How To Defend Against A Cyber Attack

Transcription

1 As appears in: Cybersecurity - more than just a good firewall by Jim Fererro, Senior Vice President, GlobaLogix (8/4/2013) In seemingly too short a timespan, energy industry cyber threats have escalated from scams to disruptive malware to major cyber attacks that present extraordinary dangers to the world's oil supply and demonstrate how ill-equipped oil and gas companies are to combat the growing and tenacious hacker menace. Ex-FBI head, Louis Freeh, recently warned, "Hackers (of) the US infrastructure could do more damage than attackers of 9/11". News making cyber attack examples in the oil and gas industry include: * In 2008, three major oil companies were hacked, with educated guesses naming the Chinese at fault, resulting in a sizeable outflow of proprietary information, the extent of which was not even known by the companies until apprised by national law enforcement (FBI). * In 2011, a major oil company's IT manager warned participants at a Middle East energy conference about cyber threats, stating the company had undergone numerous attacks (criminal and commercial), with no indication of the problem easing or stopping (and the corporate headaches it is causing). * In 2012, a cyber attack characterized as the most devastating ever conducted against one company, 30,000 of Saudi Aramco's computers were hacked in a failed effort to halt its oil and gas production. Cybersecurity. 1 P a g e

2 And the list continues growing, as more than 40% of the world's cyber attacks on critical infrastructure is directed at oil and gas companies. At the root of the problem and what has attracted hackers to oil and gas is the potential to bring an entire country to a standstill by targeting SCADA (Supervisory Control and Data Acquisition). In an evolutionary process, companies have moved from proprietary technologies to more standardized/open solutions. Tied in with more connections between SCADA systems, office networks, and the Internet, are virtually open-ended vulnerabilities that did not exist before. From realtime monitoring in downhole operations to field data capture, SCADA plays a pervasive role in today's upstream sector while being subject to two distinct threats. One is the threat of unauthorized access to the company's control software, which can be via human access or viruses. The second is the threat of packet access to network segments hosting SCADA devices, which is potentially destructive, too. In the latter case, companies typically overlook the too-common hacker ability to bypass both firewall and VPN security. industry examples With technological capabilities providing unparalleled avenues to increase efficiencies and reduce downtime while both increasing productivity and downtime, the industry will not suddenly stop using these common strategic tools. However, cybersecurity has become a more critical component in achieving company profitability goals through leveraging technology. Externally, many SCADA vendors have tackled cyber risks with development of specialized industrial firewall and VPN solutions for TCP/IP-based networks, plus external SCADA monitoring and recording equipment. Additionally, the ISA Security Compliance Institute (ISCI) has formalized SCADA testing. However, one of the biggest problems in getting companies to address the cybersecurity threat is the common perception that only large oil and gas companies or mid-size independents should be concerned because hackers have no interest in attacking small companies. Borrowing from computer language, this could be a fatal error in executive/management thinking. With so many hackers working 24/7 worldwide, each is simply looking for any cyber opportunity to disrupt and/or destroy. 2 P a g e

3 Another major cybersecurity problem common to oil and gas companies is the idea that no viable solution exists, which fortuitously is wrong again. In fact, a multi-part plan can be put in place to take companies from cyber-vulnerable to more cyber-safe. The key begins with evaluating and assessing a company's preparedness i.e., determining risks and vulnerabilities in the network and SCADA systems not just once but periodically. This provides an ongoing roadmap for designing the network and SCADA system with contingency planning and prioritized countermeasures. Jim Fererro. Next plan to defend against a cyber attack beginning by going beyond total reliance on a firewall. Firewalls only protect against attacks that have been identified using known types of attacks. Therefore, they typically offer little protection against Zero-Day attacks, which are the first incidence of a new type of cyber attack. If never seen before, programming a firewall to defend against such an attack is difficult. Thus, a Zero Day attack defense needs to be more sophisticated and can involve totally re-designing a company's network architecture. One approach is, if the company's SCADA data is in a single-server room, opt for a distributed Cloud platform that does not "put all your eggs in one basket." Alternately, utilize new types of software to identify anomalies in data packets and transmissions and alarms on unusual activity that might flag an attack. Next, plan to respond to a cyber attack. In what may seem a simplistic strategy, but actually works, once a hack is in place, a company can shutdown or sequester the attack so no further damage is done and no technological controls are affected. This is pointedly not a suggestion for aggressive offensive attacks but reacting to the detection. For example, in the Saudi Aramco attack, the so-called Shamoon virus prompted the company to shutdown communications for everyone in the organization for a significant period. Although most western companies may not have the authority or ability to emulate that action, being headquartered in a sovereign nation it was an option that Saudi Aramco could and did take. The shutdown had a very negative effect on productivity but the virus itself was effectively isolated and handled. Following the cyber defense, companies may need to plan to report the incursion. While this aspect is applicable only to public companies under jurisdictions that may require it, reporting is nevertheless part of an overall cybersecurity strategy that companies of all sizes, public or private and in any oil-producing region, should heed. The plan to report all incursions to upper management and boards of the companies is a reasonable practice. However, not all company CEOs can confidently say that they are made aware of all incursions. In the US, California is an example of a state having a regulation that companies which are hacked must report the occurrence to all parties with whom they have been conducting business, alerting them of possible infection. And companies should plan for litigation defense, too. In countries such as the US with many stringent regulations, as with Sarbanes Oxley reporting requirements, in identifying risks a company must address litigation as one of the risks and the potential costs. 3 P a g e

4 Cybersecurity. Finally, companies must plan to comply. Behind this recommendation is that companies typically, not just with cybersecurity, tend to postpone planning their compliance. Instead, they think that regulations will continually change and subsequently that fluidity makes any plans obsolete - so planning is supposedly a moot point. Yet in an environment where it clearly appears that cyber attacks will only grow in volume and severity, that mindset can be lethal. Most regulations and standards involve frameworks for defense. Purposely not specific, these direct the types of activities that should be followed and are good practice guidelines. With cyber threats to the oil and gas industry becoming so profound, governmental and industry organizations are not waiting on companies to lead the way. In the US, the Department of Homeland Security, NIST, and the American Petroleum Institute (API) are actively working to prepare standards that will become recognized by industry. Some observers believe that 2014 may be a watershed year for developing regulations, standards, and possibly legislation that will drive the industry's collective defense against damaging hackers. At the individual company level, if executives are not taking defense action ahead of the curve, the scenario ahead is all too clear. Either they fund evaluation/assessment and begin making corner-office decisions in preparation for the potential havoc that is coming. Or they wait until they are victimized by hackers, have to play catch-up and, thus, not be in control during the interim period of getting up to speed. 4 P a g e

5 If companies do want to "do the right thing," but find themselves either lacking in terms of people (HR) or faced with a limited budget they should look outside the organization for vendors who do the work both expertly and cost-effectively. If they consider that as self-serving external advice they should ask themselves if they would use internal accountants to perform required regulatory audits. Only a rare executive would say the contrary. Cybersecurity is not only a very real threat, it can be devastating for a company of any size and should be proactively addressed now rather than later. Basic firewalls and canned software alone are emphatically not the answer. OGI Homepage I Contact Us Publication courtesy of Oil and Gas International 5 P a g e