Cybersecurity-related events have become an increasing problem for the oil and gas industry over the past decade.
On one hand, there has been a push to reduce costs and increase efficiency through companywide network integration. The advances in industrial control systems (ICS) have made pipeline systems accessible through Internet-based technologies and tools. This has allowed systems to be operated and maintained effectively with fewer staff distributed widely around the world.
Unfortunately, while connectivity was improved, the millions of legacy control systems in use were not designed with security in mind. Thus, with the increasing connectivity of SCADA and ICS, and a library of free tools to attack ICS products available to hackers – right now, industrial security is a game with the advantage going to the attacker.
Ultimately, these circumstances are leading to a do-or-die moment: secure your ICS or the reliability and safety of your entire company is at risk. Of course, there’s no simple solution – the process takes substantial effort and thorough planning. A carefully constructed and strategically designed “Defense in Depth” model is the only viable answer.
Pipelines – Prime Targets
There are many reasons why oil and gas operations have become attractive targets for cyber-attacks. For example, a pipeline’s importance to the economy of a country may make disrupting operations useful in achieving political goals. In “Cybersecurity And The Pipeline Control System,” February 2009 Pipeline and Gas Journal, I described the cyber-sabotage of the ship loading systems at Petróleos de Venezuela, S.A. (PDVSA) in 2002 during a national strike.
Often the attacks appear to be driven by reasons of economic competiveness, such as the Night Dragon cyber-activity that stole sensitive data, including oil field bids and SCADA operations data from energy and petrochemical companies in 2011 (See “Next Generation Cyber-Attacks Target Oil, Gas SCADA, February 2009 Pipeline and Gas Journal.)
And sometimes the attackers seem to have multiple goals. In 2012, there were cyber-attacks on 23 North American natural gas pipeline operators. While much of the stolen information had clear economic value, some of the data – such as the remote maintenance dial-up numbers of the compressor stations – had no economic benefit to the attackers. However, information like this does offer the ability to sabotage the pipelines years in the future.
Researchers came up with several theories for who could have been behind the 2012 gas pipeline attacks, suspecting the special intelligence teams of several countries, including China. As a result of this and other events, the White House issued an executive order to increase cybersecurity measures to protect systems critical to the national economy, including pipelines.
Adding to the complexity of the problem, attacks aren’t just coming from well-known or long-established threat sources. The attackers don’t even have to be well-funded or organized. The Shamoon attacks against Saudi Armco in September of 2012 destroyed over 55,000 servers and workstation hard drives. This was likely the work of one or two individuals with religious goals. The similar attacks against Qatar’s RasGas two weeks later also seem to have been ideologically motivated.
North Korea has emerged as an international threat on the cyber-war scene. According to a recent Christian Science Monitor account, analysts have found that during the last four years, the North Korean government’s cyber-attacks on the South Korean government have cost the country more than $750 million in damages, plus infecting and wiping clean 32,000 computers – one of the world’s most destructive and costly cyber-attacks to date.
For an unstable country to have such serious capabilities to do harm is a concern, especially since this gives the regime the ability to strike targets off of the Korean peninsula. The operations of the oil and gas industry would clearly be an attractive target for more “soft” military adventures by an unpredictable state.
Myth Busting: Air-Gap Defense
Understanding that oil and gas control systems face risks that are considerably different than those faced by IT systems often means very different strategies and technologies are needed to ensure reliable security. At the same time, IT security and pipeline security solutions need to work together to be effective.
For example, most IT security managers see data confidentiality as paramount, resulting in the deployment of solutions based on encryption technologies. However, security in ICS is primarily concentrated on maintaining integrity and availability of the system. Encryption technologies can make troubleshooting operational issues more difficult, therefore reducing overall systems availability or safety. Thus, careful balancing of the right technology for the security objectives of a system is critical.
The rift between IT systems and operational systems has also resulted in a number of misunderstandings and outright myths. Chief among the myths: “the air-gap defense theory,” an idea that looks great on paper, but doesn’t work in practice.
