Protecting network assets for improved cyber security
In today’s "new normal" environment, advanced persistent threats (APTs) target the control systems of critical infrastructure with increasing frequency and ease. The motivations range from financial gain to physical damage and operational disruption, or a combination of all three. Adversaries such as cyber terrorists and nation-states seek the most opportune targets to meet their objectives.
For the past 15 years, cyber security and risk management professionals have warned that the oil and gas industry is a prime target for cyber attack, yet evidence of actual events was few and far between. Recently, however, incidents around the world have lent legitimacy to this warning, and, as a result, the oil and gas industry is on high alert.
If you were to ask an engineer or operator of industrial oil and gas facilities, refineries, and pipelines about their cyber security concerns, asset management is, and has been, at the very top of the list. Whether the engineer or operator is formally trained in cyber security or has inherited this newfound burden of responsibility, maintaining the integrity and availability of assets is now part of everyone’s commission.
Defining the problem: IT vs. process control
While the security challenges are fairly simple to understand, they are in fact complicated to mitigate, let alone to prevent. Oil and gas facilities, both onshore and offshore, have a multitude of nodes attached to their networks and usually a number of distinct network segments. These nodes are split up so that normal business, or IT, traffic is separated from control systems and ancillary data, ensuring each network has the required level of security. The business network, commonly offshore, may have many different devices, including bring-your-own-device (BYOD), and these networks are often more open. Although internal and unregulated, however, they have strict policies and procedures to limit what connects to them and how.
In contrast, the process control network, which transmits operational information to and from supervisory control and data acquisition (SCADA) systems, is normally an isolated network. As such, there are often significant restrictions on what can connect, since the opportunities for rogue or misconfigured devices to disrupt fragile environments are abundant. While IT networks were built with security as a primary concern, they are often fluid, with devices continually joining and leaving. Process control networks are strategically designed for reliability and availability, in terms of both the assets on the network and the connections they make. In other words, these environments shouldn’t change much, if ever.
Understanding the risks: Upstream, downstream, and everywhere in between
Nodes, or connection points to the process control network, are prevalent onshore and offshore and present a variety of complicated risks to asset management. Both downstream and upstream, physical security is often impressive; however, the cyber security risks are high because large numbers of employees and visitors have direct access to operations and networks. Insufficient training and skills among on-site personnel often compound the risk further.
Under today’s threat landscape, asset management is most susceptible to cyber attack in the midstream—the pipelines, transportation vessels, and storage facilities that are central to the oil and gas production ecosystem. Often, these facilities are small, remote from the corporate offices, and operated by engineers who are unlikely to have formal cyber security training. The midstream represents a springboard of opportunities for adversaries who have the resources and time to infiltrate networks via remote access points. Once network access is obtained, adversaries can cause events such as operational shutdowns, pivot into the main corporate networks, and even gain control of pressure systems. These scenarios represent huge risk for an industry in which availability and integrity are of the utmost importance.
Seeing adversaries before they attack
The stability of process control networks opens the door to deploying utilities that can improve network security and give early warning of problems that may be occurring, such as misconfiguration or unauthorized access. For example, the introduction of a new device on the process control network should be infrequent enough to alert an operator immediately, so that he or she can confirm its authenticity or begin remediation. Other early warning signs that any engineer or operator can look for include:
- Devices that disconnect and reconnect to networks
- New communications between devices
- Whether or not devices match those identified on the inventory or tag list
- Unauthorized messages (Microsoft Windows update pop-ups, etc.)
- The presence of firmware updates downloaded to controllers or programmable logic controllers (PLCs)
Visible assets: the key to defense-in-depth
In an industry without regulations or universally accepted standards and guidelines, each and every oil and gas company must be responsible for its own governance and incident response planning. In today’s cyber security environment, a defense-in-depth strategy (the use of multiple security measures to combat sophisticated threats) is highly recommended.
For the oil and gas industry, a defense-in-depth strategy could include firewalls, intrusion detection, penetration testing, and, most importantly, situational awareness. Situational awareness is defined as uninterrupted visibility into network communications. Because it is proactive, situational awareness is an effective mitigation tactic for preempting attacks against industrial control systems before they cause a disruption. Gaining situational awareness includes:
- Identification of assets and protocols on a network—Much like building an inventory list, identifying assets and protocols allows operators and engineers to see all devices communicating on a network in real time.
- Deep packet inspection—Deep packet inspection simplifies the gathering of protocol information and validates communication between devices. It’s the most seamless way to identify ICS-specific malware before it penetrates.
- Asset anomaly detection—Asset anomaly detection identifies abnormalities in communications by measuring them up against a baseline of approved communications.
Situational awareness is especially beneficial for personnel who are less formally trained in cyber security, such as many of the engineers and operators of midstream assets.
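The early warning signs listed under "Seeing adversaries before they attack" and the asset identification and anomaly detection steps just above reduce to one mechanism: compare what is observed on the process control network against a tag list and a baseline of approved conversations. The following Python checker is an added example and is not code from the article or from NexDefense. The inventory, the IP addresses, the baseline and the observation records are all constructed for illustration; at a real site the inventory would come from the engineering tag list and the events from a passive network monitor or switch port logs.

```python
"""Early-warning checks for a process control network (added example).

Not code from the article or from NexDefense. The inventory, baseline,
addresses and observation records below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed tag list: asset tag -> (IP address, role).
INVENTORY = {
    "PLC-01": ("10.10.1.11", "plc"),
    "PLC-02": ("10.10.1.12", "plc"),
    "HMI-01": ("10.10.1.50", "hmi"),
    "HIST-01": ("10.10.1.60", "historian"),
}


@dataclass(frozen=True)
class Event:
    ts: int             # seconds since epoch (constructed values)
    src: str            # device that originated the flow or changed link state
    dst: str = ""       # peer for "flow" events, empty for link events
    proto: str = ""     # e.g. "modbus/502", empty for link events
    kind: str = "flow"  # "flow", "link_down" or "link_up"


def learn_baseline(events):
    """Build the approved-communication baseline from a known-good window.

    Each approved conversation is recorded as (src, dst, proto). Operators
    review the result before it becomes the reference point.
    """
    return {(e.src, e.dst, e.proto) for e in events if e.kind == "flow"}


def analyze(events, inventory=INVENTORY, baseline=(), reconnect_limit=1):
    """Compare observed events with the inventory and baseline.

    Returns a dict of alert lists, one per warning sign:
      unknown_device    - an address on the network that is not on the tag list
      new_communication - a (src, dst, proto) conversation absent from the baseline
      reconnect_churn   - a device whose link came up more than reconnect_limit times
      missing_device    - an inventoried asset never seen in the window
    """
    known_ips = {ip for ip, _ in inventory.values()}
    alerts = {"unknown_device": [], "new_communication": [],
              "reconnect_churn": [], "missing_device": []}
    seen_ips, flagged_unknown = set(), set()
    link_ups = Counter()

    for e in events:
        seen_ips.add(e.src)
        if e.kind == "link_up":
            link_ups[e.src] += 1
            continue
        if e.kind == "link_down":
            continue
        seen_ips.add(e.dst)
        for ip in (e.src, e.dst):
            if ip not in known_ips and ip not in flagged_unknown:
                flagged_unknown.add(ip)          # alert once per unknown address
                alerts["unknown_device"].append((e.ts, ip))
        if (e.src, e.dst, e.proto) not in baseline:
            alerts["new_communication"].append((e.ts, e.src, e.dst, e.proto))

    for ip, count in sorted(link_ups.items()):
        if count > reconnect_limit:              # repeated disconnect/reconnect
            alerts["reconnect_churn"].append((ip, count))
    for tag, (ip, _) in inventory.items():
        if ip not in seen_ips:                   # on the tag list but silent
            alerts["missing_device"].append((tag, ip))
    return alerts


# Constructed known-good window used to learn the baseline.
KNOWN_GOOD = [
    Event(900, "10.10.1.50", "10.10.1.11", "modbus/502"),
    Event(901, "10.10.1.50", "10.10.1.12", "modbus/502"),
    Event(902, "10.10.1.60", "10.10.1.11", "modbus/502"),
    Event(903, "10.10.1.60", "10.10.1.12", "modbus/502"),
]

# Constructed observation window containing several of the warning signs.
OBSERVED = [
    Event(1000, "10.10.1.50", "10.10.1.11", "modbus/502"),
    Event(1001, "10.10.1.60", "10.10.1.12", "modbus/502"),
    Event(1002, "10.10.1.77", "10.10.1.11", "modbus/502"),  # address not on tag list
    Event(1003, "10.10.1.50", "10.10.1.60", "smb/445"),     # HMI-to-historian SMB, not approved
    Event(1004, "10.10.1.11", kind="link_down"),            # PLC-01 drops off ...
    Event(1010, "10.10.1.11", kind="link_up"),
    Event(1020, "10.10.1.11", kind="link_down"),            # ... and again
    Event(1030, "10.10.1.11", kind="link_up"),
    Event(1040, "10.10.1.12", "10.10.1.11", "http/80"),     # PLC-to-PLC HTTP, not approved
]

if __name__ == "__main__":
    report = analyze(OBSERVED, baseline=learn_baseline(KNOWN_GOOD))
    for name, items in report.items():
        for item in items:
            print(name, item)
```

Run as-is, the script reports one unknown address (10.10.1.77), three conversations outside the baseline (the unknown device polling PLC-01, the HMI opening SMB to the historian, and PLC-02 opening HTTP to PLC-01), and reconnect churn on PLC-01. The point of the design is that every alert is grounded in something an operator already owns (the tag list and a reviewed known-good window), so a device being added, a controller flapping, or a new protocol appearing is visible without any knowledge of the attacker's tooling.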
It’s important to understand that no single cyber security solution is designed to stop all of the current threats to the oil and gas industry. In fact, threats will undoubtedly get worse. The challenge is not so much stopping attacks as working to mitigate damage or asset theft whenever such an event occurs.
– Graham Speake is a veteran cyber security expert for the oil & gas industry. Currently, Graham is the vice president and chief product architect at NexDefense and is a lead ICS trainer for the SANS Institute. Edited by Chris Vavra, production editor, CFE Media, Control Engineering, firstname.lastname@example.org.