Contact john@ifluids.com (or) info@ifluids.com
Contact john@ifluids.com (or) info@ifluids.com , www.ifluids.com
Digital danger zone: Tackling cyber security
Old Repost from 2012 Arabian oil and gas
The protection of critical national infrastructure has long been a serious concern to
governments in this region, but an all-encompassing approach means achieving this is no
longer limited to physical security. The widespread use of interconnected networks and
control systems in the national oil, gas, power, water and electricity sectors means there is now a
very real and growing need to enhance cyber security, highlighted by an ever-increasing
number of international attacks.
Indeed, as a region responsible for much of the world’s energy, GCC countries are placing
cyber defence as one of their priority areas for development. Saudi Arabia has plans to spend
$3.3Bn on oil and gas infrastructure security and Qatar, Oman, Kuwait and the UAE are set
to follow suit over the coming years.
“The cyber security threat to energy installations is surprisingly widespread, running across
utilities and distribution networks to generation, refining, and even drilling and exploration.
Most security professionals now say that if you think you have not had your security
breached then you just haven’t detected it,” says Professor Paul Dorey, director at CSO
Confidential.
“Wherever there is digital technology there is the potential of cyber threat. What can change
between industry sectors is the nature of the motivation of attack. Basic utilities have less
information of commercial value to steal than do exploration companies bidding for assets,
however both have the potential to create widespread disruption if their operations are
stopped or disrupted by attack on critical cyber systems such as Industrial control,” Dorey
adds.
Governments and large corporations all over the world should be wary of a growing cyber
menace in 2012 in particular, according to experts at Kaspersky Lab. Not only will there be a
dramatic increase in the number of targeted attacks on state institutions and large companies,
it is also likely that a wider range of organizations will bear the brunt of the expected
onslaught.
“At the moment, the majority of incidents affect companies and state organizations involved
in arms manufacturing, financial operations, or hi-tech and scientific research activities. In
2012 companies in the natural resource extraction, energy and transport industries will be
affected, as well as information security companies,” warns Alexander Gostev, head of the
global research and analysis team at Kaspersky Lab. Attacks will range over more of the
world than ever before, spreading beyond Western Europe and the US and affecting Eastern
Europe, the Middle East and South-East Asia.
It has been reported that there was more than a 40% increase across the Middle East in
computers infected by malware in 2011. The threat of such viruses was highlighted by the
discovery in 2010 of the most sophisticated cyber attack to date, Stuxnet. It was a vicious
computer worm with highly specialised malware coded to target specific Supervisory Control
and Data Acquisition (SCADA) systems and disrupt their operational activities but without
the operators being aware of such changes.
“SCADA networks are widely used in all industrial sectors and provide essential services and
commodities in a very efficient manner,” explains Dr Nick Coles, founder and organiser of
the International Forum to discuss the cyber security of energy and utilities sectors in the
Middle East.
“However, they were originally designed to maximize functionality with little attention paid
to security. Consequently performance, reliability and safety of these highly complex and
interconnected systems are invariably robust, but the security is weak, making them
vulnerable to disruption of service, process redirection or manipulation of operational data
that could result in public safety concerns and even loss of life,” adds Coles.
The management need for information and remote control in the modern energy business has
led to the adoption of common network protocols and the connection of many of these
SCADA and Industrial Control Systems (ICS) to the corporate network.
While these changes have resulted in business benefits they also have meant that control
system security is even more prone to the same cyber threats faced by corporate networks.
The Stuxnet worm demonstrated that it can cause real damage to public safety, the economy
and the environment. On the other hand, Stuxnet drew attention to the enhanced cyber
security needs for ICS systems.
As a result of this Stuxnet attack, which had a profound influence on cyber security, countries
have published national cyber strategies and programmes in order to regulate and clarify their
security risks and threats. An example of intergovernmental cooperation is the recent US-EU
joint cyber security exercise to defend against potential attacks.
The cyber threats are by no means limited to the Stuxnet concern. The Night Dragon virus
drew attention to the ability of such viruses to steal highly sensitive competitive information
from oil and gas companies especially, and such viruses are now being superseded by a new type of
digital infection, the Advanced Persistent Threat (APT). These viruses can upload and propagate
themselves into IT/ICS systems without any immediately noticeable effect and can collect
intelligence data over a long period of time without detection.
The Night Dragon attacks work by methodical and progressive intrusions into the targeted
infrastructure. Using several locations in China, Night Dragon attackers leveraged command
and control servers on purchased hosted services in the United States and compromised
servers in the Netherlands to wage attacks against global oil, gas, and petrochemical
companies, as well as individuals and executives in Kazakhstan, Taiwan, Greece, and the
United States to acquire proprietary and highly confidential information.
The primary operational technique used by the attackers comprised a variety of hacker tools,
including privately developed and customized RAT tools that provided complete remote
administration capabilities to the attacker. RATs provide functions similar to Citrix or
Microsoft Windows Terminal Services, allowing a remote individual to completely control
the affected system.
Most recently another new virus, Duqu, has appeared in the Middle East and potentially
differs from its predecessors in that it gathers intelligence data such as design documents and
