The document discusses cybersecurity risks in the oil and gas industry. It outlines critical systems used in upstream, midstream, and downstream processes like burner management systems, metering systems, and tank inventory systems. These systems connect to enterprise applications like SAP, which could be compromised through vulnerabilities, misconfigurations, unnecessary privileges, or custom code issues. The connections between IT and operational technology (OT) systems also create an attack surface, such as with SAP Plant Connectivity (PCo) and SAP xMII. Potential cyber attacks could include sabotaging equipment, disrupting production, manipulating data for fraud or espionage, or exploiting other vulnerabilities for further access into control systems.
Process Safety Life Cycle Management: Best Practices and ProcessesMd Rahaman
Learn how to transform your current process safety program to deliver intelligent and integrated safety solutions that can directly affect the bottom line, while simultaneously improving process and personnel safety.
AGENDA:
- About PCI DSS, ISO 27001, NERC, HIPAA, FISMA and EI3PA
- Best Practices and Cloud Implications for Integrated Compliance within IT Standards/Regulations
- Challenges in the Integrated Compliance Space
- Q&A
Process Safety Life Cycle Management: Best Practices and ProcessesMd Rahaman
Learn how to transform your current process safety program to deliver intelligent and integrated safety solutions that can directly affect the bottom line, while simultaneously improving process and personnel safety.
AGENDA:
- About PCI DSS, ISO 27001, NERC, HIPAA, FISMA and EI3PA
- Best Practices and Cloud Implications for Integrated Compliance within IT Standards/Regulations
- Challenges in the Integrated Compliance Space
- Q&A
How Does the New ISO 27001 Impact Your IT Risk Management Processes?Lars Neupart
There is a new ISO 27001 coming out later this year. It sets new requirements to your information security management systems (ISMS). This slide deck presents how the updated standard impacts your IT Risk Management processes. The slide deck is also presented in this webinar: http://www.neupart.com/events/webcasts
Practical Safety Instrumentation & Emergency Shutdown Systems for Process Ind...Living Online
COPY THIS LINK INTO YOUR BROWSER FOR MORE INFORMATION: bit.ly/1Htp9ZC
For project managers and engineers involved with hazardous processes, this workshop focuses on the management, planning and execution of automatic safety systems in accordance with IEC 61511, the newly released international standard for process industry safety controls.
IEC 61511 has been recognised by European safety authorities and by USA based process companies as representing the best practices available for the provision of automatic safety systems. The new standard captures many of the well established project and design techniques that have been described since 1996 in ANSI/ISA standard S84 whilst introducing many newer principles based on the master standard IEC 615108. The newly released standard IEC 61511 (published in 3 parts) combines the principles of IEC 61508 and S84 into a practical and easily understood code of practice specifically for end users in the process industries.
This workshop is structured into two major parts to ensure that both managers and engineering staff are trained in the fundamentals of safety system practices. The first part of the workshop, approx the first third, provides an overview of the critical issues involved in managing and implementing safety systems.
WHO SHOULD ATTEND?
Automation/machinery design engineers
Control systems engineers
Chemical or energy process engineers
Instrument/electrical engineers and technicians
Instrument suppliers technical staff
Maintenance supervisors
Project engineers and project managers
COPY THIS LINK INTO YOUR BROWSER FOR MORE INFORMATION: bit.ly/1Htp9ZC
Part 4 of 6 - Analysis Phase - Safety Lifecycle Seminar - Emerson Exchange 2010Mike Boudreaux
In San Antonio, Emerson Exchange 2010 featured a new Meet the Experts concept that provides participants to interact with recognized experts on focused topics. Emerson’s Mike Boudreaux provided a 2 hour session on Safety Lifecycle Management. This was an interactive short seminar that has been designed to help business leaders and managers in the process industries have a general understanding of existing industry standards and best practices for safety instrumented systems. This seminar provides a practical overview of the safety lifecycle, including key considerations for each phase. In addition to the typical design concepts related to safety instrumented functions and safety integrity levels, important concepts such as organizational design, competency management, planning, and continuous verification will be discussed.
