As a highly critical sector, the oil and gas infrastructure should be one of the most secure, both physically and digitally. This is not the case.
A multi-billion dollar industry, trading one of the most valuable commodities on the market, is connecting its industrial control systems, full of unpatched vulnerabilities, to the Internet, where cyber criminals roam with impunity. These systems are poorly protected against cyber threats – at best, they are secured with IT solutions that are ill-adapted to legacy control systems. “The lack of appropriate security has already allowed a number of destructive cyber-attacks to lay waste to some of the most high-profile companies in the industry,” says senior cyber security analyst Michela Menting. “Oil and gas companies have been the victims of sophisticated cyber threats since 2009. Many of these attacks have caused significant financial damages. Inevitably, as the number of cyber-attacks increases in the coming year, realization of the financial implications of persistent cyber threats will boost cybersecurity spending in this field during the forecasted period. Spending is set to pick up considerably from 2014 onwards.”
According to ABI Research, cybersecurity spending on the oil & gas critical infrastructure will reach $1.87 billion by 2018. This includes spending on IT networks, industrial control systems and data security; countermeasures; and policies and procedures. So why is oil and gas infrastructure vulnerable to cyber attacks? The problem with protecting national infrastructure installations, including utilities, is the nature of the process-driven operations they rely on. Workers are typically used to the same routine day in, day out. Potential cyber attackers, perhaps even former employees, will take advantage of these routines to launch an attack. In process-controlled environments that are never connected to external networks, applying firmware and software updates is normally avoided because of the inherent risk: the chance that an update disrupts another dependent process or creates a new issue is judged to outweigh the benefit of installing it.
Furthermore, since the installation was not connected externally to the Internet or an extranet, the chance that a known security vulnerability would lead to a cyber attack causing the installation to fail was extremely low. So what has changed? The biggest change over the last twenty years is that process control systems have gone all-IP. Previous generations of process control systems depended on legacy serial standards such as RS-422/RS-485 for communication. Infiltrating such systems was nearly impossible, and the technology was considered a closed loop. In today’s digital era, however, industry has demanded that process control systems migrate to IP, which reduces the cost and complexity of maintaining separate control systems. This IP migration is what has opened the door to new threats. Previously, when an issue was reported at a remote site, the on-site staff would connect a modem to the phone line so an engineer could log in over an RS-232 connection and start a troubleshooting session remotely. Once the task was finished, the remote site disconnected the modem and the site was once again secure.
Today, the remote site staff allow an engineer to start a remote desktop session to their PC over an Internet-connected VPN. From this PC the engineer can access all the process control devices, which are completely IP-enabled. It is in this scenario that so many vulnerabilities exist. Chances are that the engineer uses a laptop which he also takes home. Both the engineer and the remote site staff have external email access on their PCs. A carefully crafted cyber attack will infiltrate the system within a legitimate email or a shared file, and take advantage of the security weaknesses of the process control system itself. Furthermore, being completely IP-enabled allows the attacker to spread the attack to every connected device. Installing extra firewalls and security appliances will not stop these types of sophisticated attacks. Only physical isolation and a thorough review of site access and connectivity policies will.
Tips To Ensure Security
- Troubleshooting and maintenance support for the secure network should be performed from a dedicated laptop which is stored in a safe when not in use.
- A sign in / sign out procedure for the laptop should also be included.
- The laptop should employ a CAPS compliant crypto authentication scheme to gain access to the secure network.
- Software and code updates should be delivered on read-only media, such as CD-ROM, and should be produced by the vendor, not downloaded and copied.
- USB memory sticks and hard drives should never be used.
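The sign-in / sign-out procedure above is only useful if someone checks it against what actually reached the control network. The script below is an added example, not part of the original article: it reconciles a constructed laptop sign-out register with constructed VPN / remote-desktop log lines (the log format, the hostname OT-MAINT-01 and the user names are all assumed) and flags sessions that came from a device other than the dedicated laptop or that fall outside a recorded sign-out window.

```python
"""Reconcile remote-access sessions with the dedicated-laptop sign-out register."""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"
DEDICATED_LAPTOP = "OT-MAINT-01"   # assumed hostname of the laptop kept in the safe

# Constructed sign-out register: (engineer, checked out, checked back in)
REGISTER = [
    ("j.doe", "2024-03-04 08:00", "2024-03-04 12:00"),
    ("a.lee", "2024-03-05 13:00", "2024-03-05 15:30"),
]

# Constructed remote-access log lines; the key=value layout is assumed, not a real product's
LOG = """\
2024-03-04 09:15 vpn user=j.doe host=OT-MAINT-01 dst=plc-rtu-07 action=connect
2024-03-04 22:40 vpn user=j.doe host=OT-MAINT-01 dst=plc-rtu-07 action=connect
2024-03-05 14:10 vpn user=a.lee host=ALEE-LAPTOP dst=hmi-02 action=connect
2024-03-06 10:05 vpn user=m.ray host=OT-MAINT-01 dst=plc-rtu-03 action=connect
"""

def parse_line(line):
    """Split one log line into a dict of fields plus a parsed timestamp."""
    ts_str, _, rest = line.partition(" vpn ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, FMT)
    return fields

def in_register(user, ts):
    """True if the user had the dedicated laptop signed out at time ts."""
    for who, out, back in REGISTER:
        if who == user and datetime.strptime(out, FMT) <= ts <= datetime.strptime(back, FMT):
            return True
    return False

def audit(log_text):
    """Return (timestamp, user, reason) for each connect event that breaks the policy."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["action"] != "connect":
            continue
        if ev["host"] != DEDICATED_LAPTOP:
            findings.append((ev["ts"], ev["user"], "non-dedicated device " + ev["host"]))
        elif not in_register(ev["user"], ev["ts"]):
            findings.append((ev["ts"], ev["user"], "no matching laptop sign-out"))
    return findings

if __name__ == "__main__":
    for ts, user, reason in audit(LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {user}: {reason}")
```

Run against the constructed data it reports three sessions: an after-hours connection from the dedicated laptop with no sign-out, a connection from a personal laptop, and a user with no register entry at all.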
By Craig Sutherland