assets from ICS systems for example in order to plan for a future cyber attack.
If Stuxnet was a wakeup call for industry, then Duqu is further evidence of the severity of
attacks. So it can be seen there is an exponential increase in cyber attacks from increasingly
sophisticated malware and what is needed to combat such threats are robust yet simple to
implement cyber security technology, sustained, consistent and updated education in this
area, enhanced public-private partnerships and well thought out cyber security standards that
industry can easily follow in order to truly protect industry plants and assets.
The Aggressors
The scope of motivation potentially behind a cyber-attack on a nation’s energy infrastructure
is a broad remit. “At the forefront of popular consciousness are of course other nation states,
criminals, terrorists, hackers and even disgruntled employees,” explains Justin Lowe, a smart
energy expert at PA Consulting Group. “This makes cyber attacks difficult to defend against
because the attacker could be located anywhere in the world, and could even be internal to
the impacted organisation,” he adds.
Despite the huge variety in aggressor origins, Eric Byres, CTO and VP Engineering of Tofino
Security Product Group, Belden Inc. and the world’s foremost authority on ICS security says
that often the real dangers are overlooked. “People tend to focus on terrorists and hackers, but
currently criminal groups are a more likely aggressor. There are lots of financial motivations.
Impacting the production of a competitor, short selling the shares of a company undergoing a
production, environmental or safety incident or extorting money under the threat of a
disruption are all potentially profitable activities for a criminal group.”
These same motivations could also be attractive to nation-states or political groups. However,
unlike terrorist or state-sponsored sabotage, which still tends to be accompanied by violence
and a tendency for the spectacular, Dorey notes that unless attackers admit to perpetrating an
attack, victims are left with complicated, difficult forensic tracing, which could lead to an
involuntary accomplice (like someone’s computer owned by a botnet) as much as to the real
perpetrator.
“However, good intelligence work does tell us that the attackers do tend to fall into 3 groups
categorized by motives and capability: State Actors – concerned with economic espionage,
possibly also carrying out intelligence into the possibility of disrupting critical national
infrastructure. Secondly, organised crime, which is typically looking for opportunity for fraud
or information theft. And finally, Hacktivists, individuals or organisations often protesting
against the political, economic, social or environmental activities of companies of
governments. This includes both highly connected and capable attackers but also a whole raft
of technically unsophisticated and inexperienced attackers,” says Dorey.
Vulnerabilities
As touched on above, the vast majority of control systems were not built with security in
mind. The introduction and proliferation of standardised IT systems and IT networks in
industrial control systems has brought the possibility of cyber attacks deeper into focus.
The criticality to Middle Eastern nation states, and their customers, of a reliable,
uninterrupted and predictable oil supply has never been sharper. Given the growth of
upstream asset management and production expectations, rolling out intelligent systems
which can deliver this is increasingly important, yet it requires technology which many see
as the core vulnerability to cyber attack.
“This is taking place in the context of a time when many existing oil and gas reserves are
going into or are already in decline and new reserves are more difficult to find, develop or
produce. These changes result in a more complex, integrated energy infrastructure with a
greater reliance on information technology, operations technology, and communications,”
explains Lowe. As a result, this evolving energy infrastructure is more vulnerable to cyber
security issues.
The need to improve efficiency and increase production from oil and gas assets is driving wider
adoption of digital oilfield (DOF) implementation, which is gaining value. With these changes comes the extra
threat of cyber attack and it is imperative to understand what E&P data exists, where it needs
to flow and where the security risks are in order to keep DOF implementation secure.
“To coincide with this need for more integrated I, there has been a dramatic increase in cyber
security risks. There are now well publicized security incidents affecting oil, gas, electricity
and water companies and infrastructures. The sophistication of these attacks has increased
over the last few years and it is now time for all energy companies to identify and evaluate
the risks they and how they address them,” he adds.
The vulnerabilities in the oil and gas business are very real, adds Byres. “There are real
weaknesses. The systems deployed in the energy sectors were never designed to be secure –
they were designed to be safe, reliable and productive. Unfortunately the hackers have
discovered this in the past year and the list of known product vulnerabilities has exploded,”
he warns.
Of course, failures in computer systems can and do happen by accident, but these should be
managed separately to a cyber security strategy, stresses Dorey.
“A security incident comes from deliberate malicious intent and needs defence and detection
mechanisms that look to outthink a deliberate adversary - this is not the case with mistakes
and is why safety risk management does not automatically extend to security concerns.
“Some security attacks (like propagating viruses) spread to and impact systems that the
attacker did not intend to attack, and many industrial control systems have suffered from this
type of ‘collateral damage’ rather than being deliberately targeted. Accidental or not, it is still
key that ICS systems are defended against unintentional spread,” he adds.
Right approach
Despite the myriad threats, experts largely agree on the approach necessary to avoid a
catastrophe, be it commercial, environmental or otherwise.
“The very first place to start is to do a risk analysis to determine exactly what is the “worst-
case scenario” for a specific plan or company,” says Byres. “Then companies need to develop
mitigation strategies to make sure those scenarios never occur. For example, in the oil and
gas industry, the Safety Integrated System (SIS) is the last line of defense against a major
