Cyber security round-up

Trend Micro on oil and gas cyber risks. CSTB workshop on artificial intelligence and cyber security. Cegal on IT/OT convergence and its ‘connect@plant’ solution. McAfee on risks of cloud APIs. Ultra Petroleum deploys Datrium ransomware protection. Mol selects MobileIron’s security. Baker Hughes/Nexus Controls adds Tripwire threat monitoring to SecurityST. EU cybersecurity taxonomy. Ken Munro hacks a MODU. NIST reports on supply chain cyber risk management. Yokogawa gets ISASecure certification.

A report from Trend Micro Research investigates the cyber risks that face the oil and gas industry and its supply chain. Trend Micro finds that geopolitics and espionage motivate attackers targeting the oil and gas industry. While attacks are not always sophisticated, they often target and impact production, causing real-world damage. Trend Micro recommends deployment of a range of defensive strategies including two-factor authentication for changes to DNS settings, data integrity checks, implementing DNSSEC, SSL certificate monitoring and training. Read the complete report here.

The US National Academies Press recently published the proceedings of a workshop on the implications of artificial intelligence for cybersecurity, a free, 99-page PDF download. Interest in artificial intelligence (AI) and machine learning (ML) has boomed in recent years. At the same time, computing and communications technologies present serious security concerns. The report provides a potted history of cyber security and AI. Notable prior art includes the Lockheed Martin cyber kill chain, the DARPA High-Assurance Cyber Military Systems program and others. While AI’s role in cyber defense has yet to be established, its role in cyber attack is evidenced in authentication-based attacks (spoofing voice-activated systems) and in spear-phishing. DARPA’s Cyber Grand Challenge competition investigated the potential for AI to ‘assist deeper’ into the cyber kill chain. Tufts’ Kathleen Fisher observed that ‘AI has the potential to fuel a cyber arms race as cyber weapons operate much faster than humans’. The workshop was held under the auspices of the National Academies of Science Computer Science and Telecommunications Board.

Cegal’s Henrik Skandsen blogged recently on the importance of asset and plant security. Previously, operational technology (OT) and industrial control systems (ICS) were separate from an organization’s IT systems. The advent of Industry 4.0 and the Industrial Internet of Things (IIoT) is making for IT/OT convergence and new security threats. The SANS Institute* 2019 State of OT/ICS Cybersecurity Survey found that over 50% of respondents perceived OT/ICS cyber risk as either severe, critical or high. Skandsen recommends leveraging three cybersecurity standards: IEC 62443 (OT security), ISO 27000 (IT security) and the NIST Cyber Security Framework. Operators can either plough through this voluminous paperwork (ISO 27000 alone has 46 parts) or call on Cegal, whose Connect@Plant security solution will do it for you.

* SysAdmin, Audit, Network, Security. See also the upcoming SANS 2020 Automation and integration survey panel discussion.

The risks associated with API access to the cloud are highlighted in the McAfee Labs 2020 Threats Predictions Report. 2020 will see APIs exposed as the weakest link leading to cloud-native threats, particularly as API security readiness lags behind other aspects of application security.

Wyoming-based oil and gas producer Ultra Petroleum has selected Datrium’s ‘DRaaS’ (disaster recovery as-a-service) to combat ransomware and recover from disasters. DRaaS provides VMware workloads with a built-in backup and instant recovery service. Ultra Petroleum now uses the cloud for disaster recovery ‘at a fraction of the cost of a second data center’. More from Datrium at datrium.com.

Mol Group has deployed MobileIron’s ‘zero trust’ mobile security platform to provide employees with secure access to remote resources. The unified endpoint management solution was deployed by MobileIron partner S&T Consulting.

Nexus Controls, a Baker Hughes business, is to add Tripwire’s industrial cybersecurity solution to its SecurityST cybersecurity offering for operational. SecurityST offers proactive protection and centralized reporting to manage cyber risk and comply with global security standards. Tripwire adds expanded threat monitoring and mitigation with passive data collection and advanced logging capabilities. Tripwire also helps detect configuration drift and maintains system integrity and compliance with industry standards such as IEC 62443 and NIST SP 800-82. More from Tripwire.

The EU Commission has issued a proposal for a European Cybersecurity Taxonomy, to align cybersecurity terminologies, definitions and domains into a coherent and comprehensive taxonomy to facilitate the categorization of EU cybersecurity competencies.

Ken Munro (Pen Test Partners), speaking at the 2019 OilComm conference in Houston, gave a keynote talk on ‘hacking a mobile drilling platform’. Most ships and MODUs are connected to the internet and are likely visible with a tool like Shodan, possibly exposing sensitive information like passwords. Vessels can be tracked in real time with live AIS data. Satcom systems and other onboard hardware including IoT devices represent a multiplicity of attack points unless password access is configured correctly. By default, this is unlikely. System upgrades may reset passwords to ‘admin’. Some hydraulics and industrial control systems have no security at all, a fact that does not seem to trouble the vendors unduly! Marine electronic chart displays have been spoofed to make vessels appear to be 1km wide, ‘blocking’ shipping lanes. Autopilots have been hacked. Check out Munro’s blog for advice on satcom systems security hardening and to get a security audit of your rig from the experts.

The US National Institute of Standards and Technology has also been investigating cyber risks across the supply chain. A draft publication, ‘Key Practices in Cyber Supply Chain Risk Management (Draft NISTIR 8276)’, proposes strategies to address cybersecurity issues posed by systems built using components and services supplied by third parties.

Yokogawa has obtained ISASecure security development lifecycle assurance (SDLA) certification from the ISA Security Compliance Institute. The certification, obtained through a third-party evaluation, assures that Yokogawa’s development processes meet the requirements for developing secure control system products. Yokogawa previously obtained ISASecure for its Centum VP integrated production control system and ProSafe-RS safety instrumented system. Certification was granted on the basis of an examination to verify compliance with the IEC 62443-4-1 standard and certain other requirements.


© Oil IT Journal - all rights reserved.