Part 4 describes the Analysis Phase and explains the managment considerations for hazard and risk assessment, layers of protection analysis, and safety requirements specification.
The combustion process has always been considered having the potential for a hazardous event which could lead to personnel injury or loss of production. To mitigate this risk, the process industry is now implementing Safety Instrumented Systems which can identify hazardous operating conditions and correctly respond in such a way to bring the combustion process back to a safe operating condition or implement an automatically controlled shutdown sequence to reduce the risk of operator error causing a catastrophic event. Oxygen and combustible flue gas analyzers are now being utilized in these combustion Safety Instrumented Systems (SIS) to identify hazardous operating conditions and automatically return the process to a safe state. The standards of IEC 61511 and API RP 556 will be reviewed as they apply to flue gas analyzers, as well as the process variables of the oxygen and combustible analyzer available for implementation into the SIS system for combustion monitoring, and the resultant actions required to return the process to a safe condition.
Due to the dramatic increase of threats worldwide, there is a need for the companies to find ways how to increase the information security. Therefore, one solution is to implement the ISO/IEC 27001 in order to protect information both internally and externally.
Main points that will be covered are:
• The scope of ISO 27001 & associated other standards references
• Information Security and ISIM Terminologies
• ISIM auditing principles
• Managing audit program & audit activities
Presenter:
Eng. Kefah El-Ghobbas is a specialist in ‘Business Process Excellence' through ‘Business Process Re-engineering' with over 20 years of experience.
Link of the recorded session published on YouTube: https://youtu.be/rTxA8PVULUs
Active Directory in ICS: Lessons Learned From The FieldDigital Bond
Donovan Tindall of Honeywell at the S4x15 Operations Technology Day (OTDay). A meaty, but practical technical session on how to use Active Directory to help manage and secure your ICS.
SIL = Safety Integrity Level
•Safety systems are becoming increasingly instrumented
•Depending less on human intervention and operator’s ability to respond correctly in a given situation
•Depending more on instrumentation and programmable systems
•SIL requirements are intended to ensure the reliability of such safety instrumented systems
Oil and Gas iQ’s Cyber Security for Oil and Gas event will bring together relevant stakeholders to discuss the most pressing cyber security issues facing the oil and gas sector. Presentations will examine threat trends, identify immediate and long-term needs, and reveal up-and-coming technologies for use in evolving threat environments. Security managers, IT strategy implementers, and industry partners will gather in Houston, TX to network, share best practices and explore potential paths to mitigate the threat of energy-focused attacks from cyber adversaries. For more information visit http://bit.ly/1cwasCO
How Does the New ISO 27001 Impact Your IT Risk Management Processes?Lars Neupart
There is a new ISO 27001 coming out later this year. It sets new requirements to your information security management systems (ISMS). This slide deck presents how the updated standard impacts your IT Risk Management processes. The slide deck is also presented in this webinar: http://www.neupart.com/events/webcasts
Practical Safety Instrumentation & Emergency Shutdown Systems for Process Ind...Living Online
COPY THIS LINK INTO YOUR BROWSER FOR MORE INFORMATION: bit.ly/1Htp9ZC
For project managers and engineers involved with hazardous processes, this workshop focuses on the management, planning and execution of automatic safety systems in accordance with IEC 61511, the newly released international standard for process industry safety controls.
IEC 61511 has been recognised by European safety authorities and by USA based process companies as representing the best practices available for the provision of automatic safety systems. The new standard captures many of the well established project and design techniques that have been described since 1996 in ANSI/ISA standard S84 whilst introducing many newer principles based on the master standard IEC 615108. The newly released standard IEC 61511 (published in 3 parts) combines the principles of IEC 61508 and S84 into a practical and easily understood code of practice specifically for end users in the process industries.
This workshop is structured into two major parts to ensure that both managers and engineering staff are trained in the fundamentals of safety system practices. The first part of the workshop, approx the first third, provides an overview of the critical issues involved in managing and implementing safety systems.
WHO SHOULD ATTEND?