process disaster. Unfortunately these systems are often only loosely secured, if at all, so
protecting these needs to be a priority.”
In industrial control systems the main weaknesses that are exploited are the connections with
other business, industrial or engineering systems, and even the internet. In many cases these
systems were not originally designed with cyber security in mind, so weaknesses around
access control and communications resilience can be straightforward to find and exploit. This
is further exacerbated by the fact that updating or patching these systems to address known
weaknesses can be logistically challenging in production environments.
“It is also important to understand that even where systems are isolated there are still risks –
attacks can still be performed by individuals or by intentionally planting or accidentally
transferring malicious code into these systems,” says Lowe.
“A common security approach is to secure the connection between systems but often the
systems themselves remain vulnerable behind these secure connections. The vulnerability of
the core systems is the real issue as it is very difficult to manage the ongoing security of these
systems,” he adds.
A key area to focus on is new projects where new systems and technologies are being
deployed. It is essential that cyber security risks are identified and addressed as part of these
projects as bolting on security later is costly and less effective than getting it right from the
start.
Throughout the local upstream industry there is an understanding of the risks, and of the need
for a coordinated security strategy; however, the cross-over responsibilities between project
engineers and senior managers can lead to confusion over where best to start.
Dorey says the biggest management challenge in industrial control systems is the gulf
between security expertise – usually held within the IT function – and deep engineering and
industrial control knowledge, held by the plant engineers and technology team.
“Some IT security solutions work well in the ICS environment and others are disastrous.
Getting teams cross-trained and skilled with hybrid security and ICS knowledge must be a
priority. Security vendors also need to significantly improve their understanding and build
industrial strength security solutions, a few key suppliers understand the requirements but
most just offer standard IT solutions which could even create rather than solve security
problems,” he warns.
Safeguards
The security challenges are significant, and there is no silver bullet solution to cyber security
either in the corporate environment or industrial operational environment.
“New technology solutions are being developed all the time – many of which are very useful
in securing systems. However, many organizations naturally focus on technology as the main
method of dealing with security risk. However, the best safeguard is understanding the risk
and establishing a security culture within the organization to address the risks. Ultimately,
organisations rely on people, process and technology to be secure,” explains Lowe.
“One of the most effective safeguards an organization can invest in is being prepared to
detect and respond to a security incident. This can be as simple as developing some pragmatic
procedures and can be more valuable than spending significant funds on the latest security
technology solution,” he adds.
The upstream industry may have some advantages over other process-reliant industries such
as the utilities and telecoms sectors, says Byres. “Compared to the other industries, oil and
gas companies and operators are probably more likely to embrace the necessary cyber
security steps once they are aware of the risks they are facing, because most of them actually
have a solid risk management culture. They can quantify what bad security could cost them
and then make the decision to do something. In contrast, the power industry and
manufacturing industry tends to be lost when it comes to moving to address the risk until they
have a problem or are legislated to do something.”
Wireless Concerns
Additionally, the step to wireless, which has always raised security related questions from the
industry, may actually be helping migrate upstream firms into safer territory. “Frankly most of
the wireless deployments I see are better than the wired ones in terms of security. People see
the word “wireless” and they immediately ask themselves: What do I need to do about
security? With wired systems, security never crosses their mind,” Byres states.
Whilst wireless networking can introduce potential security risks to networks and facilities,
many secure wireless solutions have been developed. It is, however, easy to implement
wireless solutions in an insecure way that can introduce security weaknesses.
“Companies implementing wireless solutions in the industrial environment should only do so
having been informed by a thorough risk assessment and should design the wireless solution
to address the identified risks,” explains Lowe. “These should be reviewed on a regular basis
and action taken as required to maintain security levels against an evolving threat and risk
landscape.”
Outlook
Many local energy companies are only just beginning to recognise the cyber security risks.
However, that recognition has kick-started an appetite to address, explore and counter future
threats. The upcoming Abu Dhabi International Forum to discuss the cyber security of energy
and utilities sectors in the Middle East is proof that the threat is being taken seriously by
energy and utility players throughout the region.
Participation from leading cyber security luminaries, and their local upstream energy
and utility counterparts, means local business leaders are embracing the need for rapid but
planned adoption of a cyber security framework.
The Middle Eastern energy industry could not be more vital to meeting the Gulf’s aspirations,
as well as the stability and general wellbeing of the global economic system. The threat is
being tackled, but the oil and gas industry, and its utilities counterparts cannot pause for
deliberation. Action to match good intentions is now as critical as the challenge.
Article Source: http://www.arabianoilandgas.com/article-9868-digital-danger-zone-tackling-cyber-security/1/
Cyber Security Services Provided by iFluids Engineering < To know more send email to
john@ifluids.com>
•IT Security Awareness
•ISO 27001 Introduction & ISMS Primer
•Essentials of ICS Engineering
•Essentials of SIS and Safety Life Cycle
•ICS Security and Network Management
•Identity and Access Management

