Attacks/Breaches | Commentary

1/8/2016, 10:30 AM
Susan Peterson

Lessons Learned About Critical Infrastructure: What's Good Enough?

Over the past decade, oil and gas companies have invested significant resources in security management, but there are sizable challenges ahead in people and processes.

With massive operational and reputational costs on the line, oil and gas operators recognized the need for security programs a decade ago and implemented them. The industry has made great strides, but the complexity of the operating environment still presents sizable challenges to most operators.

Recently, I had dinner with a respected colleague who is a recognized leader in oil and gas security, having worked in the space for more than a decade. I asked him what, if anything, he would have done differently from the beginning.

He said, “First, I would have spent less time on educating the C-Suite and more time with folks on the ground floor. Second, I would have spent more time on secure supply chain, making certain we were purchasing products with security designed in.”

While I expected to hear about specific technologies, his response really resonated with me.

Managing complexity

With an increasing number of connected devices and two very different operating environments, information technology (IT) and operational technology (OT), the energy sector's greatest security challenges and opportunities today stem from people and process rather than from any single technology.

In the past year, one-third of critical infrastructure operators believed their control system assets or networks had been breached more than twice, and 44 percent were unable to identify the source of the intrusion, according to the SANS Institute.

Oil and gas organizations face huge risks associated with industrial control system vulnerabilities. One company calculated that the failure of one of its control systems' human machine interfaces (HMIs), and the resulting two days of downtime, would cost the organization an estimated $12 million in lost production alone, never mind damage to physical assets and risks to human safety. When a floating production, storage and offloading (FPSO) operation has 80 or more HMIs from disparate suppliers, each with its own patch cadence and access model, the security requirements and risks become even more complex.

Oil and gas leadership and investors understand that their cost of capital, and their ability to complete critical projects, are conditional on their ability to withstand a security attack and minimize the impact of a breach. Unlike some companies in the highly regulated utilities sector, oil and gas organizations have already invested significant resources in developing industry standards that determine how best to manage security challenges and solutions. Industry executives are now looking for security solutions that provide transparency and compliance, and that support the standards that guide continued profitable growth in this uncertain environment.

A common language and approach

While risk management is a core practice and priority for oil and gas, many companies still struggle to define what is "good enough" when it comes to security practices protecting assets such as gas turbine and compressor controls. These assets have a life span of a decade or longer, require continuous operation, and are therefore more exposed than machines that receive regular updates and patching during frequent maintenance shutdowns: a patch window for a compressor control may come only once a year, if at all.

Operators also need full transparency so they can verify that the technology they implement is protecting digital assets effectively, and that it complies with their company’s security policies and industry standards.

In 2015, the International Electrotechnical Commission (IEC), in collaboration with major oil and gas organizations including Shell, BP and Chevron, developed the IEC 62443 series of security standards for industrial automation and control systems to help the industry better understand the practices that make up a robust security program. The energy sector needs a pragmatic and efficient way to address security concerns, and IEC 62443 helps define a common language and approach.

These standards also help reduce the risk of investing too heavily in a single security control, be it network segmentation or monitoring, at the expense of security needs across the rest of the OT environment. Instead, the IEC standards help organizations evaluate security controls in the context of their operational workflow and maintain them through a holistic security approach and program.

The talent gap

As my colleague noted, one underestimated component of security is training and awareness. While it seems obvious, a focus on people also addresses another challenge the industry is facing: a talent gap. A large portion of the oil and gas workforce is nearing retirement, and security in this industry requires a unique combination of engineering and cyber experience, which is scarce and highly sought after. As the talent gap widens, these organizations will need to become more aggressive about providing training programs and opportunities for continued education in order to develop the workforce they require and to help non-technical staff understand how their actions affect security.

With long-life assets that must be maintained and patched while in operation, oil and gas organizations will also benefit from giving their suppliers clear guidance on the security controls they expect to see in projects. Efforts to secure the supply chain require oil and gas procurement organizations to clearly distinguish OT security needs from IT security needs, so that both environments are able to withstand cyberthreats.

The oil and gas industry faces a 20-year technical debt that can't be repaid overnight. But continued collaboration within the energy industry on how to address the talent gap and secure the supply chain could go a long way toward accelerating the next phase of the industry's security journey.

Susan is the Product Security Leader of GE Oil + Gas. In this role, she is responsible for driving a comprehensive product security program for the business, together with stakeholders in engineering, supply chain, services, sales and product line management. Susan joined Oil ...