Invest in security
to secure investments
13 Real ways to destroy business by breaking
company’s SAP Applications and a guide to
avoid them
Alexander Polyakov
CTO ERPScan, President EAS-SEC
CYBERSECURITY in Oil and Gas
Tunde Ogunkoya (Partner, DeltaGRiC)
About Me
2
• Consulting Partner, DeltaGRiC Consulting – Leading Consultancy in the SAP
Africa Ecosystem, focusing on mitigating cyber Risk and Compliance
violations in SAP run organizations
• Enterprise Application Security Enthusiast/Evangelist – Focused on SAP and
Open Source Software Security.
• Delivered first ever SAP cybersecurity project on the African Continent -
RSSC, Swaziland with ERPScan team
• Respected opinion on SAP Security matters / OSS Security matters (Times
News, ITWeb)
• Advocate of “Compliance is only but a check-in-the-box” and does NOT really
mitigate the actual Security Risks.
• Participated in the Curriculum content development for the Graduate
Program in Cyber Security & Intelligence at the Ontario College of
Management and Technology, Canada (OCMT).
• I am not an Expert! I know one thing: that I know nothing … Apology 29d, Socrates
About ERPScan
3
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP and Oracle
• Leader by the number of acknowledgements from SAP (250+) and Oracle (40+)
• 80+ presentations at key security conferences worldwide
• 35+ Awards and nominations
• Research team – 20+ experts with experience in different areas of security, from ERP to ICS and Mobile
• Offices in Palo Alto, Amsterdam, Copenhagen, Sydney
4
Trends
SAP Security
How does traditional VAPT work?
5
• A company hires experts for a VAPT service or product
• Those specialists run some pentesting tools
• They (may) manually test vulnerabilities, escalate privileges and, as a result, write a report about vulnerabilities
• The report looks like: “we found vulnerability X on server Y, look at the black screenshot with the command line”.
Common VAPT report
6
Why?
7
• Everybody knows that there are vulnerabilities in almost every system
• The questions now are
– how dangerous are they
– how easy is it to exploit them
– what can happen after the exploitation?
– and what kind of REAL risks to YOUR organization they pose.
Risks are different
8
Why Oil and Gas?
9
Why Oil and Gas?
10
Competitive market – Risky market
Oil and Gas 101
11
Upstream: Critical processes and systems
12
• Extraction (Drilling)
• Gathering (From earth to separators)
• Separation (Separate oil, gas and water)
• Gas compression (Prepare for storage and
transport)
• Temporary Oil Storage (Temporarily store before
loading)
• Waste disposal (Water disposal)
• Metering (Calculate quantity before loading)
Midstream: Critical processes and systems
13
• Terminal management (Obtain oil from upstream)
• Gas Processing (Separate natural gas and NGL)
• Gas Transportation (Transfer gas to storage via pipelines)
• Oil transportation (Transfer oil to storage via
pipeline/Truck/Barge/Rail)
• Base load Gas storage (Temporary and long-term)
• Peak load Gas Storage
• LNG Storage
• Oil Storage (Long-term oil storage)
Downstream: Critical processes and systems
14
• Refining (Processing of Crude Oil)
• Oil Petrochemicals (Fabrication of base
chemicals and plastics)
• Gas Distribution (Deliver gas to utilities)
• Oil Wholesale (Deliver petrol to 3rd parties)
• Oil Retail (Deliver petrol to end users)
Why should we care?
15
What can happen?
16
What can happen?
17
Plant Sabotage/Shutdown
Equipment damage
Utilities Interruption
Production Disruption (Stop or pause production)
Product Quality (bad oil and gas quality)
Undetected Spills
Illegal pipeline tapping
Compliance violation (Pollution)
Safety violation (Death or injury)
Three aspects of Oil and Gas Cyber Security
18
When we speak about securing oil and gas
companies we should cover
– Operational Technology security
– Enterprise Application security
– Connections security
Three aspects of Oil and Gas Cyber Security
19
20
ICS Security in Oil and Gas
SAP Security
Oil and Gas Cyber-Security (OT part)
21
3 Areas:
Upstream
Midstream
Downstream
20+ processes:
Separation
Drilling
………
100+ System Types:
Burner Management
Fiscal Metering
….
1000+ Solutions
from hundreds of vendors:
Emerson
Rockwell
Siemens
….
Let's look at those systems
22
• Metering System (Fiscal Metering)
• Tank Inventory System (Oil Storage)
Metering
23
• Risks:
– Product Quality, Monetary loss
• Details
– Analyzes density, viscosity of content, temperature, and
pressure
– Divided into several runs
• Systems
– Fiscal Metering System
– Liquid Flow Metering
– Gas Flow Metering System
– Wet Gas Metering System
Fiscal Metering
24
• Description
– Custody transfer, or fiscal metering, occurs when fluids or gases
are exchanged between parties.
– Payment is a function of the amount of fluid or gas transferred.
– A small error in measurement leads to financial exposure: over a year, a 0.1% error would amount to a difference of $50m.
– The engine of a custody transfer or fiscal metering installation is
the flow computer.
OIL STORAGE
25
• Risks
– Plant Sabotage/Shutdown, Equipment damage, Production Disruption,
Compliance violation, Safety violation
• Description
– Consists of 10-100+ tanks holding 1-50m barrels
– Tank Inventory Systems (TIA) collect data from special tank gauging systems
– Accurate records of volumes and history are kept for forecasting and stock control
– Tank level deviations can result in hazardous events such as a tank overfilling, liquefied gas flashing, etc.
• Systems
– Terminal Management Systems, Tank Inventory Systems, Tank Management
Systems
Tank Inventory Systems
26
Terminal Management
– Honeywell Enraf TM BOX (connected with IT)
– Emerson Syncade Terminal Logistics (connected with IT)
– Emerson Rosemount TankMaster WinOpi
• View and control commands
• Change alarms (Level, Temperature, Pressure)
• Send management commands to servo tanks (Freeze, Lock)
27
Enterprise Applications Security in Oil and Gas
Enterprise usage: Business Applications
28
85% of Fortune 2000 Oil and Gas
companies use SAP
Enterprise usage: Business Applications
29
70 million barrels per day of oil are produced by companies using
SAP solutions
(75% of total Oil production)
Enterprise applications VS Oil And Gas processes
30
• PPM (Project portfolio management)
• ALM (Asset Lifecycle Management)
• LIMS (Laboratory Information Management System)
• PAS (Production Accounting System)
• ERP (Enterprise Resource Planning)
• + HR, CRM, PLM, SRM, BI/BW, SCM
Enterprise applications
31
• PPM <-> Exploration
• ALM <-> Refinery, Separation, etc.
• LIMS <-> Refinery, Separation
• PAS <-> Tank Inventory, Metering
• ERP <-> Tank Inventory, Metering
• + HR, CRM, PLM, SRM, BI/BW, SCM
Enterprise apps security
Ways to compromise ERP/Business Application
• Vulnerabilities
– 3500+ in SAP, 3000+ in Oracle
• Misconfigurations
– Thousands
• Unnecessary privileges
– Hundreds for every type of system
• Custom code issues
– Hundreds of vulnerabilities in each system that we analyzed
Vulnerabilities in SAP and Oracle
33
Only one vulnerability would suffice to jeopardize ALL business-critical data
Misconfigurations in SAP
34
• ~1500 General profile parameters
• ~1200 Web applications to configure
• ~700 web services to secure
• ~100 specific management commands to filter
• ~100 specific parameters for each of the 50 modules (FI, HR,
Portal, MM, CRM, SRM, PLM, Industry solutions…)
http://erpscan.com/wp-content/uploads/publications/EASSEC-PVAG-ABAP.pdf
(Chart with the years 2012, 2013, 2014 and 2015 on its axis)
35
SAP Security Incidents
36
The latest SAP Security Incident (2015)
37
Security of Connections between IT and OT
IT/OT connection looks like this
38
Or like this
39
IT and OT, SAP example
40
SAP xMII overview
41
• Connects manufacturing with enterprise business processes and provides information to improve production performance
Attack Surface (SAP xMII Security):
42
SAP Plant Connectivity
43
Hacking SAP Plant Connectivity
44
45
Now they are inside your OT network and can do whatever they want: there is no air gap!
DEMO
46
Oil and Gas attack vectors
47
Oil market fraud attack:
• Imagine what would happen if a cyber criminal uploaded malware that dynamically changes oil stock figures for all Oil and Gas companies where SAP is implemented. Attackers would be able to deliberately understate data about oil in stock.
Plant equipment sabotage attack:
• Hackers can spoof a report about equipment status in a remote facility. Companies will spend a lot of time and money investigating the incident.
Plant destruction attack:
• With access to BMS systems via SAP PCo and SAP xMII, hackers can perform physical attacks.
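A defender's reconciliation check for the oil-stock fraud scenario above, written here as an added example (not code from the presentation, ERPScan or DeltaGRiC): it compares the volumes the tank inventory system derives from tank gauging (OT side) with the stock figures posted in the ERP (IT side), flags tanks whose ERP figure is understated or overstated beyond measurement noise, and also reports tanks sitting near their high-high level, since a tampered inventory figure can mask an overfill. The record layouts, tank ids, tolerances and sample readings are constructed assumptions.

```python
"""Reconcile tank-gauging volumes against ERP stock postings.

Added example, not code from the presentation or from ERPScan/DeltaGRiC.
Record layouts, tolerances and sample values are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class TankReading:
    """One snapshot from the tank inventory system (OT side). Constructed layout."""
    tank_id: str
    level_m: float        # measured liquid level from the tank gauge
    max_level_m: float    # high-high alarm level of the tank
    volume_bbl: float     # volume the inventory system computed from the level


@dataclass(frozen=True)
class ErpStock:
    """Stock figure for the same tank as posted in the ERP (IT side). Constructed layout."""
    tank_id: str
    quantity_bbl: float


Finding = Tuple[str, str, str]  # (tank_id, finding code, human-readable detail)


def reconcile(readings: Iterable[TankReading], stocks: Iterable[ErpStock],
              tolerance: float = 0.005, alarm_margin: float = 0.02) -> List[Finding]:
    """Compare OT gauging data with ERP stock postings and return findings.

    tolerance     relative deviation between the ERP quantity and the gauged
                  volume still accepted as measurement noise (0.5 % by default)
    alarm_margin  fraction below the high-high level from which a tank is
                  reported as an overfill risk (2 % by default)
    """
    by_tank_ot: Dict[str, TankReading] = {r.tank_id: r for r in readings}
    by_tank_erp: Dict[str, ErpStock] = {s.tank_id: s for s in stocks}
    findings: List[Finding] = []

    for tank_id in sorted(by_tank_ot.keys() | by_tank_erp.keys()):
        ot = by_tank_ot.get(tank_id)
        erp = by_tank_erp.get(tank_id)
        if ot is None or erp is None:
            # A tank known to only one side is itself suspicious (phantom stock
            # in the ERP, or a physical tank that is not booked at all).
            side = "ERP" if ot is None else "tank inventory system"
            findings.append((tank_id, "MISSING", f"present only in {side}"))
            continue

        # Overfill risk is a safety finding taken from the OT reading alone.
        if ot.level_m >= ot.max_level_m * (1 - alarm_margin):
            findings.append((tank_id, "OVERFILL",
                             f"level {ot.level_m:.2f} m near high-high "
                             f"{ot.max_level_m:.2f} m"))

        # Tampered stock figures show up as the ERP drifting from physical volume.
        if ot.volume_bbl > 0:
            deviation = (erp.quantity_bbl - ot.volume_bbl) / ot.volume_bbl
        else:
            deviation = 0.0 if erp.quantity_bbl == 0 else float("inf")
        if abs(deviation) > tolerance:
            direction = "understated" if deviation < 0 else "overstated"
            findings.append((tank_id, "MISMATCH",
                             f"ERP {direction} by {abs(deviation):.1%} "
                             f"(ERP {erp.quantity_bbl:,.0f} bbl vs gauged "
                             f"{ot.volume_bbl:,.0f} bbl)"))
    return findings


# Constructed sample data: one clean tank, one understated in the ERP,
# one near its high-high level, and one that exists only in the ERP.
SAMPLE_READINGS = [
    TankReading("TK-101", level_m=12.40, max_level_m=18.00, volume_bbl=310_000.0),
    TankReading("TK-102", level_m=15.10, max_level_m=18.00, volume_bbl=378_000.0),
    TankReading("TK-103", level_m=17.80, max_level_m=18.00, volume_bbl=445_000.0),
]
SAMPLE_STOCKS = [
    ErpStock("TK-101", quantity_bbl=310_900.0),  # within 0.5 % noise
    ErpStock("TK-102", quantity_bbl=340_000.0),  # about 10 % understated
    ErpStock("TK-103", quantity_bbl=445_000.0),
    ErpStock("TK-104", quantity_bbl=50_000.0),   # no physical tank reported
]


if __name__ == "__main__":
    for tank_id, code, detail in reconcile(SAMPLE_READINGS, SAMPLE_STOCKS):
        print(f"{tank_id} {code:8s} {detail}")
```

Running the check periodically from an independent host, rather than from inside the ERP or the xMII/PCo path, keeps it useful even when the integration layer itself is what has been compromised.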
48
How does one go about securing it?
SAP Security
Apply
• Step 1: Next month
– Security assessment for ERP and business applications
• Step 2: Next quarter
– Protect your ERPs and other business applications (specific scanning and monitoring tools)
• Step 3: Next 2 quarters
– Review all connections
• Step 4: By this year
– Secure connections where possible
• Step 5: Next year
– Assess and protect ICS systems
How to apply ERP Security
50
Business security (SoD)
Prevents attacks or mistakes made by insiders
Code security
Prevents attacks or mistakes made by developers
Application platform security
Prevents unauthorized access both from within the corporate network and from remote attackers
51
• Only a 360-degree approach can help maximize security
• Full workflow (Identify/Analyze/Remediate)
• Specific checks for industry modules and solutions
• Fast release cycles to address client needs
ERPScan Strengths
About
52
a.polyakov@erpscan.com
tunde@deltagricconsulting.com
228 Hamilton Avenue, Fl. 3,
Palo Alto, CA. 94301
USA HQ
www.erpscan.com
info@erpscan.com
G17, Pinewood office complex,
33 Riley Road,
Sandton - Johannesburg
South Africa

More Related Content

What's hot

Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...PECB
 
A Career in Cybersecurity
A Career in CybersecurityA Career in Cybersecurity
A Career in Cybersecuritylfh663
 
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...Edureka!
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSFDigital Bond
 
Cyber Security
Cyber SecurityCyber Security
Cyber SecurityNcell
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation centerMuhammad Sahputra
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterMichael Nickle
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckSlideTeam
 
The Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
The Journey to Cyber Resilience in a World of Fear, Uncertainty and DoubtThe Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
The Journey to Cyber Resilience in a World of Fear, Uncertainty and DoubtJohn D. Johnson
 
Roadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesRoadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesGreenway Health
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Frances Coronel
 
Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Radar Cyber Security
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident ResponsePECB
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
Cybersecurity Skills Audit
Cybersecurity Skills AuditCybersecurity Skills Audit
Cybersecurity Skills AuditVilius Benetis
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & BuildSameer Paradia
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 

What's hot (20)

Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
 
A Career in Cybersecurity
A Career in CybersecurityA Career in Cybersecurity
A Career in Cybersecurity
 
SOC Cyber Security
SOC Cyber SecuritySOC Cyber Security
SOC Cyber Security
 
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete Deck
 
The Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
The Journey to Cyber Resilience in a World of Fear, Uncertainty and DoubtThe Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
The Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
 
Roadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesRoadmap to IT Security Best Practices
Roadmap to IT Security Best Practices
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)
 
Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Cybersecurity Skills Audit
Cybersecurity Skills AuditCybersecurity Skills Audit
Cybersecurity Skills Audit
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & Build
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
 

Viewers also liked

Cybersecurity for Oil and Gas Industries: How Hackers Can Steal Oil
Cybersecurity for Oil and Gas Industries: How Hackers Can Steal OilCybersecurity for Oil and Gas Industries: How Hackers Can Steal Oil
Cybersecurity for Oil and Gas Industries: How Hackers Can Steal OilPriyanka Aash
 
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case StudyAccenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case StudyHoneywell
 
7 most important rules for oil and gas cybersecurity experts
7 most important rules for oil and gas cybersecurity experts7 most important rules for oil and gas cybersecurity experts
7 most important rules for oil and gas cybersecurity expertssusyangryany
 
Cyber Crime & Big Data Webinar -- 10-16-13
Cyber Crime & Big Data  Webinar -- 10-16-13Cyber Crime & Big Data  Webinar -- 10-16-13
Cyber Crime & Big Data Webinar -- 10-16-13MedillNSZ
 
Counter Narco-Terrorism and Drug Interdiction
Counter Narco-Terrorism and Drug InterdictionCounter Narco-Terrorism and Drug Interdiction
Counter Narco-Terrorism and Drug Interdictionmariaidga
 
2016 Canadian CEO Outlook
2016 Canadian CEO Outlook2016 Canadian CEO Outlook
2016 Canadian CEO OutlookStradablog
 
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)ITCamp
 
Enterprise security management II
Enterprise security management   IIEnterprise security management   II
Enterprise security management IIzapp0
 
The ever increasing threat of cyber crime
The ever increasing threat of cyber crimeThe ever increasing threat of cyber crime
The ever increasing threat of cyber crimeNathan Desfontaines
 
Cloud with Cyber Security
Cloud with Cyber SecurityCloud with Cyber Security
Cloud with Cyber SecurityNiki Upadhyay
 
The Proactive Approach to Cyber Security
The Proactive Approach to Cyber SecurityThe Proactive Approach to Cyber Security
The Proactive Approach to Cyber SecurityNathan Desfontaines
 
PwC Point of View on Cybersecurity Management
PwC Point of View on Cybersecurity ManagementPwC Point of View on Cybersecurity Management
PwC Point of View on Cybersecurity ManagementCA Technologies
 
Fighting The Top 7 Threats to Cloud Cybersecurity
Fighting The Top 7 Threats to Cloud CybersecurityFighting The Top 7 Threats to Cloud Cybersecurity
Fighting The Top 7 Threats to Cloud CybersecurityDavid Zaizar
 

Viewers also liked (16)

Cybersecurity for Oil and Gas Industries: How Hackers Can Steal Oil
Cybersecurity for Oil and Gas Industries: How Hackers Can Steal OilCybersecurity for Oil and Gas Industries: How Hackers Can Steal Oil
Cybersecurity for Oil and Gas Industries: How Hackers Can Steal Oil
 
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case StudyAccenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
 
7 most important rules for oil and gas cybersecurity experts
7 most important rules for oil and gas cybersecurity experts7 most important rules for oil and gas cybersecurity experts
7 most important rules for oil and gas cybersecurity experts
 
Cyber Crime & Big Data Webinar -- 10-16-13
Cyber Crime & Big Data  Webinar -- 10-16-13Cyber Crime & Big Data  Webinar -- 10-16-13
Cyber Crime & Big Data Webinar -- 10-16-13
 
Counter Narco-Terrorism and Drug Interdiction
Counter Narco-Terrorism and Drug InterdictionCounter Narco-Terrorism and Drug Interdiction
Counter Narco-Terrorism and Drug Interdiction
 
2016 Canadian CEO Outlook
2016 Canadian CEO Outlook2016 Canadian CEO Outlook
2016 Canadian CEO Outlook
 
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
 
Enterprise security management II
Enterprise security management   IIEnterprise security management   II
Enterprise security management II
 
IT Security Myths
IT Security MythsIT Security Myths
IT Security Myths
 
The ever increasing threat of cyber crime
The ever increasing threat of cyber crimeThe ever increasing threat of cyber crime
The ever increasing threat of cyber crime
 
Cloud with Cyber Security
Cloud with Cyber SecurityCloud with Cyber Security
Cloud with Cyber Security
 
The Proactive Approach to Cyber Security
The Proactive Approach to Cyber SecurityThe Proactive Approach to Cyber Security
The Proactive Approach to Cyber Security
 
PwC Point of View on Cybersecurity Management
PwC Point of View on Cybersecurity ManagementPwC Point of View on Cybersecurity Management
PwC Point of View on Cybersecurity Management
 
Big Data in Cyber Security
Big Data in Cyber SecurityBig Data in Cyber Security
Big Data in Cyber Security
 
Fighting The Top 7 Threats to Cloud Cybersecurity
Fighting The Top 7 Threats to Cloud CybersecurityFighting The Top 7 Threats to Cloud Cybersecurity
Fighting The Top 7 Threats to Cloud Cybersecurity
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber Resilience
 

Similar to Cybersecurity in Oil Gas Industry

EAS-SEC Project
EAS-SEC ProjectEAS-SEC Project
EAS-SEC ProjectERPScan
 
SAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big businessSAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big businessERPScan
 
Implementing SAP security in 5 steps
Implementing SAP security in 5 stepsImplementing SAP security in 5 steps
Implementing SAP security in 5 stepsERPScan
 
5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applicationsERPScan
 
Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)ERPScan
 
Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)ERPScan
 
[EMC] Source Code Protection
[EMC] Source Code Protection[EMC] Source Code Protection
[EMC] Source Code ProtectionPerforce
 
13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applicationsERPScan
 
If I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionIf I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionERPScan
 
EAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applicationsEAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applicationsERPScan
 
Assess and monitor SAP security
Assess and monitor SAP securityAssess and monitor SAP security
Assess and monitor SAP securityERPScan
 
VMworld 2013: How to make most out of your Hybrid Cloud
VMworld 2013: How to make most out of your Hybrid Cloud VMworld 2013: How to make most out of your Hybrid Cloud
VMworld 2013: How to make most out of your Hybrid Cloud VMworld
 
DTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security SolutionsDTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security SolutionsShah Sheikh
 
ScadaProject.com
ScadaProject.comScadaProject.com
ScadaProject.comSyncteam
 
Forgotten world - Corporate Business Application Systems
Forgotten world - Corporate Business Application SystemsForgotten world - Corporate Business Application Systems
Forgotten world - Corporate Business Application SystemsERPScan
 
2019 06-26 effective multi-vendor management -fortinet algo sec webinar final
2019 06-26 effective multi-vendor management -fortinet algo sec webinar final2019 06-26 effective multi-vendor management -fortinet algo sec webinar final
2019 06-26 effective multi-vendor management -fortinet algo sec webinar finalAlgoSec
 
SAP security made easy
SAP security made easySAP security made easy
SAP security made easyERPScan
 
The latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscapeThe latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscapeERPScan
 

Similar to Cybersecurity in Oil Gas Industry (20)

EAS-SEC Project
EAS-SEC ProjectEAS-SEC Project
EAS-SEC Project
 
SAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big businessSAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big business
 
Implementing SAP security in 5 steps
Implementing SAP security in 5 stepsImplementing SAP security in 5 steps
Implementing SAP security in 5 steps
 
5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications
 
Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)
 
Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)
 
[EMC] Source Code Protection
[EMC] Source Code Protection[EMC] Source Code Protection
[EMC] Source Code Protection
 
13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications
 
If I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionIf I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second edition
 
EAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applicationsEAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applications
 
Assess and monitor SAP security
Assess and monitor SAP securityAssess and monitor SAP security
Assess and monitor SAP security
 
VMworld 2013: How to make most out of your Hybrid Cloud
VMworld 2013: How to make most out of your Hybrid Cloud VMworld 2013: How to make most out of your Hybrid Cloud
VMworld 2013: How to make most out of your Hybrid Cloud
 
DTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security SolutionsDTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security Solutions
 
ScadaProject.com
ScadaProject.comScadaProject.com
ScadaProject.com
 
Forgotten world - Corporate Business Application Systems
Forgotten world - Corporate Business Application SystemsForgotten world - Corporate Business Application Systems
Forgotten world - Corporate Business Application Systems
 
2019 06-26 effective multi-vendor management -fortinet algo sec webinar final
2019 06-26 effective multi-vendor management -fortinet algo sec webinar final2019 06-26 effective multi-vendor management -fortinet algo sec webinar final
2019 06-26 effective multi-vendor management -fortinet algo sec webinar final
 
SAP security made easy
SAP security made easySAP security made easy
SAP security made easy
 
iWIT-A4-Brochure
iWIT-A4-BrochureiWIT-A4-Brochure
iWIT-A4-Brochure
 
The latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscapeThe latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscape
 
SCADA of the Future
SCADA of the FutureSCADA of the Future
SCADA of the Future
 

Cybersecurity in Oil Gas Industry

  • 1. Invest in security to secure investments 13 Real ways to destroy business by breaking company’s SAP Applications and a guide to avoid them Alexander Polyakov CTO ERPScan, President EAS-SEC CYBERSECURITY in Oil and Gas Tunde Ogunkoya (Partner, DeltaGRiC)
  • 2. About Me 2 • Consulting Partner, DeltaGRiC Consulting – Leading Consultancy in the SAP Africa Ecosystem, focusing on mitigating cyber Risk and Compliance violations in SAP run organizations • Enterprise Application Security Enthusiast/Evangelist – Focused on SAP and Open Source Software Security. • Delivered first ever SAP cybersecurity project on the African Continent - RSSC, Swaziland with ERPScan team • Respected opinion on SAP Security matters / OSS Security matters (Times News, ITWeb) • Advocate of “Compliance is only but a check-in-the-box” and does NOT really mitigate the actual Security Risks. • Participated in the Curriculum content development for the Graduate Program in Cyber Security & Intelligence at the Ontario College of Management and Technology, Canada (OCMT). • I am not an Expert  !.I know one thing: that I know nothing … Apology 29d Socrates
  • 3. About ERPScan 3 • The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP and Oracle • Leader by the number of acknowledgements from SAP ( 250+ ) and Oracle (40+) • 80+ presentations key security conferences worldwide • 35+ Awards and nominations • Research team – 20+ experts with experience in different areas of security from ERP to ICS and Mobile • Offices in Palo Alto, Amsterdam, Copenhagen, Sidney
  • 5. How does traditional VAPT works 5 • A company hire experts for VAPT service or Product • Those specialists run some pentesting tools • They (may) manually test vulnerabilities, escalate privileges and as a result write report about vulnerabilities • Report looks like “we found vulnerability X on the server Y look at the black screenshot with command line”.
  • 7. Why? 7 • Everybody know that there are vulnerabilities in almost every system • The question now – how dangerous are they – how easy is to exploit them – what can happen after the exploitation? – and what kind of REAL risks to YOUR organization it provides.
  • 9. Why Oil and Gas? 9
  • 10. Why Oil and Gas? 10 Competitive market – Risky market
11. Oil and Gas 101

12. Upstream: critical processes and systems
• Extraction (drilling)
• Gathering (from the well to the separators)
• Separation (separating oil, gas and water)
• Gas compression (preparing gas for storage and transport)
• Temporary oil storage (holding oil before loading)
• Waste disposal (water disposal)
• Metering (measuring the quantity before loading)

13. Midstream: critical processes and systems
• Terminal management (receiving oil from upstream)
• Gas processing (separating natural gas and NGL)
• Gas transportation (moving gas to storage via pipelines)
• Oil transportation (moving oil to storage via pipeline, truck, barge or rail)
• Base-load gas storage (temporary and long-term)
• Peak-load gas storage
• LNG storage
• Oil storage (long-term oil storage)

14. Downstream: critical processes and systems
• Refining (processing of crude oil)
• Oil petrochemicals (fabrication of base chemicals and plastics)
• Gas distribution (delivering gas to utilities)
• Oil wholesale (delivering petrol to third parties)
• Oil retail (delivering petrol to end users)
15. Why should we care?

17. What can happen?
• Plant sabotage/shutdown
• Equipment damage
• Utilities interruption
• Production disruption (stopped or paused production)
• Product quality (bad oil and gas quality)
• Undetected spills
• Illegal pipeline tapping
• Compliance violation (pollution)
• Safety violation (death or injury)

18. Three aspects of Oil and Gas cyber security

19. Three aspects of Oil and Gas cyber security
When we speak about securing oil and gas companies we should cover:
– Operational Technology (OT) security
– Enterprise application security
– Security of the connections between the two

20. ICS security in Oil and Gas / SAP security

21. Oil and Gas cyber security (OT part)
• 3 areas: upstream, midstream, downstream
• 20+ processes: separation, drilling, ...
• 100+ system types: burner management, fiscal metering, ...
• 1000+ solutions from hundreds of vendors: Emerson, Rockwell, Siemens, ...

22. Let's look at two of those systems
• Metering system (fiscal metering)
• Tank inventory system (oil storage)
23. Metering
• Risks
  – Product quality, monetary loss
• Details
  – Analyzes density, viscosity, temperature and pressure of the product
  – Divided into several metering runs
• Systems
  – Fiscal metering system
  – Liquid flow metering
  – Gas flow metering system
  – Wet gas metering system

24. Fiscal metering
• Description
  – Custody transfer, or fiscal metering, occurs when fluids or gases change hands between parties.
  – Payment is a function of the amount of fluid or gas transferred.
  – A small measurement error therefore translates directly into financial exposure: over a year, a 0.1% error can amount to a $50m difference.
  – The engine of a custody transfer or fiscal metering installation is the flow computer; whoever controls its calculations or its reported totals controls the invoice.

25. Oil storage
• Risks
  – Plant sabotage/shutdown, equipment damage, production disruption, compliance violation, safety violation
• Description
  – A tank farm consists of 10 to 100+ tanks holding 1m to 50m barrels
  – Tank Inventory Systems (TIA) collect data from dedicated tank gauging systems
  – Accurate records of volumes and history are kept for forecasting and stock control
  – Tank level deviations can result in hazardous events such as tank overfill, liquefied gas flashing, etc.
• Systems
  – Terminal management systems, tank inventory systems, tank management systems

26. Tank inventory systems
Terminal management
– Honeywell Enraf TM BOX (connected to IT)
– Emerson Syncade Terminal Logistics (connected to IT)
– Emerson Rosemount TankMaster WinOpi
  • View and send control commands
  • Change alarm thresholds (level, temperature, pressure)
  • Send management commands to servo tanks (freeze, lock)
28. Enterprise usage: business applications
85% of Fortune 2000 oil and gas companies use SAP.

29. Enterprise usage: business applications
70 million barrels of oil per day are produced by companies using SAP solutions (75% of total oil production).

30. Enterprise applications vs. Oil and Gas processes
• PPM (Project Portfolio Management)
• ALM (Asset Lifecycle Management)
• LIMS (Laboratory Information Management System)
• PAS (Production Accounting System)
• ERP (Enterprise Resource Planning)
• + HR, CRM, PLM, SRM, BI/BW, SCM

31. Enterprise applications mapped to processes
• PPM <-> Exploration
• ALM <-> Refinery, separation, etc.
• LIMS <-> Refinery, separation
• PAS <-> Tank inventory, metering
• ERP <-> Tank inventory, metering
• + HR, CRM, PLM, SRM, BI/BW, SCM
32. Enterprise application security: ways to compromise an ERP/business application
• Vulnerabilities: 3500+ in SAP, 3000+ in Oracle
• Misconfigurations: thousands
• Unnecessary privileges: hundreds for every type of system
• Custom code issues: hundreds of vulnerabilities in each system we analyzed

33. Vulnerabilities in SAP and Oracle
Only one vulnerability would suffice to jeopardize ALL business-critical data.

34. Misconfigurations in SAP
• ~1500 general profile parameters
• ~1200 web applications to configure
• ~700 web services to secure
• ~100 specific management commands to filter
• ~100 specific parameters for each of the 50 modules (FI, HR, Portal, MM, CRM, SRM, PLM, industry solutions, ...)
http://erpscan.com/wp-content/uploads/publications/EASSEC-PVAG-ABAP.pdf
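The profile parameters on slide 34 are the cheapest place to start, because a profile file is plain text that an auditor can diff against a baseline without touching the running system. The script below is an added example and not code from the deck or from ERPScan: it parses a constructed DEFAULT.PFL fragment and grades a handful of well-known parameters against an assumed baseline (a small subset of common SAP hardening guidance; the EAS-SEC checklist linked above covers far more). Anything the profile does not set explicitly is reported as UNSET rather than guessed, because the effective value then comes from the kernel default and should be confirmed in RZ11.

```python
"""Check an SAP profile file against a small hardening baseline.

Added illustration, not code from the slides or from ERPScan.  BASELINE is an
assumed subset of common SAP hardening guidance, not an authoritative list.
"""
import re

# Assumed baseline: parameter -> (predicate on the raw string value, expectation).
BASELINE = {
    "login/no_automatic_user_sapstar": (lambda v: v == "1", "1 (no SAP* fallback login)"),
    "login/min_password_lng": (lambda v: v.isdigit() and int(v) >= 8, ">= 8"),
    "login/password_downwards_compatibility": (lambda v: v == "0", "0 (no legacy hashes)"),
    "login/fails_to_user_lock": (lambda v: v.isdigit() and 1 <= int(v) <= 5, "1..5"),
    "gw/acl_mode": (lambda v: v == "1", "1 (gateway ACL files enforced)"),
    "auth/rfc_authority_check": (lambda v: v != "0", "not 0 (S_RFC is checked)"),
    "rdisp/gui_auto_logout": (lambda v: v.isdigit() and 0 < int(v) <= 3600, "1..3600 seconds"),
}

# 'name = value'; a leading '#' marks a comment line and is excluded from the name class.
_LINE = re.compile(r"^\s*([^#=\s]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Parse the 'name = value' lines of an SAP profile into a dict.
    Later assignments override earlier ones, as the SAP kernel does."""
    params = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def check_profile(params):
    """Return (parameter, actual, expected, status) tuples.
    status is PASS, FAIL, or UNSET (kernel default applies: confirm in RZ11)."""
    findings = []
    for name, (ok, expected) in BASELINE.items():
        actual = params.get(name)
        if actual is None:
            status = "UNSET"
        elif ok(actual):
            status = "PASS"
        else:
            status = "FAIL"
        findings.append((name, actual, expected, status))
    return findings


def summarize(findings):
    """Count findings per status."""
    return {s: sum(1 for f in findings if f[3] == s) for s in ("FAIL", "UNSET", "PASS")}


# Constructed sample profile fragment; not taken from any real system.
SAMPLE_PROFILE = """\
# DEFAULT.PFL - constructed example
SAPSYSTEMNAME = PRD
login/no_automatic_user_sapstar = 0
login/min_password_lng = 6
login/password_downwards_compatibility = 1
gw/acl_mode = 0
auth/rfc_authority_check = 1
rdisp/gui_auto_logout = 0
"""

if __name__ == "__main__":
    findings = check_profile(parse_profile(SAMPLE_PROFILE))
    for name, actual, expected, status in findings:
        print(f"{status:5} {name:40} actual={actual!r:6} expected {expected}")
    print(summarize(findings))
```

Run it against the real DEFAULT.PFL and the instance profile together (instance values override default values), and treat every UNSET as a question for the Basis team rather than a pass.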
35. SAP security incidents (timeline: 2012, 2013, 2014, 2015)

36. The latest SAP security incident (2015)

37. Security of connections between IT and OT

38. An IT/OT connection looks like this

40. IT and OT, SAP example

41. SAP xMII overview
• Connects manufacturing with enterprise business processes and provides information to improve production performance

42. Attack surface (SAP xMII security)

44. Hacking SAP Plant Connectivity (PCo)

45. Now they are inside your OT network and can do whatever they want. There is no air gap!
47. Oil and Gas attack vectors
Oil market fraud attack
• Imagine what would happen if a cyber criminal uploaded malware that dynamically changes oil stock figures in every oil and gas company where SAP is implemented. Attackers could deliberately understate the data about oil in stock.
Plant equipment sabotage attack
• Hackers can spoof a report about equipment status at a remote facility. The company will spend a lot of time and money investigating the incident.
Plant destruction attack
• With access to BMS (burner management) systems via SAP PCo and SAP xMII, hackers can cause physical damage.

48. How does one go about securing it? SAP security

49. Apply
• Step 1, next month: security assessment of ERP and business applications
• Step 2, next quarter: protect your ERPs and other business applications (specific scanning and monitoring tools)
• Step 3, next two quarters: review all connections between IT and OT
• Step 4, by the end of this year: secure connections where possible
• Step 5, next year: assess and protect ICS systems

50. How to apply ERP security
• Business security (SoD): prevents attacks or mistakes made by insiders
• Code security: prevents attacks or mistakes made by developers
• Application platform security: prevents unauthorized access both from within the corporate network and from remote attackers
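The first of the three layers on slide 50, segregation of duties, is the one most often checked by hand. The following is an added example, not code from the deck or from ERPScan, of the matching logic behind an SoD review: users are resolved to the transactions their roles grant, and each (user, rule) pair is flagged when the user holds at least one transaction on both sides of a conflict. Users, roles and the rule set are constructed; the transaction codes are standard SAP ones, but the three rules are an assumed minimal ruleset, not a vendor's matrix. The `exceptions` argument models a documented mitigating control so that accepted conflicts stop showing up as findings.

```python
"""Segregation-of-duties (SoD) conflict check over SAP-style role assignments.

Added illustration, not code from the slides or from ERPScan.  The rules,
roles and users below are constructed; only the transaction codes are real.
"""

# Assumed SoD rules: name -> (transactions for function A, transactions for function B).
# A user holding at least one transaction from each side has a conflict.
SOD_RULES = {
    "create vendor + pay vendor": ({"XK01", "FK01"}, {"F110", "FB60"}),
    "create purchase order + post goods receipt": ({"ME21N"}, {"MIGO"}),
    "maintain users + maintain roles": ({"SU01"}, {"PFCG"}),
}

# Constructed role -> transactions (what PFCG would grant through S_TCODE).
ROLES = {
    "Z_AP_CLERK": {"FB60", "FK03"},
    "Z_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_PAYMENT_RUN": {"F110"},
    "Z_PURCHASER": {"ME21N", "ME23N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_BASIS_USERADMIN": {"SU01"},
    "Z_BASIS_ROLEADMIN": {"PFCG"},
}

# Constructed user -> role assignments (what SU01 or SUIM would list).
USERS = {
    "JSMITH": ["Z_AP_CLERK", "Z_VENDOR_MASTER"],
    "AJONES": ["Z_PAYMENT_RUN"],
    "MBROWN": ["Z_PURCHASER", "Z_WAREHOUSE"],
    "BASIS1": ["Z_BASIS_USERADMIN", "Z_BASIS_ROLEADMIN"],
    "RLEE": ["Z_PURCHASER"],
}


def effective_tcodes(user, users, roles):
    """Union of the transactions granted by every role assigned to the user."""
    return set().union(*(roles.get(r, set()) for r in users.get(user, [])))


def find_sod_conflicts(users, roles, rules, exceptions=frozenset()):
    """Return one dict per (user, rule) conflict, in user order.

    exceptions: set of (user, rule_name) pairs covered by an accepted
    mitigating control; those are skipped rather than reported."""
    conflicts = []
    for user in sorted(users):
        tcodes = effective_tcodes(user, users, roles)
        for rule, (side_a, side_b) in rules.items():
            hit_a, hit_b = tcodes & side_a, tcodes & side_b
            if hit_a and hit_b and (user, rule) not in exceptions:
                conflicts.append({"user": user, "rule": rule,
                                  "a": sorted(hit_a), "b": sorted(hit_b)})
    return conflicts


if __name__ == "__main__":
    for c in find_sod_conflicts(USERS, ROLES, SOD_RULES):
        print(f"{c['user']}: {c['rule']} via {c['a']} and {c['b']}")
```

In a real system the role-to-transaction step is the hard part: composite roles, reference users, authorization objects beyond S_TCODE, and RFC-callable function modules all grant access that a transaction-code view misses, so the input to this matcher has to come from a full authorization extract, not from the role names alone.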
51. ERPScan strengths
• Only a 360-degree approach can maximize security
• Full workflow (identify / analyze / remediate)
• Specific checks for industry modules and solutions
• Fast release cycles to address client needs

52. About
a.polyakov@erpscan.com
tunde@deltagricconsulting.com
USA HQ: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301
www.erpscan.com, info@erpscan.com
South Africa: G17, Pinewood office complex, 33 Riley Road, Sandton, Johannesburg