Automation/machinery design engineers
Control systems engineers
Chemical or energy process engineers
Instrument/electrical engineers and technicians
Instrument suppliers technical staff
Maintenance supervisors
Project engineers and project managers
COPY THIS LINK INTO YOUR BROWSER FOR MORE INFORMATION: bit.ly/1Htp9ZC
Part 4 of 6 - Analysis Phase - Safety Lifecycle Seminar - Emerson Exchange 2010Mike Boudreaux
In San Antonio, Emerson Exchange 2010 featured a new Meet the Experts concept that provides participants to interact with recognized experts on focused topics. Emerson’s Mike Boudreaux provided a 2 hour session on Safety Lifecycle Management. This was an interactive short seminar that has been designed to help business leaders and managers in the process industries have a general understanding of existing industry standards and best practices for safety instrumented systems. This seminar provides a practical overview of the safety lifecycle, including key considerations for each phase. In addition to the typical design concepts related to safety instrumented functions and safety integrity levels, important concepts such as organizational design, competency management, planning, and continuous verification will be discussed.
Part 4 describes the Analysis Phase and explains the managment considerations for hazard and risk assessment, layers of protection analysis, and safety requirements specification.
The combustion process has always been considered having the potential for a hazardous event which could lead to personnel injury or loss of production. To mitigate this risk, the process industry is now implementing Safety Instrumented Systems which can identify hazardous operating conditions and correctly respond in such a way to bring the combustion process back to a safe operating condition or implement an automatically controlled shutdown sequence to reduce the risk of operator error causing a catastrophic event. Oxygen and combustible flue gas analyzers are now being utilized in these combustion Safety Instrumented Systems (SIS) to identify hazardous operating conditions and automatically return the process to a safe state. The standards of IEC 61511 and API RP 556 will be reviewed as they apply to flue gas analyzers, as well as the process variables of the oxygen and combustible analyzer available for implementation into the SIS system for combustion monitoring, and the resultant actions required to return the process to a safe condition.
Due to the dramatic increase of threats worldwide, there is a need for the companies to find ways how to increase the information security. Therefore, one solution is to implement the ISO/IEC 27001 in order to protect information both internally and externally.
Main points that will be covered are:
• The scope of ISO 27001 & associated other standards references
• Information Security and ISIM Terminologies
• ISIM auditing principles
• Managing audit program & audit activities
Presenter:
Eng. Kefah El-Ghobbas is a specialist in ‘Business Process Excellence' through ‘Business Process Re-engineering' with over 20 years of experience.
Link of the recorded session published on YouTube: https://youtu.be/rTxA8PVULUs
Active Directory in ICS: Lessons Learned From The FieldDigital Bond
Donovan Tindall of Honeywell at the S4x15 Operations Technology Day (OTDay). A meaty, but practical technical session on how to use Active Directory to help manage and secure your ICS.
SIL = Safety Integrity Level
•Safety systems are becoming increasingly instrumented
•Depending less on human intervention and operator’s ability to respond correctly in a given situation
•Depending more on instrumentation and programmable systems
•SIL requirements are intended to ensure the reliability of such safety instrumented systems
Oil and Gas iQ’s Cyber Security for Oil and Gas event will bring together relevant stakeholders to discuss the most pressing cyber security issues facing the oil and gas sector. Presentations will examine threat trends, identify immediate and long-term needs, and reveal up-and-coming technologies for use in evolving threat environments. Security managers, IT strategy implementers, and industry partners will gather in Houston, TX to network, share best practices and explore potential paths to mitigate the threat of energy-focused attacks from cyber adversaries. For more information visit http://bit.ly/1cwasCO
Cyber Security IT GRC Management Model and Methodology.360factors
A discussion and presentation on cyber security trends in oil and gas, the benefits of an IT GRC Management System, and IT GRC Management Model and Methodology.
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case StudyHoneywell
Joint presentation with Accenture that illustrates the significant time savings, security enhancements & cost reductions in implementing ICS cyber security.