Digital danger zone tackling cyber security

  • 1.
    Contact john@ifluids.com (or)info@ifluids.com Contact john@ifluids.com (or) info@ifluids.com , www.ifluids.com Digital danger zone: Tackling cyber security Old Repost from 2012 Arabian oil and gas The protection of critical national infrastructure has long been a serious concern to governments in this region, but an all-encompassing approach means achieving this is no longer limited to physical security. The widespread use of interconnected networks and control systems in national oil, gas, power, water and electricity sectors, means there is now a very real and growing need to enhance cyber security, highlighted by an ever increasing number of international attacks. Indeed, as a region responsible for much of the world’s energy, GCC countries are placing cyber defence as one of their priority areas for development. Saudi Arabia has plans to spend $3.3Bn on oil and gas infrastructure security and Qatar, Oman, Kuwait and the UAE are set to follow suit over the coming years. “The cyber security threat to energy installations is surprisingly widespread, running across utilities and distribution networks to generation, refining, and even drilling and exploration. Most security professionals now say that if you think you have not had your security breached then you just haven’t detected it,” says Professor Paul Dorey, director at CSO Confidential. “Wherever there is digital technology there is the potential of cyber threat. What can change between industry sectors is the nature of the motivation of attack. Basic utilities have less information of commercial value to steal than do exploration companies bidding for assets, however both have the potential to create widespread disruption if their operations are stopped or disrupted by attack on critical cyber systems such as Industrial control,” Dorey adds.
  • 2.
    Contact john@ifluids.com (or)info@ifluids.com Contact john@ifluids.com (or) info@ifluids.com , www.ifluids.com Governments and large corporations all over the world should be wary of a growing cyber menace in 2012 in particular, according to experts at Kaspersky Lab. Not only will there be a dramatic increase in the number of targeted attacks on state institutions and large companies, it is also likely that a wider range of organizations will bear the brunt of the expected onslaught. “At the moment, the majority of incidents affect companies and state organizations involved in arms manufacturing, financial operations, or hi-tech and scientific research activities. In 2012 companies in the natural resource extraction, energy and transport industries will be affected, as well as information security companies,” warns Alexander Gostev, headed of the global research and analysis team at Kaspersky Lab. Attacks will range over more of the world than ever before, spreading beyond Western Europe and the US and affecting Eastern Europe, the Middle East and South-East Asia. It has been reported that there was more than a 40% increase across the Middle East in computers infected by malware in 2011. The threat of such viruses was highlighted by the discovery in 2010 of the most sophisticated cyber attack to date, Stuxnet. It was a vicious computer worm with highly specialised malware coded to target specific Supervisory Control and Data Acquisition (SCADA) systems and disrupt their operational activities but without the operators being aware of such changes. “SCADA networks are widely used in all industrial sectors and provide essential services and commodities in a very efficient manner,” explains Dr Nick Coles, founder and organiser of the International Forum to discuss the cyber security of energy and utilities sectors in the Middle East. “However, they were originally designed to maximize functionality with little attention paid to security. 
Consequently performance, reliability and safety of these highly complex and interconnected systems are invariably robust, but the security is weak, making them vulnerable to disruption of service, process redirection or manipulation of operational data that could result in public safety concerns and even loss of life,” adds Coles. The management need for information and remote control in the modern energy business has led to the adoption of common network protocols and the connection of many of these SCADA and Industrial Control Systems (ICS) to the corporate network. While these changes have resulted in business benefits they also have meant that control system security is even more prone to the same cyber threats faced by corporate networks. The Stuxnet worm demonstrated that it can cause real damage to public safety, the economy and the environment. On the other hand, Stuxnet drew attention to the enhanced cyber security needs for ICS systems. As a result of this Stuxnet attack, which had a profound influence on cyber security, countries have published national cyber strategies and programmes in order to regulate and clarify their
  • 3.
    Contact john@ifluids.com (or)info@ifluids.com Contact john@ifluids.com (or) info@ifluids.com , www.ifluids.com security risks and threats. An example of intergovernmental cooperation is the recent US-EU joint cyber security exercise to defend against potential attacks. The cyber threats are by no means limited to the Stuxnet concern. The Night Dragon virus drew attention to the ability of such viruses to steal highly sensitive competitive information from oil and gas companies especially, and are now being superseded by a new type of digital infection, the Advanced Persistent Threat (APT). These viruses can upload and propagate themselves into IT/ICS systems without any immediate noticeable affect and can collect intelligence data over a long period of time without detection. The Night Dragon attacks work by methodical and progressive intrusions into the targeted infrastructure. Using