Comment: ICS Analysis: Critical concerns
Doug Wylie, director of SANS Institute’s Industrials & Infrastructure Practice Area, provides an overview of the current cyber security threats to industrial control systems
Cyber security breaches have rarely been out of the news in recent years and organisations of all sizes, across all industries and sectors, are falling victim. The threat is nowhere more apparent however, than in sectors such as oil and gas, and critical infrastructure that are reliant on industrial control systems (ICS) to maintain the smooth running of their operations.
A recent SANS report found that four out of 10 ICS practitioners lack adequate visibility into their networks to monitor assets and operations and to identify potential threats. This leaves them at risk of being unable to recognise and defend against cyber-attacks, putting critical infrastructure at risk.
Oil and gas: cyber security of critical concern
Cyber security is a critical area for concern within the oil and gas industry, where the range of potential threats is far wider and carries far more severe consequences than in other key industries. Disruption, damage and destruction from digital attacks have all emerged as real-world consequences the industry must now combat.
While not necessarily seen as a ‘cool high-tech’ industry, oil and gas remains absolutely pivotal to the functioning of the world we live in. These industries enable and support the infrastructure of society and the worldwide economy, so we have to ask the question: why are they so difficult to protect, and therefore vulnerable to attack from cyber criminals?
According to the Repository of Industrial Security Incidents (RISI), cyber attacks against oil and gas organisations in the Middle East make up more than half of the recorded instances, in comparison to under 30% in the US and other Western countries. The Ponemon Institute reports that almost 68% of oil and gas companies worldwide were affected by at least one significant cyber incident in 2016, with many attacks assumed to be undetected, miscategorised or unpublished.
There is therefore no doubt that the oil and gas sector is a target. High-profile attacks in the Middle East include the massive cyber-attack in 2012 against Saudi Aramco, which either partially wiped out or totally destroyed data on 35,000 computers. This was followed three years later by an attack on Sadara, a chemical company owned by Aramco and Dow Chemical (DOW). As recently as June 2017, companies across the industry and around the world, including Russian oil and gas giant Rosneft, were combatting a ransomware outbreak that physically and financially impacted operations. Rosneft’s public statement said it had “avoided serious consequences” by switching to a backup system, but others were not nearly as fortunate.
While global spend in the oil and gas industry is expected to continue to decline, Middle East producers are looking to maintain spending in order to meet production targets. Saudi Aramco for example, plans to spend $334bn across the oil and gas chain by 2025, while Kuwait is expected to spend $115bn on energy projects over the next five years to help boost crude production capacity to four million barrels a day by 2020. The various control systems that will enable this efficiency and productivity are digital, networked, interconnected and in most cases, remotely accessible for monitoring, maintenance and even control. It is clear that the sector must therefore keep a close eye on the future to effectively protect itself from cyber-attacks.
The pros and cons of progress
Developments in technology and connectivity have been instrumental in driving greater productivity, efficiency and revenues within industries such as oil and gas. Today, an industrial control system (ICS) that uses specialised industrial-grade hardware and software to monitor and control devices and machinery sits at the heart of all operations and may be a nearly immutable single point of failure (SPOF) in the complex upstream, midstream and downstream operations. But such advances have also increased the risk and introduced a myriad of new scenarios that can disrupt production and processes, impact safety and bring financial consequences. The adoption of cloud-based IT solutions, the widespread introduction of insecure connected devices into networks, and the increasing reliance on digital technology for operations and expanded connectivity mean that many systems are far more vulnerable to attack than they once were.
In an ordinary business environment, a cyber breach of business IT systems can compromise data, and revenues may be affected as a result. However, the potential damage can be far more severe when an attacker targets an organisation reliant on industrial control systems, such as oil and gas, where digital and physical processes must necessarily converge.
SANS report explores cyber risks and threats
SANS Institute’s Securing Industrial Control Systems 2017 report explored how hundreds of ICS security practitioners worldwide are combatting cyber security risks and threats. These are the people responsible for identifying risks, protecting control systems and networks from malicious and accidental activity and recovering systems if and when things go wrong. The report shed light on the concerns of ICS practitioners, as well as their views regarding the most prevalent cyber security threats today.
Challenging real-world scenarios
The SANS report showed that many of the professionals responsible for today’s industrial control systems do at least recognise current cyber security risks. However, they aren’t always in a position to overcome them since governance is often seen as a lower priority when it comes into conflict with the objectives of the business around efficiency and productivity. Many ICS practitioners aren’t interested in becoming cyber security experts themselves, but they do realise that their organisation needs to plan to manage the threats.
It is also important to recognise that ICS environments pose unique challenges that do not exist in an ordinary business enterprise system. Automation and control systems frequently run continuously, ceasing only in the event of a loss of power, mechanical failure or an issue with the raw materials. Decisions to stop systems are not taken lightly, and a patch upgrade for example – a not-infrequent occurrence that every network administrator must factor in – will disrupt the operation of most ICS designed to run around the clock. A plant manager must weigh up the cost of downtime to patch a system as a preventative measure against the impact on system safety, uptime, efficiency and productivity.
This process of upgrading ICS products and systems, even if just to apply a minor patch, is in stark contrast with many other IT environments. In the SANS report, only 46% of ICS respondents said they regularly apply vendor-validated patches. Given the challenges of running ICS systems 24 hours a day, it is no surprise that decisions are taken not to update. However, the expanding attack surface that results from such decisions only increases the long-term security challenges of protecting these critical systems against known risks and threats.
Neither is it surprising that more than two-thirds of respondents in the SANS report (69%) considered the threat to ICS systems to be high or severe/critical. Four out of 10 practitioners said they lack visibility into their networks (for comprehensive asset identification, communication anomaly detection and discovery of indicators of compromise), which is one of the primary reasons organisations struggle to secure ICS systems.
To be able to fully protect networks, practitioners require full knowledge of connected and interconnected assets, configurations and the integrity of communications. In addition, 44% of respondents considered the addition to the network of devices that can’t protect themselves to be the top threat to their ICS. This was followed by accidental internal threats (43%), external threats from hacktivists or nation-states (40%) and ransomware (35%).
Training plays a big role
Trained cyber-security professionals are key to solving the security problems of ICS, as is the continuous education in best practice and security of all employees that come into contact with the ICS.
Weaknesses in IT systems can sometimes be the cause of a cyber breach. However, people pose a greater risk, with almost 90% of cyber-attacks caused by human error or behaviour. This can be the result of malicious action by staff, but equally it will often involve employees who have simply not received adequate training and lack the knowledge of how to operate and maintain IT systems securely, or even to spot that there is an issue.
The SANS report highlighted that worldwide, despite the rise in cyber-attacks and awareness of them, budgets for the training and certification of staff responsible for implementing and maintaining industrial control systems have fallen considerably, from 34% in 2016 to 26% in 2017.
The report also revealed that businesses are cutting their budgets for bringing in trained security staff and consultants despite a recent study that found that 82% of respondents reported a shortage of cybersecurity skills within their company, and 71% agreed that the shortage of skills does direct and measurable damage to their business. There is clearly a gap in the workforce of many ICS businesses for specialist cyber security skills and these particular year-over-year shifts in spending are hopefully mere temporary aberrations, not indicators of larger macro industry trends.
The 2017 report also found that a large number of respondents had to balance ICS security duties with a large proportion of secondary responsibilities, so many must manage priorities and weigh key risk decisions against other job duties.
Organisations must therefore be more willing to train staff to become dedicated security professionals, instead of dividing their time between a security role and another.