In this presentation from the recent AWS Oil & Gas event in Aberdeen we introduce the AWS cloud, its benefits and some of the organisations that are using AWS today.
We also cover some specific use-case and case-studies in the oil and gas sector.
Visit http:aws.amazon.com/hpc for more information about HPC on AWS.
High Performance Computing (HPC) allows scientists and engineers to solve complex science, engineering, and business problems using applications that require high bandwidth, low latency networking, and very high compute capabilities. AWS allows you to increase the speed of research by running high performance computing in the cloud and to reduce costs by providing Cluster Compute or Cluster GPU servers on-demand without large capital investments. You have access to a full-bisection, high bandwidth network for tightly-coupled, IO-intensive workloads, which enables you to scale out across thousands of cores for throughput-oriented applications.
2015 Oil and Gas Digital and Technology Trends Surveyaccenture
The latest digital energy survey by Accenture and Microsoft reveals the resilience of digital technology investment in the oil and gas industry – despite volatile oil prices.
Slide Griffin - Practical Attacks and MitigationsEnergySec
Over the past few years, penetration testing has gotten easier. What used to take a week of scanning, analysis, and exploit research now happens in one day on average in a common IT environment. The efficiency of compromise has increased based on several factors including increased knowledge sharing, more robust computing, and automated exploitation tools. OT environments are often utilizing the same operating systems and are prone to many of the same attacks. The main differences are the presence of custom protocols, embedded systems, and lack of formal security programs to address the gaps created by two-way data communication networks.
This talk will show the most common attacks which our team currently uses to gain access and control over the networks and systems we test. More importantly, we will discuss the “top 10” things an organization can do to mitigate, remediate, and have active visibility into critical systems.
Ten Things You Should not Forget in Mainframe Security CA Technologies
Given the current state of security and breaches in the news every day, you won’t want to miss this session. We will cover the top 10 areas that you should be reviewing as a security practitioner that most organizations overlook. With the knowledge taken from this session, you will be able to better educate your staff and auditors about how to take security to the next level for your business and protect z/OS®.
For more information, please visit http://cainc.to/Nv2VOe
5 real ways to destroy business by breaking SAP applicationsERPScan
SAP is the most popular business application with more than 263000 customers worldwide.
SAP risks can be divided into three groups: Espionage, Sabotage and Fraud.
The presentation provides a review of 5 most dangerous risks any business may face with. For every risk, there is its type, attack scenario, affected sector, and vulnerable module.
Atti del convegno
Project financing e grandi gare: master plan Abbanoa 2017
Le tecnologie a basso impatto ambientale per il risanamento e rinnovamento delle reti idriche: aspetti progettuali, nuovi materiali, soluzioni tecniche.
Cagliari, 30/06/2017
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
Key Discussion Pointers:
1. Introduction to Data Privacy
- What is data privacy
- Privacy laws around the globe
- DPDPA Journey
2. Understanding the New Indian DPDPA 2023
- Objectives
- Principles of DPDPA
- Applicability
- Rights & Duties of Individuals
- Principals
- Legal implications/penalties
3. A practical approach to DPDPA compliance
- Personal data Inventory
- DPIA
- Risk treatment
It covers popular IaaS/PaaS attack vectors, list them, and map to other relevant projects such as STRIDE & MITRE. Security professionals can better understand what are the common attack vectors that are utilized in attacks, examples for previous events, and where they should focus their controls and security efforts.
Discuss Security Incidents & Business Use Case, Understanding Web 3 Pros
and Web 3 Cons. Prevention mechanism and how to make sure that it doesn’t happen to you?
