Oil, Gas: Protecting Against Black Swan

Wednesday, April 22, 2015 @ 05:04 PM gHale


By Gregory Hale
Security has come to a point where users have to protect against attacks that are unpredictable.

“You want to watch out for and protect against a Black Swan,” said Alice Barnett, manager information technology audit at ConocoPhillips during her talk entitled “Cybersecurity Pitfalls to Avoid in Oil and Gas” at the Siemens Oil and Gas Innovations Conference 2015 in Houston, TX, Wednesday. “A Black Swan is a surprise attack that has a major impact on your environment that was not predicted, but appears to be rational upon further review. So, you have to protect against an unpredictable attack.”

RELATED STORIES
Employees Violate Cloud Security Rules
Social Engineering: Employees a Huge Risk
Affect of Attacks on Partners
BYOD, Cloud Security Risk Growing

In the end it all means security professionals in the oil and gas industry have to design systems with resilience and robustness that can withstand unpredictable events.

The Siemens conference focused on the growing automation environment in the oil and gas industry, but Barnett said no matter how you look at it, yes, automation is growing, but so is the security threat.

“It is really going to take all of us to ensure a secure environment,” she said. “Automation brings reliability safety and operating efficiency. Cyber security is a threat to all three.”

That means uses have to worry about cyber security in all phases of the business.

An attack, Barnett said, can have a serious impact on a business and create a:
• Loss of production
• Off spec products
• Environmental problem
• Health impact

As mentioned, attacks are increasing as there were 245 reported attacks to ICS-CERT in 2014. That means attacks are definitely happening, according to reports from ICS-CERT, and with a majority of them coming against oil and gas industry, Barnett said.

In addition, she added, attackers are getting more successful. The amount of successful attacks doubled from 2013 to 2014, she said.

Also, it used to be cyber attacks relied upon the expert knowledge of attackers and their ability to infiltrate systems. That is not the case anymore as off the shelf attack kits are available to just about anyone that wants to create an attack.

“It seems like there is a new attack going on every week.”

She mentioned the Stuxnet attack, which as ISSSource reported, ended up conducted by the United States and Israel to disable the uranium enrichment plant outside Natanz, Iran, by causing the control system to run wildly out of control causing severe damage to centrifuges.

Attacks like Stuxnet can end up used to attack any kind of network, she said.

There was also a more recent attack on a German steel mill. Social engineering ended up used to get credentials so the attacker can get into the system and it appeared the attack worked as a crucible full of product ended up spilled, she said. “There were no injuries, but it does present a problem.”

While all of that is bad news that can strike fear into any oil and gas practitioner or manufacturer, “we can do something about it,” she said.

It is all about having a plan that revolves around: Protect, Detect, Respond and Learn.

“We need to pull in all the resources to improve in this space,” she said.

While she talked about the process of security, Barnett also pointed out the other two elements of the three-legged stool of success for security and that involves people and technology.

“There is a lot of technology that can help as well. Bad guys have good technology, but we have it as well. If you want to be successful to keep systems safe you have to have people that understand everything that needs to be done. Unfortunately, we don’t have enough Super Geeks to go around.”

The key to getting people to lock into and successfully enjoy a secure environment all falls down to communication and awareness.

As a rule to get a stronger security environment, OEMS have to design in security, EPCs need to ask clients about their security rules, users need to learn all company security policies, and everyone needs to take ownership of security, Barnett said.

“Security remains a growing concern and the community has to work together to adequately protect their systems,” Barnett said.



Leave a Reply

You must be logged in to post a comment.