Cybersecurity Presentation at WVONGA spring meeting 2018
1. Presentation to WVONGA
Cybersecurity Vulnerabilities and Process Frameworks for Oil and Gas
Jack L. Shaffer, Jr.
Business Transformation Director
vCIO / vCISO
2. 2017 Cybersecurity in the news
Ransomware: WannaCry, NotPetya, and Bad Rabbit.
Verizon – security lapse exposes 14 million customers' data
Uber – 57 million customers' data exposed
Equifax – 145 million Americans impacted
Yahoo breach expands to 3 billion users
3. Energy industry under attack
Cyberattack Shows Vulnerability of Gas Pipeline Network – 4/4/2018 – New York Times
Compromise and service interruption of Latitude Technologies' Nomination / EDI system
Hackers halt plant operations in watershed cyber attack – 12/14/2017 – Reuters
Hackers likely working for a nation-state recently invaded the Triconex safety system, which is widely used in the energy industry, including nuclear and oil and gas plants.
4. What makes the Oil and Gas Industry vulnerable to cyber attacks?
Lack of Awareness and Training
Employees who lack training are more likely to make errors that leave systems open to attack. This is especially true for field personnel as the Internet of Things (IoT) proliferates.
Remote Work
Although this technology keeps people away from harmful locations and tasks, the trade-off is a larger cybersecurity attack surface: it can let an attacker gain access and perform the same tasks an employee can, without detection.
Using IT Products with Known Weaknesses
Opting to use IT products with known weaknesses because of economics, or because of vendor inattentiveness to patching or updating systems. Old systems are more vulnerable because their vulnerabilities have become more widely known.
Cybersecurity Culture Is Limited
Even in a very technological culture, cybersecurity remains a niche sector, and in field operations even more so.
5. What makes the Oil and Gas Industry vulnerable to cyber attacks?
Data Network Separation Is Insufficient
Insufficient separation of data networks provides more avenues for cybersecurity attacks, e.g. SCADA or EM systems on the same computer network as accounting systems.
Lack of Complete Asset Inventory
Not knowing what your assets are (technology platforms, software versions, etc.) is an opening for attackers. You can't protect what you don't know about.
Software Weaknesses
When choosing software to aid with cybersecurity, the oil and gas industry should be wary of the lowest bidder. Not all software is the same when it comes to security.
Outdated and Aging Control Systems
Cybersecurity threats constantly evolve, with hackers working to exploit systems old and new. Whereas new systems at least have recent threats in mind during their development, outdated systems may not be equipped to handle newer issues. Technology continues to develop at a rapid pace, and hackers are adapting. The oil and gas industry needs to adapt as well, which requires frequent updates of its control system software and infrastructure (i.e. patches/updates).
7. Natural Gas Standards / Frameworks
ISO 9000
ISO 9000 is a set of international standards on quality management and quality assurance developed to help companies effectively document the quality system elements to be implemented to maintain an efficient quality system. They are not specific to any one industry and can be applied to organizations of any size. ISO 9000 can help a company satisfy its customers, meet regulatory requirements, and achieve continual improvement. However, it should be considered a first step, the base level of a quality system, not a complete guarantee of quality.
ISO 14001
ISO 14001 is the international standard that specifies requirements for an effective environmental management system (EMS). It provides a framework that an organization can follow, rather than establishing environmental performance requirements. Part of the ISO 14000 family of standards on environmental management, ISO 14001 is a voluntary standard that organizations can certify to. Integrating it with other management systems standards, most commonly ISO 9001, can further assist in accomplishing organizational goals.
8. Cybersecurity also has frameworks
ISO/IEC 27000 Family (27001/27002)
The ISO/IEC 27000 family of standards helps organizations keep information assets secure. Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
https://www.iso.org/isoiec-27001-information-security.html
Center for Internet Security (CIS) Critical Security Controls
CIS Controls Version 7 – https://www.cisecurity.org/controls/
National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Security
Framework for Improving Critical Infrastructure Cybersecurity Ver 1.1 Draft 2 – Dec. 2017 – https://www.nist.gov/cyberframework
Payment Card Industry (PCI)
PCI Data Security Standard (DSS) – Ver 3.2 – Apr. 2016 – https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
Energy industry developed:
Cyber security in the oil and gas industry based on IEC 62443
DNVGL-RP-G108 – https://www.dnvgl.com/oilgas/download/dnvgl-rp-g108-cyber-security-in-the-oil-and-gas-industry-based-on-IEC-62443.html
9. Information Security is a PROCESS, not just a firewall!
Annual Risk Assessment
Security Awareness Training
Policies and Procedures
Threat Management
Security Event Monitoring
Change and Configuration Management
Access Control
10. Action Items
Work with your IT department during all phases of a project, not just implementation.
The reality is that most devices have internet connectivity today (Internet of Things, IoT).
Train your field personnel on cybersecurity awareness.
Conduct a true security risk assessment.
Implement a security information and event management (SIEM) system to monitor all network activity.
Asset inventory with technical details.
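The three checks that slides 5 and 10 keep returning to (know your assets and their software versions, keep SCADA traffic separated from the corporate network, and watch the network from a SIEM) are small enough to show in one script. The example below is added here and is not part of the presentation or any vendor product; the zone subnets, host names, software names, version baseline and the key=value flow-log format are all constructed for illustration. It reconciles an asset inventory against observed flows, flagging hosts that talk on the network but are missing from the inventory, flows that cross the SCADA boundary, and inventory entries running software below the patch baseline.

```python
"""Added example (not from the WVONGA presentation): reconcile an asset
inventory against network flow records, the way a SIEM correlation rule or
a nightly script might, to surface the gaps the slides describe."""
import ipaddress
import re
from dataclasses import dataclass

# Network zones. Constructed example addressing, not from the presentation.
ZONES = {
    "scada": ipaddress.ip_network("10.10.0.0/16"),
    "corporate": ipaddress.ip_network("10.20.0.0/16"),
}

# Minimum acceptable software versions (constructed patch baseline).
BASELINE = {"hmi-suite": (4, 2, 0), "erp": (12, 0, 0), "openssh": (7, 4)}


@dataclass(frozen=True)
class Asset:
    ip: str
    name: str
    software: str
    version: str


# Constructed asset inventory "with technical details" (slide 10).
INVENTORY = [
    Asset("10.10.1.5", "rtu-pad7", "hmi-suite", "4.1.3"),
    Asset("10.10.1.9", "hist-01", "openssh", "7.6"),
    Asset("10.20.0.8", "acct-db", "erp", "12.1.0"),
]

# Constructed flow records in key=value form, as a SIEM might ingest them.
FLOW_LOG = """\
2018-04-04T10:15:02 src=10.10.1.5 dst=10.10.1.9 dport=502 proto=tcp
2018-04-04T10:15:07 src=10.20.0.8 dst=10.10.1.5 dport=502 proto=tcp
2018-04-04T10:16:11 src=10.10.1.42 dst=10.10.1.9 dport=22 proto=tcp
2018-04-04T10:16:30 src=10.20.0.8 dst=203.0.113.10 dport=443 proto=tcp
"""

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def parse_flows(text):
    """Return (src, dst, dport) tuples; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.append((m.group(1), m.group(2), int(m.group(3))))
    return flows


def zone_of(ip):
    """Map an address to its zone name, or 'external' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def version_tuple(v):
    return tuple(int(part) for part in v.split("."))


def unknown_hosts(flows, inventory):
    """Internal addresses seen in traffic but absent from the inventory."""
    known = {a.ip for a in inventory}
    seen = {ip for src, dst, _ in flows for ip in (src, dst)}
    return sorted(ip for ip in seen
                  if zone_of(ip) != "external" and ip not in known)


def scada_boundary_flows(flows):
    """Flows with exactly one endpoint in the SCADA zone: the traffic that
    insufficient network separation allows (e.g. accounting host -> RTU)."""
    return [(s, d, p) for s, d, p in flows
            if (zone_of(s) == "scada") != (zone_of(d) == "scada")]


def outdated_assets(inventory, baseline):
    """Inventory entries running software older than the patch baseline."""
    return [a for a in inventory
            if a.software in baseline
            and version_tuple(a.version) < baseline[a.software]]


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("hosts not in inventory:", unknown_hosts(flows, INVENTORY))
    print("flows crossing SCADA boundary:", scada_boundary_flows(flows))
    print("below patch baseline:",
          [a.name for a in outdated_assets(INVENTORY, BASELINE)])
```

On the constructed data this reports 10.10.1.42 as a host talking SSH to the historian that nobody inventoried, the accounting database opening Modbus (port 502) to an RTU across the zone boundary, and the HMI on rtu-pad7 running below the 4.2.0 baseline; each of these is a finding a risk assessment or SIEM rule would raise, and none of them is visible without both an inventory and network monitoring.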
11. Action Items
Push current vendors to acquire, and evaluate new vendors that have, security-related cybersecurity certifications and frameworks, like NIST.
Work with your IT department to implement and merge ISO / NIST standards for field operations and cybersecurity.
This provides a complete best-practice set of frameworks.