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
Round Table Discussion On "Emerging New Threats And Top CISO Priorities In 2022"_ Bangalore
Date - 28 September, 2022. Decision Makers of different organizations joined this discussion and spoke on New Threats & Top CISO Priorities
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
Cloud Security Groups are the firewalls of the cloud. They are built-in and provide basic access control functionality as part of the shared responsibility model. However, Cloud Security Groups do not provide the same protection or functionality that enterprises have come to expect with on-premises deployments. In this talk we will discuss the top cloud risks in 2020, why perimeters are a concept of the past and how in the world of no perimitiers do Cloud Security groups, the "Cloud FIrewalls", fit it. We will practically explore Cloud Security Group limitations across different cloud setups from a single vNet to multi-cloud
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain the transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
The Internet is home to seemingly infinite amounts of confidential and personal information. As a result of this mass storage of information, the system needs to be constantly updated and enforced to prevent hackers from retrieving such valuable and sensitive data. This increasing number of cyber-attacks has led to an increasing importance of Ethical Hacking. So Ethical hackers' job is to scan vulnerabilities and to find potential threats on a computer or networks. An ethical hacker finds the weakness or loopholes in a computer, web applications or network and reports them to the organization. It requires a thorough knowledge of Networks, web servers, computer viruses, SQL (Structured Query Language), cryptography, penetration testing, Attacks etc. In this session, you will learn all about ethical hacking. You will understand the what ethical hacking, Cyber- attacks, Tools and some hands-on demos. This session will also guide you with the various ethical hacking certifications available today.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
2. #RSAC
About ERPScan
2
The only 360-degree SAP Security solution - ERPScan Security
Monitoring Suite for SAP and Oracle
Leader by the number of acknowledgements from SAP ( 250+ ) and
Oracle (40+)
80+ presentations key security conferences worldwide
30+ Awards and nominations
Research team – 20+ experts with experience in different areas of
security from ERP to ICS and Mobile
Offices in Palo Alto, Amsterdam, Copenhagen, Sidney
4. #RSAC
How does traditional VAPT works
4
A company hire experts for VAPT service or Product
Those specialists run some pentesting tools
They (may) manually test vulnerabilities, escalate privileges and
as a result write report about vulnerabilities
Report looks like
“we found vulnerability X on the server Y
look at the black screenshot with command line”.
6. #RSAC
Why?
6
Everybody know that there are vulnerabilities in almost every
system
The question now
how dangerous are they
how easy is to exploit them
what can happen after the exploitation?
and what kind of REAL risks to YOUR organization it provides.
11. #RSAC
Upstream: Critical processes and systems
11
Extraction (Drilling)
Gathering (From earth to separators)
Separation (Separate oil, gas and water)
Gas compression (Prepare for storage and transport)
Temporary Oil Storage (Temporarily store before loading)
Waste disposal (Water disposal)
Metering (Calculate quantity before loading)
12. #RSAC
Midstream: Critical processes and systems
12
Terminal management (Obtain oil from upstream)
Gas Processing (Separate natural gas and NGL)
Gas Transportation (Transfer gas to storage via pipelines)
Oil transportation (Transfer oil to storage via pipeline/Truck/Barge/Rail)
Base load Gas storage (Temporary and long-term)
Peak load Gas Storage
LNG Storage
Oil Storage (Long-term oil storage)
13. #RSAC
Downstream: Critical processes and systems
13
Refining (Processing of Crude Oil)
Oil Petrochemicals (Fabrication of base chemicals and plastics)
Gas Distribution (Deliver gas to utilities)
Oil Wholesale (Deliver petrol to 3rd parties)
Oil Retail (Deliver petrol to end users)
19. #RSAC
When we speak about securing oil and gas companies we should cover
Operational Technology security
Enterprise Application security
Connections security
Three aspects of Oil and Gas Cyber Security
19
21. #RSAC
Oil and Gas Cyber-Security (OT part)
21
3 Areas:
Upstream
Midstream
Downstream
20+ processes:
Separation
Drilling
………
100+ System Types:
Burner Management
Fiscal Metering
….
1000+ Solutions
from hundreds of vendors:
Emerson
Rockwell
Siemens
….
22. #RSAC
Lets look at those systems
22
Burner Management System (Gas Oil Separation)
Metering (Fiscal Metering System (Metering)
Tank Inventory System (Oil Storage )
23. #RSAC
Gas Oil Separation
23
Risks:
Product Quality, Equipment damage, Plant Sabotage, Production
Disruption, Compliance violation
Details
Separate Oil, Gas and Water using multiple stages
Systems
Burner Management Systems (BMS)
Compressor Control System (CCS)
Vibration Monitoring System (VMS)
24. #RSAC
SEPARATION: Burner Management System
(BMS)
24
Description
Used in a variety of applications: Separators, tanks, heaters,
Incinerators, flare stacks, etc.
