1/8/2016
10:30 AM
Susan Peterson
Commentary

Lessons Learned About Critical Infrastructure: What's Good Enough?

Over the past decade, oil and gas companies have invested significant resources in security management, but there are sizable challenges ahead in people and processes.

With massive operational and reputational costs on the line, oil and gas operators recognized the need for, and implemented, security programs a decade ago. The industry has made great strides, but the operating environment’s complexity still presents sizable challenges to most operators.

Recently, I had dinner with a respected colleague who is a recognized leader in oil and gas security, having worked in the space for more than a decade. I asked him, “What, if anything, would you have done differently from the beginning?”

He said, “First, I would have spent less time on educating the C-Suite and more time with folks on the ground floor. Second, I would have spent more time on secure supply chain, making certain we were purchasing products with security designed in.”

While I expected to hear about specific technologies, his response really resonated with me.

Managing complexity

With an increasing number of connected devices and two unique operating environments – information technology (IT) and operational technology (OT) – the energy sector’s greatest challenges and opportunities for security today stem from people and process.

In the past year, one-third of critical infrastructure operators believed their control system assets or networks had been breached more than twice, and 44 percent were unable to identify the source of infiltration, according to the SANS Institute.

Oil and gas organizations face huge risks associated with industrial control system vulnerabilities. One company calculated that the failure of one of its control system's “human machine interfaces” (HMIs) and the resulting downtime of two days would cost the organization an estimated $12 million in lost production alone, never mind damage to physical assets and risks to human safety. When a floating production storage and offloading operation has 80 HMIs or more from disparate suppliers, the security requirements and risks become even more complex.

Oil and gas leadership and investors understand that the cost of capital and their ability to complete critical projects are conditional on their ability to withstand a security attack and minimize the impact of a breach. Unlike some companies in the highly regulated utilities sector, oil and gas organizations have already invested significant resources in developing industry standards to determine how best to manage security challenges and solutions. Industry executives are now looking for security solutions that provide transparency and compliance, and that support the standards that provide guidance to assure continued profitable growth in this uncertain environment.

A common language and approach

While risk management is a core practice and priority for oil and gas, many companies still struggle to define what is good enough when it comes to security practices protecting assets such as gas turbine and compressor controls that have a life span of a decade or longer, require continuous operation, and are more vulnerable than other machines that receive regular updates and patching during frequent maintenance shutdowns. 

Operators also need full transparency so they can verify that the technology they implement is protecting digital assets effectively, and that it complies with their company’s security policies and industry standards.

In 2015, the International Electrotechnical Commission (IEC), in collaboration with major oil and gas organizations, including Shell, BP and Chevron, developed security standards, IEC 62443, for industrial automation and control systems to help the industry better understand best practices surrounding robust security programs. The energy sector needs a pragmatic and efficient way to address security concerns, and IEC 62443 helps define a common language and approach.

These standards will also help reduce the risk of investing too heavily in a sole security control, be it network segmentation or monitoring, which may ignore security needs across the entire spectrum of an OT environment. Instead, the IEC standards help organizations evaluate security controls in the context of their operational workflow and maintain them through a holistic security approach and program.

The talent gap

As my colleague noted, one underestimated component of security is training and awareness. While it seems obvious, a focus on people solves another challenge the industry is facing – a talent gap. A large portion of the oil and gas workforce is nearing retirement, and security in this industry requires a unique background of both engineering and cyber experience, which is a scarce commodity and highly sought after. As the talent gap widens, these organizations will need to become more aggressive about providing training programs and opportunities for continued education in order to develop the workforce they require and help non-technical staff understand how their actions impact security.

With long-life assets that require maintenance and real-time patching, oil and gas organizations will also benefit by providing their suppliers with clear guidance on the security controls they expect to see in projects. Efforts to secure their supply chain require oil and gas procurement organizations to clearly distinguish OT security needs from IT security needs to ensure both environments are able to withstand cyberthreats.

The oil and gas industry faces a 20-year technical debt that can’t be recovered overnight. But continued collaboration within the energy industry about how to address the talent gap and secure the supply chain could go a long way in accelerating the next phase of the industry’s security journey.

Susan is the Product Security Leader of GE Oil + Gas. In this role, she is responsible for driving a comprehensive product security program for the business, together with stakeholders in engineering, supply chain, services, sales and product line management. Susan joined Oil ...