several locations in China, Night Dragon attackers leveraged command and control servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage attacks against global oil, gas, and petrochemical companies, as well as individuals and executives in Kazakhstan, Taiwan, Greece, and the United States to acquire proprietary and highly confidential information. The primary operational technique used by the attackers comprised a variety of hacker tools, including privately developed and customized RAT tools that provided complete remote administration capabilities to the attacker. RATs provide functions similar to Citrix or Microsoft Windows Terminal Services, allowing a remote individual to completely control the affected system. Most recently another new virus, Duqu, has appeared in the Middle East and potentially differs from its predecessors in that it gathers intelligence data such as design documents and assets from ICS systems for example in order to plan for a future cyber attack. 
If Stuxnet was a wakeup call for industry, then Duqu is further evidence of the severity of attacks. So it can be seen there is an exponential increase in cyber attacks from increasingly sophisticated malware and what is needed to combat such threats are robust yet simple to implement cyber security technology, sustained, consistent and updated education in this area, enhanced public-private partnerships and well thought out cyber security standards that industry can easily follow in order to truly protect industry plants and assets. The Aggressors The scope of motivation potentially behind a cyber-attack on a nation’s energy infrastructure is a broad remit. “At the forefront of popular consciousness are of course other nation states, criminals, terrorists, hackers and even disgruntled employees,” explains Justin Lowe, a smart energy expert at PA Consulting Group. “This makes cyber attacks difficult to defend against because the attacker could be located anywhere in the world, and could even be internal to the impacted organisation,” he adds. Despite the huge variety in aggressor origins, Eric Byres, CTO and VP Engineering of Tofino Security Product Group, Belden Inc. and the world’s foremost authority on ICS security says that often the real dangers are overlooked. “People tend to focus on terrorists and hackers, but
  • 4.
    Contact john@ifluids.com (or)info@ifluids.com Contact john@ifluids.com (or) info@ifluids.com , www.ifluids.com currently criminal groups are a more likely aggressor. There are lots of financial motivations. Impacting the production of a competitor, short selling the shares of a company undergoing a production, environmental or safety incident or extorting money under the threat of a disruption are all potentially profitable activities for a criminal group.” These same motivations could also be attractive to nation-states or political groups. However, unlike terrorist or state-sponsored sabotage, which still tends to be accompanied by violence and a tendency for the spectacular, Dorey notes that unless attackers admit to perpetrating an attack victims are left with complicated difficult forensic tracing which could lead to an involuntary accomplice (like someone’s computer owned by a botnet) as much as the real perpetrator. “However, good intelligence work does tell us that the attackers do tend to fall into 3 groups categorized by motives and capability: State Actors – concerned with economic espionage, possibly also carrying out intelligence into the possibility of disrupting critical national infrastructure. Secondly, organised crime, which is typically looking for opportunity for fraud or information theft. And finally, Hactivists, individuals or organisations often protesting against the political, economic, social or environmental activities of companies of governments. This includes both highly connected and capable attackers but also a whole raft of technically unsophisticated and inexperienced attackers,” says Dorey. Vulnerabilities As touched on above, the vast majority of control systems were not built with security in mind. The introduction and proliferation of standardised IT systems and IT networks in industrial control systems has brought the possibility of cyber attacks deeper into focus. 
The criticality to Middle Eastern nation states, and their customers for a reliable and uninterrupted, predictable oil supply has never been sharper. Looking at the growth of upstream asset management and production expectations, the importance of rolling out intelligent systems which can deliver this requires technology which many see as the core vulnerability to cyber attack. “This is taking place in the context of a time when many existing oil and gas reserves are going into or are already in decline and new reserves are more difficult to find, develop or produce. These changes result in a more complex, integrated energy infrastructure with a greater reliance on information technology, operations technology, and communications,” explains Lowe. As a result, this evolving energy infrastructure is more vulnerable to cyber security issues. Improve efficiency and increase production from oil and gas assets is driving adoption of wider digital oilfield implementation is gaining value . With these changes comes the extra threat of cyber attack and it is imperative to understand what E&P data exists, where it needs to flow and where the security risks are in order to keep DOF implementation secure.
“To coincide with this need for more integrated I, there has been a dramatic increase in cyber security risks. There are now well publicized security incidents affecting oil, gas, electricity and water companies and infrastructures. The sophistication of these attacks has increased over the last few years and it is now time for all energy companies to identify and evaluate the risks they and how they address them,” he adds.