Systems:
Management: Emerson’s DeltaV SIS, Invensys BMS, Honeywell’s
BMS, Combustex BMS-2000, Allen-Bradley, Siemens SIMATIC
BMS400F
PLC vendors: GE, Modicon, Allen-Bradley, Koyo, Siemens
Flame sensors: Fireye, PPC, Honeywell, IRIS, Coen
25. #RSAC
SEPARATION: Burner Management System
(BMS)
25
Simple Burner Management System
https://cache.industry.siemens.com/dl/files/036/109477036/att_856487/v2/109477036_Burner_Application_Example_TIAP_DOC_v102_en
.pdf
27. #RSAC
SEPARATION: Burner Management System
(BMS)
27
If an attacker wants to commit sabotage and stop operations
by destructing burning process, he needs to control any of
the sources of flammable mixtures
28. #RSAC
Flammable mixture sources:
28
Oil or gas leaking into the combustion chamber through the burner as a
result of leaking fuel shut off valves.
insufficient combustion air resulting unburnt fuel in the dust collector.
oil is not properly purged
Quenching of the flame by cold dust entering the furnace
Fuel entering the furnace as a result of repeated unsuccessful ignition
attempts. This is the significant risk with oil firing, A typical cause is a
cold oil remaining in pipes during a shutdown
29. #RSAC
SEPARATION: Burner Management System
(BMS)
29
The main function of the BMS is to allow and ensure the safe
start-up, operation, and shutdown of the Fired Heater.
Unauthorized access to BMS can lead to multiple risks including
Explosion.
The simplest attack on BMS System is to turn off the purge.
Cold oil left in pipes during previous shutdowns can burn and
damage the equipment.
30. #RSAC
Metering
30
Risks:
Product Quality, Monetary loss
Details
Analyzes density, viscosity of content, temperature, and pressure
Divided into several runs
Systems
Fiscal Metering System
Liquid Flow Metering
Gas Flow Metering System
Wet Gas Metering System
31. #RSAC
Fiscal Metering
31
Description
Custody transfer, or fiscal metering, occurs when fluids or gases
are exchanged between parties.
Payment is a function of the amount of fluid or gas transferred.
A small error in measurement leading to financial exposure
Over a year, the 0.1% error would amount to a difference of
$50m.
The engine of a custody transfer or fiscal metering installation is
the flow computer.
32. #RSAC
Fiscal Metering Systems
32
Production Accounting System
FlawCall – FlawCall Enterprise (connected with IT)
KROHNE SynEnergy (connected with IT)
Honeywell’s Experion® Process Knowledge System (PKS), MeterSuite™
Schneider Electric InFusion
Schneider Electric SCADAPack
Flow computing
KROHNE Summit 8800, ABB TolatFlow, Emerson FloBoss S600 (previously
known as Daniel DanPac S600), Schneider Electric Realflo
33. #RSAC
OIL STORAGE
33
Risks
Plant Sabotage/Shutdown, Equipment damage, Production Disruption, Compliance violation, Safety
violation
Description
Consist of 10-100+ tanks with 1-50m barrels
Tank Inventory Systems (TIA) collects data from special tank gauging systems
Accurate records of volumes and history are kept for Forecasting for stock control
Tank level deviations can result in hazardous events such as a tank overfilling, liquefied gas flashing,
etc.
Systems
Terminal Management Systems, Tank Inventory Systems, Tank Management Systems
34. #RSAC
Tank Inventory Systems
34
Terminal Management
Honeywell Enfaf TM BOX (connected with IT)
Emerson Syncade Terminal Logistics (connected with IT)
Emerson Rosemount TankMaster WinOpi
View and control commands
Change alarm (Level, Temperature, Pressure)
Send management commands servo tanks (Freeze, Lock)
37. #RSAC
Enterprise usage: Business Applications
37
70 million barrels per day of oil are produced by companies
using SAP solutions
(75% of total Oil production)
38. #RSAC
SAP in Oil and Gas
38
According to SAP:
..platform for operations and
maintenance, to enable you to gather,
analyze, decide, and execute across
the many elements that drive
performance of assets….