Here’s the theory: Creating a physical gap between the control network and the business network prevents hackers and worms from reaching critical control systems. But simply put, it’s not possible for true air gaps to exist in the ICS and SCADA world. Eventually, someone will need to move data into or out of the control system, and among that data will be the possibility of some sort of malware.
Luckily, control system providers aren’t buying the air-gap theory either, as PLC and DCS vendors have both come to realize that air gaps conflict with their architectures. Modern control systems need a steady flow of electronic information from the outside world. They need to be tightly integrated to the corporate operations and allow remote maintenance support. Severing the network connection to create air gaps simply invites new pathways, such as dial-up modems, laptops and USB keys, which are more difficult to manage, but just as easy to exploit.
The Path Less Traveled
Thanks to this evidence – and much trial and error, IT professionals and SCADA experts are well aware that singular defenses lead to a single point of failure, whether it’s a lone firewall, physical barrier or air gap, and they have to be ready to combat sophisticated attacks.
Relying on a single defensive solution exposes systems, no matter how well designed or strong. Breaking through that one defense means the entire system is wide open to an attack. A far more effective strategy for reliable security is the concept of “defense-in-depth.”
Building a defense-in-depth strategy is not something unique to ICS, SCADA or cybersecurity. In fact, it was originally coined by the Romans in describing a military strategy.
For our purposes, a defense-in-depth is built on three core concepts:
• Multiple layers of defense: Layering multiple security solutions provides that if one layer is bypassed, another will provide the defense. Systems cannot rely completely on a single point of security, no matter how good it is.
• Differentiated layers of defense: This ensures that each of the security layers is slightly different. If attackers find a way past the first layer, they don’t automatically have the capabilities for getting past all the subsequent defenses.
• Threat-specific layers of defense: Each of the defenses should be designed to be context and threat specific. In essence, design for the threat. The SCADA/ICS system can be exposed to a variety of different security threats, ranging from angry employees and computer malware, to denial of service attacks and information theft. Each needs to be considered and defended against. In the control system, more sophisticated SCADA-aware firewalls can observe the traffic beyond the protocol types. This allows defenses based on the behavior and context of the systems using these protocols on the control network.
Implementing Defense In Depth
Changes in SCADA infrastructure and facility processes reflect a different focus in today’s attacks – subtle and persistent attempts to steal valuable information that can rob an organization of its economic life blood. The industry needs to accept the idea that complete prevention of all attacks isn’t possible. The best system for the managing hostile entities is to quickly detect, isolate and control them.
A few security measures that pipeline operators can take:
• Prioritize by making sure mission-critical systems are secured first.
• Make sure the full team is informed and educated on security best practices; create a culture of security.
• Update your risk assessments regularly, including both physical and virtual checks.
• Do not apply a one-size-fits-all solution across the entire IT and ICS system.
Thorough planning includes mapping out the architecture for a defense-in-depth strategy, applying the philosophy to the physical world and securing the path to a SCADA/ICS system.
It’s important to note that not all IT security solutions are applicable to industrial systems security. While studies at major oil companies have shown that 90% of IT security policies work well for ICS, companies can’t blindly use IT security processes and technologies in the SCADA system. They need solutions that are SCADA/ICS-focused.
Conclusion: Security Is Never One And Done
It’s critical to periodically test and assess your system. Effective ICS and SCADA security is not a one-time project. Companies need to develop ICS-specific documents describing company policy, standards and procedures concerning control system security. Control system engineers need to use solutions that are SCADA/ICS-focused.
Most importantly, companies must make sure ICS have a proper defense-in-depth design where the network, control devices and systems are collectively hardened. When the most critical systems in your operations have multiple layers of defense, reliable security for production and midstream operations can be a reality.
Author: Eric Byres is chief technology officer with Tofino Security, a Belden brand, and has a background as a process controls engineer. He is the recipient of the 2013 International Society of Automation Excellence in Leadership Award for his contributions to the industry, including advancements in automation. He can be reached at firstname.lastname@example.org.