The vulnerabilities in the oil and gas business are very real, adds Byres. “There are real weaknesses. The systems deployed in the energy sectors were never designed to be secure – they were designed to be safe, reliable and productive. Unfortunately the hackers have discovered this in the past year and the list of known product vulnerabilities has exploded,” he warns.

Of course, failures in computer systems can and do happen by accident, but these should be managed separately to a cyber security strategy, stresses Dorey. “A security incident comes from deliberate malicious intent and needs defence and detection mechanisms that look to outthink a deliberate adversary - this is not the case with mistakes and is why safety risk management does not automatically extend to security concerns.

“Some security attacks (like propagating viruses) spread to and impact systems that the attacker did not intend to attack, and many industrial control systems have suffered from this type of ‘collateral damage’ rather than being deliberately targeted. Accidental or not, it is still key that ICS systems are defended against unintentional spread,” he adds.

Right approach

Despite the myriad threats, experts largely agree on the approach necessary to avoid a catastrophe, be it commercial, environmental or otherwise.
“The very first place to start is to do a risk analysis to determine exactly what is the “worst-case scenario” for a specific plan or company,” says Byres.

“Then companies need to develop mitigation strategies to make sure those scenarios never occur. For example, in the oil and gas industry, the Safety Integrated System (SIS) is the last line of defense against a major process disaster. Unfortunately these systems are often only loosely secured, if at all, so protecting these needs to be a priority.

In industrial control systems the main weaknesses that are exploited are the connections with other business, industrial or engineering systems, and even the internet. In many cases these systems were not originally designed with cyber security in mind, so weaknesses around access control and communications resilience can be straightforward to find and exploit. This is further exacerbated by the fact that updating or patching these systems to address known weaknesses can be logistically challenging in production environments.