39. #RSAC
Enterprise applications VS Oil And Gas
processes
39
PPM (Project portfolio management)
ALM (Asset Lifecycle Management)
LIMS (Laboratory Information Management System)
PAS (Production Accounting System)
ERP (Enterprise Resource Planning)
+ HR, CRM, PLM, SRM, BI/BW, SCM
40. #RSAC
Enterprise applications
40
PPM <-> Exploration
ALM <-> Refinery, Separation, etc.
LIMS <-> Refinery, Separation
PAS <-> Tank Inventory, Metering
ERP <-> Tank Inventory, Metering
+ HR, CRM, PLM, SRM, BI/BW, SCM
41. #RSAC
Project Portfolio Management (PPM)
41
Risks:
Espionage – information about new explorations
Fraud – improper management decisions, lost profits
Advantages:
Enhancing visibility and transparency
Examples:
SAP PPM, Oracle Primavera, MS Project, MS SharePoint
42. #RSAC
Asset Management and Operational Integrity
42
Risks:
Fraud – fake data about asset conditions
Sabotage - Physical damage to production and engineering devices
Compliance Violation – Data manipulation to give an illusion of Compliance
Advantages:
Maintain integrity of your physical assets
Manage emissions, hazardous substances, and product and regulatory compliances
Applications:
SAP PM (Plant Maintenance), SAP EAM, AssetWise APM, Oracle EAM, Avantis, IBM
Maximo, Aspentech PIMS
43. #RSAC
LIMS (Laboratory Information Management)
43
Risks
Fraud – modifying sample data results
Espionage – stealing secret information
Sabotage – publication of non-compliant results, denial of service attacks
Advantages:
quality control of the samples, utilized equipment and inventory
the storage, inspection, assignment, approval, and compilation of the sample data for
reporting and/or further analysis
Examples:
LabWare, thermoscientific, AspenPIMS and In-house developments on Oracle DB
44. #RSAC
Production Accounting
44
Risks
Supply chain Availability – direct impact on cost effectiveness
Fraud – Manipulations with quantities
Advantages:
Production accounting
Automated data collection and validation
Forward looking production planning
Examples
SAP IS-OIL PRA, SAP ERP MM-IM, Honeywell PAR
45. #RSAC
ERP
45
Risks
Supply chain Availability – direct impact on cost effectiveness
Fraud – Manipulations with quantities
Advantages:
Forward looking production planning
Automated data collection and validation
Analyze production deferments
Production accounting
Systems
SAP ECC IS-OIL, SAP IS-OIL PRA, Honeywell PAR, Oracle JDE Manufacturing Accounting
47. #RSAC
Vulnerabilities in SAP and Oracle
47
Only one vulnerability would suffice to jeopardize ALL business-critical data
48. #RSAC
Misconfigurations in SAP
48
~1500 General profile parameters
~1200 Web applications to configure
~700 web services to secure
~100 specific management commands to filter
~100 specific parameters for each of the 50 modules (FI, HR, Portal, MM,
CRM, SRM, PLM, Industry solutions…)
http://erpscan.com/wp-content/uploads/publications/EASSEC-PVAG-
ABAP.pdf
49. #RSAC
Custom code issues in SAP, Oracle and MS
49
SAP’s - ABAP, XSJS, JAVA, JavaScript UI5
Oracle’s - PeopleCode, PL/SQL
Microsoft’s - X++
http://erpscan.com/wp-content/uploads/publications/3000-SAP-notes-Analysis-by-ERPScan.pdf
50. #RSAC
Unnecessary privileges in ERP
50
Critical privileges and SoD issues
For example: Create vendor + Approve payment order
200-500 Rules for typical application
500k conflicts in typical company after first audit
More on ERP Security:
https://erpscan.com/research/white-papers/
54. #RSAC
From IT to OT. How they connected
54
