Attacks/Breaches
1/8/2016
10:30 AM
Susan Peterson
Commentary

Lessons Learned About Critical Infrastructure: What’s Good Enough?

Over the past decade, oil and gas companies have invested significant resources in security management, but there are sizable challenges ahead in people and processes.

With massive operational and reputational costs on the line, oil and gas operators recognized the need for security programs a decade ago and implemented them. The industry has made great strides, but the operating environment’s complexity still presents sizable challenges to most operators.

Recently, I had dinner with a respected colleague who is a recognized leader in oil and gas security, having worked in the space for more than a decade. I asked him what, if anything, he would have done differently from the beginning.

He said, “First, I would have spent less time on educating the C-Suite and more time with folks on the ground floor. Second, I would have spent more time on secure supply chain, making certain we were purchasing products with security designed in.”

While I expected to hear about specific technologies, his response really resonated with me.

Managing complexity

With an increasing number of connected devices and two very different operating environments – information technology (IT) and operational technology (OT) – the energy sector’s greatest security challenges and opportunities today stem from people and process.

In the past year, one-third of critical infrastructure operators believed their control system assets or networks had been breached more than twice, and 44 percent were unable to identify the source of the infiltration, according to the SANS Institute.

Oil and gas organizations face huge risks associated with industrial control system vulnerabilities. One company calculated that the failure of one of its control system's “human machine interfaces” (HMIs) and the resulting downtime of two days would cost the organization an estimated $12 million in lost production alone, never mind damage to physical assets and risks to human safety. When a floating production storage and offloading operation has 80 HMIs or more from disparate suppliers, the security requirements and risks become even more complex.

Oil and gas leadership and investors understand that their cost of capital, and their ability to complete critical projects, is conditional on their ability to withstand a security attack and minimize the impact of a breach. Unlike some companies in the highly regulated utilities sector, oil and gas organizations have already invested significant resources in developing industry standards to determine how best to manage security challenges and solutions. Industry executives are now looking for security solutions that provide transparency and compliance, and that support the standards that offer guidance for continued profitable growth in this uncertain environment.

A common language and approach

While risk management is a core practice and priority for oil and gas, many companies still struggle to define what is “good enough” when it comes to security practices protecting assets such as gas turbine and compressor controls. These assets have a life span of a decade or longer, require continuous operation, and are more vulnerable than other machines that receive regular updates and patching during frequent maintenance shutdowns.

Operators also need full transparency so they can verify that the technology they implement is protecting digital assets effectively, and that it complies with their company’s security policies and industry standards.

In 2015, the International Electrotechnical Commission (IEC), in collaboration with major oil and gas organizations including Shell, BP and Chevron, developed the IEC 62443 series of security standards for industrial automation and control systems to help the industry better understand best practices surrounding robust security programs. The energy sector needs a pragmatic and efficient way to address security concerns, and IEC 62443 helps define a common language and approach.

These standards will also help reduce the risk of investing too heavily in a single security control, be it network segmentation or monitoring, at the expense of security needs across the entire spectrum of an OT environment. Instead, the IEC standards help organizations evaluate security controls in the context of their operational workflow and maintain them through a holistic security approach and program.

The talent gap

As my colleague noted, one underestimated component of security is training and awareness. While it seems obvious, a focus on people also addresses another challenge the industry is facing – a talent gap. A large portion of the oil and gas workforce is nearing retirement, and security in this industry requires a unique background of both engineering and cyber experience, which is a scarce commodity and highly sought after. As the talent gap widens, these organizations will need to become more aggressive about providing training programs and opportunities for continued education, in order to develop the workforce they require and to help non-technical staff understand how their actions affect security.

With long-life assets that require maintenance and real-time patching, oil and gas organizations will also benefit by providing their suppliers with clear guidance on the security controls they expect to see in projects. Efforts to secure their supply chain require oil and gas procurement organizations to clearly distinguish OT security needs from IT security needs to ensure both environments are able to withstand cyberthreats.

The oil and gas industry faces a 20-year technical debt that can’t be recovered overnight. But continued collaboration within the energy industry on how to address the talent gap and secure the supply chain could go a long way toward accelerating the next phase of the industry’s security journey.

Susan is the Product Security Leader of GE Oil + Gas. In this role, she is responsible for driving a comprehensive product security program for the business, together with stakeholders in engineering, supply chain, services, sales and product line management. Susan joined Oil ...