“It is also important to understand that even where systems are isolated there are still risks – attacks can still be performed by individuals or by intentionally planting or accidentally transferring malicious code into these systems,” says Lowe.
“A common security approach is to secure the connection between systems but often the systems themselves remain vulnerable behind these secure connections. The vulnerability of the core systems is the real issue as it is very difficult to manage the ongoing security of these systems,” he adds.

A key area to focus on is new projects where new systems and technologies are being deployed. It is essential that cyber security risks are identified and addressed as part of these projects, as bolting on security later is costly and less effective than getting it right from the start.

Throughout the local upstream industry there is an understanding of the risks, and the need for a coordinated security strategy; however, the cross-over responsibilities between project engineers and senior managers can lead to confusion over where best to start.

Dorey says the biggest management challenge in industrial control systems is the gulf between security expertise – usually held within the IT function – and deep engineering and industrial control knowledge, held by the plant engineers and technology team.

“Some IT security solutions work well in the ICS environment and others are disastrous. Getting teams cross-trained and skilled with hybrid security and ICS knowledge must be a priority. Security vendors also need to significantly improve their understanding and build industrial strength security solutions, a few key suppliers understand the requirements but most just offer standard IT solutions which could even create rather than solve security problems,” he warns.

Safeguards

The security challenges are significant, and there is no silver bullet solution to cyber security either in the corporate environment or industrial operational environment.

“New technology solutions are being developed all the time – many of which are very useful in securing systems.
However, many organizations naturally focus on technology as the main method of dealing with security risk. However, the best safeguard is understanding the risk and establishing a security culture within the organization to address the risks. Ultimately, organisations rely on people, process and technology to be secure,” explains Lowe.

“One of the most effective safeguards an organization can invest in is being prepared to detect and respond to a security incident. This can be as simple as developing some pragmatic procedures and can be more valuable than spending significant funds on the latest security technology solution,” he adds.

The upstream industry may have some advantages over other process-reliant industries such as the utilities and telecoms sectors, says Byres. “Compared to the other industries, oil and gas companies and operators are probably more likely to embrace the necessary cyber security steps once they are aware of the risks they are facing, because most of them actually have a solid risk management culture. They can quantify what bad security could cost them and then make the decision to do something. In contrast, the power industry and manufacturing industry tend to be lost when it comes to moving to address the risk until they have a problem or are legislated to do something.”

Wireless Concerns

Additionally, the step to wireless, which has always raised security related questions from the industry, may actually be helping migrate upstream firms into safer territory.

“Frankly most of the wireless deployments I see are better than the wired ones in terms of security. People see the word “wireless” and they immediately ask themselves: What do I need to do about security? With wired systems, security never crosses their mind,” Byres states.

Whilst wireless networking can introduce potential security risks to networks and facilities, many secure wireless solutions have been developed. It is, however, easy to implement wireless solutions in an insecure way that can introduce security weaknesses.

“Companies implementing wireless solutions in the industrial environment should only do so having been informed by a thorough risk assessment and should design the wireless solution to address the identified risks,” explains Lowe. “These should be reviewed on a regular basis and action taken as required to maintain security levels against an evolving threat and risk landscape.”

Outlook

Many local energy companies are only just beginning to recognise the cyber security risks. However, that recognition has kick-started an appetite to address, explore and counter future threats. The upcoming Abu Dhabi International Forum to discuss the cyber security of energy and utilities sectors in the Middle East is proof that the threat is being taken seriously by energy and utility players throughout the region.
Participation from leading cyber security luminaries, and their local upstream energy and utility counterparts, means local business leaders are embracing the need for rapid, but planned adoption of a cyber security framework.

The Middle Eastern energy industry could not be more vital to meeting the Gulf’s aspirations, as well as the stability and general wellbeing of the global economic system. The threat is being tackled, but the oil and gas industry, and its utilities counterparts cannot pause for deliberation. Action to match good intentions is now as critical as the challenge.

Article Source: http://www.arabianoilandgas.com/article-9868-digital-danger-zone-tackling-cyber-security/1/

Cyber Security Services Provided by iFluids Engineering (to know more, send email to john@ifluids.com)
• IT Security Awareness
• ISO 27001 Introduction & ISMS Primer
• Essentials of ICS Engineering
• Essentials of SIS and Safety Life Cycle
• ICS Security and Network Management
• Identity and Access Management