Historian Process Integration (OT to OT/ OT to IT)
OSISoft PI, Aspen Info Plus 21, Honeywell PHD, Rolta Oneview
Enterprise Service Bus (IT to IT/ IT to OT)
SAP PI
IBM Websphere ESB
Microsoft BizTalk
Oracle ESB
Other (IT to OT/ OT to IT)
SAP xMII
56. #RSAC
SAP SAP xMII overview
56
Connects manufacturing with enterprise business processes, provides
information to improve production performance
On top of SAP Netweaver J2EE (with its vulnerabilities)
Located on the corporate network
Has some vulnerabilities
57. #RSAC
Attack Surface (SAP xMII Security):
57
Database links to xMII from systems such as LIMS
SAP J2EE Platform vulnerabilities (core of xMII)
SAP xMII vulnerabilities
SAP RFC links from ERP to xMII
Shared SSH keys
Similar passwords
Others
59. #RSAC
SAP PCo overview
59
Bridge between the industrial world and SAP Manufacturing modules
.NET application for Windows
Usual pipeline Source→ Processing → Destination
Source:
OPC server (MatrikonOPC, KEPServerEX) or DCS
Destination:
SAP HANA, SAP XI, SAP xMII, LIMS, DB…
Agent: Windows service that does the polling
60. #RSAC
Hacking SAP Plant Connectivity
60
Connections with IT systems (MES, LIMS, PI, Custom)
Domain credentials (if improperly secured)
SAP xMII connections (password decryption)
SAP PCo vulnerabilities
SAP PCo extensions
Similar passwords
61. #RSAC
SAP Pco/SAP xMII Attacks
61
Traffic modification: attacks based on the fact that the MII-PCo
connection is not authenticated by default:
Fake Pco (Fraud)
Kill the actual PCo and show that everything is OK in MII
MITM + selective modification
Steal your oil, but tank level doesn't change
Protocol attack (Sabotage)
XML Protocol parsing on the PCo side
Vulnerabilities found (Kill agent + mem leak) (SAP Note 2238619)
62. #RSAC
62
Now they are inside your OT network
and can do whatever they want.
there is no Air Gap!
63. #RSAC
Post-exploitation: Access to DCS/OPC/SCADA
63
SAP Plant Connectivity interacts with DCS/OPC/PLC
On the same workstation
Required when configuring some DCS/SCADA systems
On the same network
Example: OPC vulnerabilities
KEPServerEX Resource exhaustion https://ics-cert.us-cert.gov/advisories/ICSA-15-055-02
KEPServerEX Input Validation https://ics-cert.us-cert.gov/advisories/ICSA-13-226-01
MatrikonOPC Gateway DoS https://ics-cert.us-cert.gov/advisories/ICSA-13-106-01
MatricanOPC DoS (0-day)
65. #RSAC
Oil and Gas attack vectors
65
Oil market fraud attack:
Imagine what would happen if a cyber criminal uploads a malware that dynamically
changes oil stock figures for all Oil and Gas companies where SAP is implemented.
Attackers will be able to deliberately understate data about Oil in stocks.
Plant equipment sabotage attack
Hackers can spoof a report about equipment status in a remote facility. Companies will
spend a lot of time and money to investigate the incident
Plant Destruction attack
With access to BMS systems, via SAP Pco and SAP xMII hackers can perform physical
attacks.
67. #RSAC
Apply
Step 1 Next Month
Protect your ERPs and other business applications (Automatic: Scanning and
Monitoring tools)
Step 2 Next Quarter
Review all connections (Semi-Automatic/Manual)
Step 3 This Year
Secure connections where possible (Manual)
68. #RSAC
How to apply ERP Security
68
Business security (SoD)
Prevents attacks or mistakes made by insiders
Code security
Prevents attacks or mistakes made by developers
Application platform security
Prevents unauthorized access both within corporate network
and from remote attackers