Oil & Gas Security: From Field to Boardroom

Tuesday, May 15, 2012 @ 02:05 PM gHale

By Gregory Hale
You never know who is watching.

Just ask the oil and gas company executives hit by “Night Dragon.”

“Night Dragon” attacks relied on a combination of spear-phishing, social engineering, Windows bugs and remote administration tools (RATs) to guarantee success. The catch is none of the tactics were particularly sophisticated, said researchers at security software provider McAfee, which uncovered the assault emanating from China and consisting of covert attacks targeting oil, energy and petrochemical companies as far back as November 2009.

These attacks spread across the world.

“(The attacks) were very successful,” said Dmitri Alperovitch, vice president of threat research at McAfee Labs. The information the hackers obtained had huge value to competitors.

That information included financial documents related to oil and gas field exploration and bid negotiations, as well as operational details on oil and gas field production supervisory control and data acquisition (SCADA) systems. That attack showed security needs to be strong from the field all the way through the enterprise. You never know where the attack could occur.

In the Night Dragon case, the attackers compromised perimeter security through SQL injection attacks on extranet web servers; targeted spear-phishing attacks aimed at mobile workers’ laptops, and took control of corporate VPN accounts.

“Once the initial system was compromised, the attackers compromised local administrator accounts and Active Directory administrator (and administrative users) accounts,” according to the McAfee report on Night Dragon. “The attackers often used common Windows utilities and other publicly available software … to establish ‘backdoors’ through reverse proxies and planted Trojans that allowed the attackers to bypass network and host security policies and settings. Desktop antivirus and anti-spyware tools were also disabled in some instances — a common technique of targeted attacks.”

Using password tracking and pass-the-hash tools, the attackers gained additional usernames and passwords. In addition, they used malware to connect to other machines and swipe email archives and documents belonging to executives.

That is why, especially for the oil and gas industry, communications need to be secure and robust.

Security Challenge
The oil and gas industry has a tough challenge. Industry players need to deploy state-of-the-art technology to aggressively compete for and retain customers, increase profits and productivity while corralling legacy systems and applications running on disparate, proprietary networks. That all adds up to the potential for an interoperability, visibility, and security nightmare.

As oil and gas companies push toward more sophisticated technologies to hike business intelligence necessary to predict fluctuating demand, reduce refining turnaround times, and effectively manage and distribute fuels by identifying profit opportunities upstream and downstream, they need to find cost effective ways to rethink legacy systems. The trend is to move toward open, standards-based architectures that enhance interoperability, security, performance, reliability, and affordability. Whether it is upstream at the well site or downstream at the refinery, everyone at the company needs to be on the same page working as one to achieve business objectives.

In short, these companies are seeking a secure, connected end-to-end enterprise that can speed deployment of applications by eliminating technology silos, manual processes, and unrelated management systems.

This new network paradigm needs to be able to support systems that allow for data sharing. At the same time, these companies need to cut down on complexity and the costs on IT with an integrated network that allows for data privacy and security.

Big Picture
From a macro perspective, fossil fuels make up 83% of energy used in the United States, according to the U.S. Energy Information Administration. In the U.S. alone, there are 150 refineries, 200,000 miles of oil pipelines and 2 million miles of gas pipelines. From a global perspective, the oil and gas industry’s level of importance remains at a heightened level. Just take a look at growing countries vying for more energy like China, Brazil and India. Add on top of that the energy demands from developing nations continue to add more intrigue into the global power scenario.

For the most part, SCADA and Distributed Control Systems (DCS) control the networks to help provide an uninterrupted supply of energy. These formerly isolated networks now connect with business networks and the Internet. This connection brought the isolated control networks into the volatile IT realm where cyber vulnerabilities can crop up at any time and where hackers could potentially get in and take over a network, cause damage, or hold the system hostage.

These cyber vulnerabilities leave oil and gas companies susceptible to exploitation, attack and loss of proprietary information. Year over year, as has been reported in ISSSource.com, the industry is losing over $20 billion in safety and security related incidents.

Cyber incidents don’t always come from outside attacks; whether on purpose or by accident, insiders some times perform the dirty deed themselves either through design faults, employee errors, firewall misconfigurations, tardy software updates or just circumventing security plans. Any one of these “attacks” can have a huge effect on oil and gas process control systems.

Tunneling via OPC UA ensures secure communications from the field.

To effectively meet regulatory compliance, guarantee uninterrupted service, and ensure proper information from upstream to downstream operations is coming to the appropriate decision makers, companies must address their overall security posture with adequate measures from the field all the way up through the enterprise.

