference in Haugesund last month, Patrick Reidy, VP global cybersecurity with CSC, traced the evolution of cybersec thinking in oil and gas. Companies can no longer rely on just deploying a security patch and getting on with life, ‘the threats are way better than our defenses.’

Today’s CIOs are ‘disruptive innovators’ deploying mobile, ‘third platform’ apps to ‘millions of users and billions of things.’ ‘Smart’ pipelines may offer great leak detection but their scada systems were not designed for security. Industrial control systems in Iran and Germany have been breached causing physical damage. Drones too now represent a ‘huge new attack surface.’ The techniques once only available to government agencies (Reidy used to work for the FBI) are ‘moving down the criminal food chain.’ ‘Black hat’ sites such as Antidetect provide low cost identity masking and IP spoofing.

The average time from a threat’s arrival to its detection is a whopping 229 days - the longest 2,000 days. Reidy stated that the oil and gas sector is ‘47% penetrated and getting worse.’ Yet energy spends a measly 2% of its IT budget on cybersec (finance spend is 17%). Energy cybersec maturity is low and falling behind general industry.

For Reidy, the solution is to ‘integrate intelligence’ into your cybersec stance and to stop treating it as an IT problem. This involves asking ‘who are your enemies? What do they do and how?’ It is no longer possible to ‘stop the bad guys’. Cyber risk should be seen as a chronic disease that needs to be managed with a focus on assets and potential threats. In this context, useful resources include the Cyber intelligence tradecraft project at Carnegie Mellon and the Ponemon Institute’s incident response service. The days of a ‘moat and castle’ defense are over, with some 5 billion devices connected to the internet of things.

Interview

What risks does the cloud pose?

Possibly from an individual who’s just been fired uploading files to the cloud. This may be infrequent but can be extremely damaging.

What about information leaking out of a company, say by employees searching for sensitive information with Google?

If a service is free then you are the product! Search term analytics could be used to see where a company’s next hot prospects are located.

We have a hard time tracking the many US government initiatives in cybersec...

In the US, NIST and the Department of Energy are having an existential crisis. Folks are wondering who regulates what. To my way of thinking, it is the government’s job to regulate with high level standards although some are concerned with this approach. Cybersec is expensive, so why not go elsewhere?

We have reported on process control cybersec as it has swung from ‘deperimeterization’ and back to ‘reperimeterization.’ Where are we now?

Everything is connected. Pipelines are connected to control systems which are connected to the internet so you can send people to the right place. But these systems are not ready for the challenge and threats. Some of these things people do are dangerous.

What do you think of data diodes?

They are OK for read-only applications. But the real value is in communications with the control system so that, for instance, you can shut down a gas leak. Usability will always win over security even though I’m not sure this is a good thing! Companies want automation and machine to machine interaction, taking people out of the loop, lowering costs and raising efficiency.

This is something like a counsel of despair. There seem to be more problems than solutions.

Actually no. In the internet of things there is a finite amount of things that, say, a pipeline or plant should do. So it is actually easier to protect than some consumer environments. A pipeline will never visit Yahoo or browse the Internet. So you can check the outgoing traffic or, for a control system, see if the commands are coming from Russia!

But these can be spoofed à la Antidetect above…

There are ways of spoofing IP4 packets. But at a higher level, attackers are unlikely to have enough context to spoof convincingly. You can also add protection from e.g. biometric technology as used in healthcare. In the end though, given enough resources, anything can be spoofed. More from CSC.

© Oil IT Journal - all rights reserved.