Mapping challenges in the cyber battle
A thorough plan of action to ward off cyber threats has never been more important, says Francisco Salcedo
The need to prepare for the risks associated with cyberattacks on the oil and gas industry will not abate in 2015. Cyberattacks are expected to increase in both number and sophistication of execution.
The oil and gas industry is going through major changes due to the business needs, as well as other factors. Oil prices have fallen by 50% over recent months and natural gas prices are following suit.
At the same time, supply is abundant, and exploration and energy companies are closing certain facilities to reduce supply and increase efficiency.
In addition, oil and gas companies need access to information and demand visibility into their global operations to manage the complexities inherent in technology silos and business supply chain structures.
The industrial automation and control systems that monitor and control the physical processes in this industry are termed Operational Technology (OT).
Until recently, these mission-critical systems, specifically Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS), were kept isolated from the Internet and the corporate LAN.
However, the adoption by SCADA and DCS of the same operating systems used on ordinary office networks, together with the demand for business insight and the requirement for remote network access, has changed this traditional approach. As a result, the oil and gas industry has started integrating its OT and enterprise IT networks.
However, with this integration comes the greater challenge to implement a foolproof Information Security strategy.
Over the past decades, the oil and gas sector has been the target of well-known cyberattacks. The attack on Saudi Aramco is infamous, bringing down 30,000 computers and causing major disruption.
The corporate computer systems and website of RasGas, one of the world’s largest Liquefied Natural Gas (LNG) suppliers, were taken offline by a virus attack just days after the Aramco assault in 2011. In June 2014, the National Security Authority Norway revealed that 300 companies in the oil sector had been hacked.
According to Ponemon Institute’s “2014 Cost of Data Breach Study: Arabian Region” report, the average total cost of a data breach was $3.11mn. The report also states that 50% of the companies surveyed reported malicious insiders as the root cause of their data breach.
Other major causes reported were system glitches, business process failures and targeted attacks. Today, there are sophisticated networks of highly skilled “hacktivists” who are not only interested in stealing data, but who also want to create highly visible incidents that damage a company’s reputation. Taking control of a company’s OT and disrupting operations is one way to do that.
In today’s environment, a traditional approach does not suffice. Traditional solutions such as IDS/IPS and anti-virus focus on the vulnerability component of risk, and a traditional incident response strategy assumes that an intrusion has already succeeded. The evolution in the purpose and complexity of recent attacks and breaches shows that this traditional defense is ineffective against sophisticated and persistent attacks.
Today’s adversaries are well-resourced and skilled, and they carry out attacks using advanced tools and techniques. An intelligence feed that provides insight into attack methodologies and knowledge of the adversaries behind them helps companies considerably reduce the likelihood that subsequent intrusion attempts succeed.
The evolution of advanced persistent threats (APT) necessitates the adoption of an intelligence-based model. Using this approach, defenders mitigate not just the vulnerability component of risk but the threat component too. In recent years, some companies have started subscribing to different sources and vendors for “intelligence” feeds.
The objective is to improve visibility and the ability to anticipate attacks using such feeds. In reality, however, the feeds add overhead for Information Security teams, who are presented with an overwhelming volume of data and face the challenge of deciphering and processing it into meaningful intelligence and subsequent remedial actions.
What is needed is a solution that can consolidate all these feeds from different sources, whether endpoint-level data, network-level data or trend data.
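As an added illustration of what such consolidation involves (this is example code, not the author's or any vendor's), the script below normalises three differently shaped feeds into one indicator set. The feed formats, field names, source labels and the small sample records are all constructed assumptions; the confidence values and scoring weights are illustrative, not a published standard. The point it makes in code is the one made above: an indicator corroborated by several independent feeds, or already sighted on an internal host, deserves attention before a lone low-confidence entry.

```python
"""Consolidate endpoint, network and trend intelligence feeds into one ranked worklist.
Hypothetical example: feed shapes, field names and records below are constructed."""
import csv
import io
import json
from dataclasses import dataclass, field

# --- Constructed sample feeds (placeholder values, not real indicators) ---------------
ENDPOINT_FEED = """\
{"host": "hmi-01", "sha256": "AAAA1111", "seen": "2015-01-10T08:15:00Z", "verdict": "malicious"}
{"host": "eng-ws-07", "sha256": "aaaa1111", "seen": "2015-01-12T17:40:00Z", "verdict": "malicious"}
{"host": "eng-ws-07", "sha256": "bbbb2222", "seen": "2015-01-12T17:41:00Z", "verdict": "suspicious"}
"""
NETWORK_FEED = """\
indicator,type,first_seen,confidence
203.0.113.5,ip,2015-01-09,70
bad-updates.example,domain,2015-01-11,85
198.51.100.20,ip,2015-01-13,40
"""
TREND_FEED = """\
[{"ioc": "BAD-UPDATES.example", "kind": "domain", "score": 0.6, "campaign": "constructed-campaign-A"},
 {"ioc": "aaaa1111", "kind": "sha256", "score": 0.8, "campaign": "constructed-campaign-A"},
 {"ioc": "203.0.113.5", "kind": "ip", "score": 0.3, "campaign": "constructed-campaign-B"}]
"""
VERDICT_CONFIDENCE = {"malicious": 0.9, "suspicious": 0.5}   # assumed mapping for the endpoint feed


@dataclass
class Indicator:
    itype: str
    value: str
    sources: set = field(default_factory=set)    # which feeds reported it
    hosts: set = field(default_factory=set)      # internal hosts where it was sighted
    campaigns: set = field(default_factory=set)
    first_seen: str = ""                         # ISO-8601 strings compare lexicographically
    last_seen: str = ""
    confidence: float = 0.0                      # highest confidence any single feed gave

    def score(self) -> float:
        # Corroboration by independent feeds outweighs any one feed's confidence; a sighting
        # on an internal host adds a fixed bonus because the indicator is already inside.
        return len(self.sources) + self.confidence + (1.0 if self.hosts else 0.0)


def parse_endpoint(text):
    """NDJSON endpoint feed -> common record dicts."""
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        yield {"type": "sha256", "value": rec["sha256"], "source": "endpoint", "seen": rec["seen"],
               "confidence": VERDICT_CONFIDENCE.get(rec["verdict"], 0.0),
               "host": rec["host"], "campaign": None}


def parse_network(text):
    """CSV network feed with confidence 0-100 -> common record dicts."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {"type": row["type"], "value": row["indicator"], "source": "network",
               "seen": row["first_seen"], "confidence": int(row["confidence"]) / 100,
               "host": None, "campaign": None}


def parse_trend(text):
    """JSON-array trend feed -> common record dicts."""
    for rec in json.loads(text):
        yield {"type": rec["kind"], "value": rec["ioc"], "source": "trend", "seen": "",
               "confidence": float(rec["score"]), "host": None, "campaign": rec.get("campaign")}


def consolidate(*record_iters):
    """Merge records from any number of feeds into one Indicator per (type, value)."""
    merged = {}
    for records in record_iters:
        for rec in records:
            key = (rec["type"], rec["value"].lower())    # hashes and domains are case-insensitive
            ind = merged.setdefault(key, Indicator(*key))
            ind.sources.add(rec["source"])
            ind.confidence = max(ind.confidence, rec["confidence"])
            if rec["host"]:
                ind.hosts.add(rec["host"])
            if rec["campaign"]:
                ind.campaigns.add(rec["campaign"])
            if rec["seen"]:
                ind.first_seen = min(ind.first_seen, rec["seen"]) if ind.first_seen else rec["seen"]
                ind.last_seen = max(ind.last_seen, rec["seen"])
    return merged


def prioritize(merged, min_sources=1):
    """Highest score first, most recent sighting breaking ties; optionally require corroboration."""
    kept = [i for i in merged.values() if len(i.sources) >= min_sources]
    return sorted(kept, key=lambda i: (i.score(), i.last_seen), reverse=True)


def build_worklist():
    merged = consolidate(parse_endpoint(ENDPOINT_FEED), parse_network(NETWORK_FEED), parse_trend(TREND_FEED))
    return [(i.itype, i.value, sorted(i.sources), round(i.score(), 2)) for i in prioritize(merged)]


if __name__ == "__main__":
    for row in build_worklist():
        print(row)
```

With the sample data, the hash seen on two internal hosts and also named by the trend feed ranks first, the domain corroborated by two feeds ranks above the endpoint-only suspicious hash, and the single-source, low-confidence IP ranks last; raising `min_sources` to 2 is one way to cut the volume of single-feed noise the text complains about.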
What is needed is a holistic approach; this comprises implementing an Information Security framework across the company, creating security policies and processes and implementing technological solutions adhering to these policies across users, applications, systems, hosts, networks and physical layers.
Mechanisms to adopt a holistic approach include:
- Adopting Continuous Risk Management
To maintain an improved security posture, it is highly recommended to practise a continuous cycle: assess risk, review the assessment findings, implement security controls in view of the risks deemed acceptable, and keep assessing threats and vulnerabilities to combat the ever-evolving security risks in a business environment.
- Ensuring the security triad – Availability, Integrity and Confidentiality
The oil and gas industry was built with accessibility at its core. Therefore, the priority was for accessibility and not for confidentiality and integrity. However, the integration between the IT and OT changes this very nature of OT, which is now exposed to various vulnerabilities and threats affecting confidentiality, integrity and availability.
- Acquiring intelligence on the adversary campaigns can help build a better defense
Oil & gas should adopt mechanisms that address the threat components of risk, including analysis of adversaries, their methodologies, targets, and limitations. This is a continuous process discovering new malicious activities and their trends.
- Employing Persistent Vulnerability Assessment and Penetration Testing (P-VA & PT)
The traditional approach is for an organisation to perform a VA & PT once a quarter or twice a year. With a Persistent VA & PT approach, an enterprise continuously gains knowledge of current threats and vulnerabilities, takes remedial steps on a priority basis and achieves continuous improvement of security in IT and OT. It also helps to track risk levels through metrics and to save time and money by addressing risks before they materialise.
- Inculcating security awareness and training
As the saying goes, “You are only as strong as your weakest link”; an organisation’s security posture is only as good as its weakest link. Research reports and root cause analyses of incidents indicate that the better the awareness of internal staff, the easier it is to deploy and maintain an improved security posture.
About the author:
Francisco Salcedo is the senior vice president of Digital Services at Etisalat