There were interesting papers presented at the Prospero 3rd cyber and scada security for oil and gas event held earlier this year in Amsterdam. Unfortunately, the ‘Chatham House’ rules that govern the event prevent us from reporting who said what or acknowledging anyone but the conference organizers.
One Norwegian service company has deployed Microsoft’s InTune company portal to securely manage its mobile users’ devices. All devices (corporate or BYOD*) must have the InTune software running to communicate with the corporate network.
An EU gas distribution network operator showed how the security of its trans-national scada network has evolved over the last 25 years or so. Initially, scada systems were protected simply by isolating them from external traffic. Over the years the network has been opened up to more and more services, and systems have been hardened. In the last few years, a new operational model has been deployed that necessitates more calculations and services that are consumed by geographically dispersed users. Data use has extended from operations to invoicing. In the meantime, the operator has decommissioned its legacy ABB Spider scada control system and replaced it with ABB’s Scada Network Manager. Security in the new environment is assured by homologated ICCP protocols between control centers, secure gateways and by real time monitoring and analysis of network traffic. The operator considers ICCP a necessary but not sufficient condition for its cyber protection, which has been further bolstered with the use of IPSec communications across the board. The company is keeping a close watch on evolving EU regulations touching on cyber security of critical infrastructure including oil and gas distribution.
Two presenters emphasized the need for network segmentation as a means of reducing the attack perimeter and limiting the impact of a possible hack. Segmentation involves dividing the network into smaller segments and isolating critical infrastructure. While this helps prevent unauthorized access and restricts the spread of malware, the challenge is then how to assure access for authorized users and to re-establish connections for essential systems. In this context, the Nixu cyber defense center got a brief plug.
A major EU refiner also insisted on the need for network segmentation and a strong separation between the enterprise information system and the industrial control system. Communications between the two environments must pass through a ‘physical firewall’, and dual-attached devices that span both systems are prohibited. Great attention is paid to the physical security of ICS components, which are assessed to assure appropriate degrees of protection and equipment redundancy. Wireless connections for control and safety functions are proscribed. While suitably robust wireless devices are authorized in some circumstances, such networks are considered potentially ‘hostile’ and must be isolated from process control at least through a level 1 dedicated firewall. The refiner is about to add further protection to its systems with the deployment of next-generation Intel/Stonesoft firewalls. These include intrusion detection, deep packet inspection, application-level control and a secure VPN. Other tools mentioned included Wireshark, Nessus (vulnerability scanner) and Nmap.
* bring your own device.
© Oil IT Journal - all rights reserved.