THE STATE OF THE ICS CYBERSECURITY THREAT LANDSCAPE FOR DIGITAL OILFIELDS
1. Classification:
The State of Control Systems Cyber Security 2022 for Digital Oilfields
Michael Holcomb, Fellow – Cyber Security, CISSP, GRID, GICSP, ISA/IEC 62443
michael.holcomb@fluor.com
2. Overview
Classification: General
Why Are We Here?
Examples of Real-World ICS Attacks
What Are We Protecting In Cyber Security?
Who, What, Where and Why
Protecting Our Sites
So Why Does it Matter?
GV20181311-004
4. Examples of Real-World ICS Attacks
1982: Trans-Siberian pipeline explosion
2003: SQL Slammer brings down the Davis-Besse plant
2009: Conficker infects power plants in the U.S.
2010: Stuxnet discovered
2015: Ukrainian power grid taken offline
2016: Ukrainian power grid taken offline (yes, again)
2017: Attackers compromise Safety Instrumented Systems (SIS)
2021: Major gas pipeline taken offline due to ransomware
5. Examples of Real-World ICS Attacks (Oilfields)
2013: Several rigs knocked offline when employees downloaded infected pirated videos to their personal laptops over the rigs’ satellite Internet connections
2020: Oil rig manufacturer taken offline by ransomware
9. Dragos’ “Year in Review” Reports
Dragos, founded by Rob M. Lee, is one of the global leaders in ICS security
– Rob M. Lee established the ICS monitoring group for the United States’ National Security Agency (NSA)
Covers four different aspects of ICS security:
– Threat Actors
– Vulnerabilities
– Incident Response
– Industrial Cybersecurity Strategy
Source: https://dragos.com/year-in-review/
10. Why Are They Attacking?
Information gathering and espionage
Operational disruption
Reputational loss
Cyber terrorism
Impact Safety
Money
Nation-State Actors
Commodity Malware
11. What and Where Are They Attacking?
Attacks are significantly increasing in frequency and impact
New nation-state and other attack groups with advanced capabilities are being identified each year
The majority of control environments have operations impacted by commodity malware infections which start in the enterprise or third-party networks
Most attacks leverage “Living off the Land” techniques, which bypass traditional detection means
Supply chain compromises continue to be on the rise
12. ICS Environment Assessment Observations
86% of environments did not have the visibility required to effectively identify an intrusion
77% of penetration tests resulted in initial access being obtained in an easy manner
44% of networks had shared credentials between the IT network and the ICS network
70% of IR engagements involved ICS networks which were accessed from the Internet
58% of ICS facilities had a solid Incident Response Program
14. Protecting Our Industrial Facilities
Network Segmentation
– Use the Purdue Model to ensure that the control network and other network segments at the facility are properly segmented with restrictive firewalls configured to block all traffic by default
Increase Detection Capabilities
– Deploy passive detection capabilities which identify any abnormal activity on the control network for immediate investigation
Increase Response Capabilities
– Build an Incident Response program specific to the ICS environment to be able to effectively contain and eradicate incidents in a timely manner
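As an added illustration that is not part of the slides, the first two controls above (Purdue-style segmentation with a default-deny policy, and passive detection of abnormal control-network activity) can be combined in one flow-baseline check; the address plan, zone names, conduit policy and flow records below are constructed assumptions.

```python
import ipaddress

# Hypothetical address plan (constructed for this example) mapping subnets to Purdue zones.
ZONES = {
    ipaddress.ip_network("10.1.0.0/16"): "enterprise",  # Level 4/5: corporate IT
    ipaddress.ip_network("10.2.0.0/24"): "dmz",         # Level 3.5: jump hosts, data relays
    ipaddress.ip_network("10.3.0.0/24"): "control",     # Level 2/3: HMIs, engineering stations
    ipaddress.ip_network("10.4.0.0/24"): "field",       # Level 0/1: PLCs, RTUs
}

# Default-deny conduit policy: connections may only be initiated across these zone
# boundaries, in this direction; anything else (including the Internet) is denied.
ALLOWED_CROSSINGS = {("enterprise", "dmz"), ("dmz", "control"), ("control", "field")}

# Learned baseline of (initiator, responder, destination port) tuples, constructed here.
BASELINE = {
    ("10.3.0.10", "10.4.0.5", 502),    # HMI polling a PLC over Modbus/TCP
    ("10.2.0.2", "10.3.0.10", 3389),   # jump host reaching the HMI
    ("10.1.0.50", "10.2.0.2", 3389),   # IT user reaching the jump host
}

# Constructed observations: the baseline plus three flows a passive sensor newly sees.
OBSERVED = BASELINE | {
    ("10.1.0.77", "10.4.0.5", 502),      # IT workstation talking straight to a PLC
    ("203.0.113.9", "10.3.0.10", 3389),  # Internet host reaching an HMI
    ("10.3.0.10", "10.4.0.6", 502),      # HMI polling a PLC that is not in the baseline
}

def zone_of(ip):
    """Map an address to its Purdue zone; anything outside the plan is 'external'."""
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES.items():
        if addr in net:
            return name
    return "external"

def evaluate(flow, baseline=BASELINE):
    """Return the findings (possibly none) for one (initiator, responder, port) record."""
    src, dst, dport = flow
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    findings = []
    if src_zone != dst_zone and (src_zone, dst_zone) not in ALLOWED_CROSSINGS:
        findings.append(f"policy: {src_zone}->{dst_zone} crossing not permitted ({src}->{dst}:{dport})")
    if flow not in baseline:
        findings.append(f"baseline: never-seen talker pair {src}->{dst}:{dport}")
    return findings

def scan(flows, baseline=BASELINE):
    # Keep only the flows that produced at least one finding, keyed by flow tuple.
    return {f: r for f in flows if (r := evaluate(f, baseline))}
```

A policy finding means the segmentation firewall should already have blocked the flow, so seeing it on the wire is itself evidence of a gap; a baseline-only finding is a new talker pair to investigate.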
15. Protecting Our Industrial Facilities (cont.)
Conduct Risk Assessments
– Leverage existing frameworks such as ISA 62443 to identify gaps in the environment’s cyber security and physical engineered controls
Awareness Training
– Ensure all computer-based users at a facility receive security awareness training, especially in identifying and not falling victim to phishing emails
Secure Remote Access
– Use Multifactor Authentication (MFA) to secure remote access. Use other security controls such as dial back and monitored jump hosts as alternatives when necessary.
16. Thank You!
Please reach out at any time with cyber security related questions!
Michael Holcomb
michael.holcomb@fluor.com
864.281.5958
linkedin.com/mikeholcomb
Editor's Notes
Don’t forget to add the classification in the footer.
How to add the classification:
Click “View” tab
Select “Slide Master”
Select the first slide (push pin will appear to the left of the master slide)
Click the “Classification” text box at the bottom of the slide and add the classification
Save and select “Close Master View” in the task bar at the top (far right)
Data Classifications:
Public – Data/ information is publicly accessible
(e.g. Welcome to Fluor, who we are, what we do, job openings, etc.)
General – Data available to all Fluor employees and is for internal use only
(e.g. Fluor policies, job duties, login ID’s, etc.)
Restricted – Data available to specific groups of Fluor employees, with increased restrictions on access
(e.g. personal email address, non-confidential Client information, Fluor-developed or trademarked tools, Procurement documents, etc.)
Confidential – Data available to specific individual Fluor employees and access is granted on a need-to-know basis
(e.g. individual personal data (SSN, DOB, home address/phone); government issued ID’s; trade secrets; patent applications; corporate financials, pre-release; Client confidential information; contract information; etc.)