Product Level
For oil and gas companies, it all starts with the product they are pulling out of the ground. There is a critical need to pull timely and accurate data from the site and get it securely in the hands of decision makers.

Planning future drilling, optimizing production, and managing well reserves and spot gas supplies are more important now than ever. Just how can a company go out and make the best business decisions, save money and increase profitability?

Executives at one oil and gas exploration and production company, who requested anonymity, asked those very questions and decided it was time for a change. They decided on creating a new automation program to move their outsourced process control and data acquisition management operations in-house.

They needed workers to be able to gain access to vital information from a fully integrated, web-enabled production automation system that allowed a view to real-time and accumulated data from each well. Field operators needed access, of course, but so did engineering, gas/data gathering teams, and regional and executive management. It was all about empowerment; giving the various teams and departments the potential to recognize trends and identify any problem areas so they can achieve optimal production levels and greater profitability.

With the help of their system integrator, Louisiana-based Failsafe Controls, they were able to develop a web-enabled application to monitor 1,800 well sites and 120,000 I/O points across their principal reserves and producing properties in Arkansas, Louisiana, New Mexico, Oklahoma, Texas, Utah, and Wyoming, and Canada.

They came up with an integrated SCADA system that would continuously collect data from each well, create timely and accurate electronic reports and store current and historical data that workers could access from the field or anywhere via a standard web browser. The system monitored flow for all 1,800 well sites and seamlessly integrated data into the existing communications infrastructure.

True Costs
Outsourcing sometimes is a cost benefit, but if you look below the superficial labor and benefit cost scenario, you can find the true outlay for the company. The oil and gas company estimated if they purchased the devices and equipment originally supplied by the outsourced service company, they would realize significant savings and a quick ROI. They calculated their field supervisors and engineers would be able to more efficiently coordinate field activities and target the areas where they should place workers. On top of that, management was able to gain better and faster information to manage oil and gas fields as well as track aggregate production over time.

The web-based application allowed for bi-directional access to data via OPC UA; cross-platform service oriented architecture for process control that enhances security and interoperability.

With hardware used from a cross-section of vendors to monitor gas/liquid flow rates, pressures and temperatures, the OPC server was able to gain access to all the devices to integrate and communicate with historians, the SCADA system and other OPC-enabled applications.

The flow computers measured and stored raw flow rate parameters and used this data with gas flow equations to calculate and store the raw flow meter data into volumes. The flow computers also recorded events and alarms related to the flow meter (for example, loss of flow, loss of required electrical signals from transducers, or readings of these electrical signals near their upper or lower range). It also kept a running tally of the volume for each flow meter it monitored and was able to report the volume on an hourly, daily or monthly basis; the capability known as EFM (Electronic Flow Measurement).

In addition, the company had PLCs (Programmable Logic Controllers) and RTUs (Remote Terminal Units) of various brands at 30 compressor stations along their pipelines (The RTUs connect to the SCADA system and monitor the status of the wells at these control stations. Control occurs at the local stations which then generate reports that users can access throughout the enterprise.

The main servers, which do the polling and collection of data, are at headquarters where IT can manage them. Management can access the data from any computer or via their smartphones or tablets by accessing HMI/SCADA client screens created via the mobile module. In addition, the company set up redundant servers to ensure uninterrupted service.

Getting the secure data from the field to the main servers involved a process called tunneling.

This is where the OPC DA and UA Client Drivers and the OPC UA Server interface provide a secure OPC Tunneling solution. The OPC DA Client Driver can connect to any 3rd party OPC Data Access (DA) Server and make the data available. This setup enabled the company to provide a communications tunnel between computers to transfer data securely. It also provided higher performance and deterministic failure modes, eliminating any reliance on the antiquated Microsoft COM and DCOM technology.

The oil and gas exploration and production company managed its operations through a single OPC Server, which allowed for consistency and reliability, while cutting down on the number of third-party communication servers. Other bonuses were that a single source gathering data for client applications helps cut down on network traffic, device and system resource usage, and data inconsistencies.

“The ability for management to view this data in so many different ways has made a big difference,” said Albert Lambert, web automation architect at Failsafe Controls. “OPC UA makes this possible. It’s easy to set up and you don’t have to worry about the DCOM settings in the computers making the data more secure.”

Security does not have to be complicated for the end user, but it does have to be robust enough to get data to the right people when they need it. In the competitive oil and gas market, it is time to slay the dragon by ensuring secure communications from the field all the way up to the boardroom.

Gregory Hale is the Editor and Founder of Industrial Safety and Security Source, ISSSource.com.

Leave a Reply

You must be logged in to post a comment.