REMOTE INSIGHT REPORT
O&G Cyber Security
Are we doing enough?
Offshore may be far from the crowds, but distance doesn’t minimise cyber threat. Innovations in technology are allowing us to drill further and deeper. But these advancements often come with an array of open backdoors. So, as numerous different networks and devices find their way onto rigs and remote installations, just what can be done to protect the oil and gas industry, asks Vaughan O’Grady.
There is no shortage of activity in the remote exploration cyber security space these days. Late last year, for example, we heard that RigNet had selected cloud security specialist Alert Logic’s Threat Manager and ActiveWatch services to help its oil and gas customers better identify suspicious network traffic and respond more quickly. In February, Airbus Defence and Space and Communications International announced an alliance to enhance secure radio communication solutions for the Brazilian mining industry. In May, GE announced the acquisition of Wurldtech, a leader in cyber security solutions, noting: “This move is one of several by GE to help protect critical infrastructure and advance cyber security efforts globally for key industries.”

But what should remote exploration companies be worried about? Chris Camejo, director of information security and risk management at specialist NTT Com Security, cites a number of threats. They include the potential for users on their networks to bring malware into the environment, social engineering attacks (“tricking a user into installing a backdoor into the network”) and the vulnerabilities of industrial control systems. He explained: “Industrial control systems, including SCADA, have a long history of vulnerabilities, administrators deploying insecure configurations, default passwords, and in some cases protocol designs that are simply not appropriate for connection to a potentially hostile public network.” The resulting economic dangers, for oil and gas in particular, said his colleague Lars Thoresen, CSO & CQO Nordic region, are not just information theft but very expensive system downtime.
Where are threats coming from?
The motives for cyber attacks vary. Disgruntled insiders are an obvious source but Alert Logic's chief security evangelist, Stephen Coty, also cites “industrial espionage by countries looking for a competitive advantage using remote access Trojans built to spy on organisations; political motives; and people who just want to know how the system works and break in to explore out of curiosity.” Camejo suggests that some attackers may be looking to gather economic information on lease bids or to exploit weaknesses in control systems. He said: “The ‘Night Dragon’ malware and another attack reported last year both stole passwords, modem numbers, and other information that could be useful for hijacking control systems and using them for sabotage.”

Just about any communications system can be vulnerable unless it is properly secured. Camejo points out that even satellite terminals and cellular connections, in many cases, “are just another device with an IP address that can be accessed from anywhere in the world and face the same sort of attacks as their leased-line brethren.” Telephone modems are often used as an out-of-band backup in case of an internet outage or for periodic control of remote locations. These too are vulnerable because they tend to be connected directly to console ports on sensitive devices, devices that may have default, or no, passwords. “Radio communication links should also be on the security radar as the price of software defined radio (SDR) technology quickly drops,” Camejo pointed out, and Thoresen added: “Also, letting a system be installed with default settings may leave that system open to known vulnerabilities or backdoors.”

The more points at which security could be compromised (systems, people, devices), the more risk. But the risk may be greater because, as Coty suggests, remote sites tend to have what he calls “a lower security posture.” This certainly doesn't help when personal devices are involved. Staff may want to access, monitor or control internal systems, even SCADA, from any wirelessly enabled device anywhere, but they run the risk of picking up malware on a public WiFi network and spreading it.
“The best advice,” said Thoresen, “is to always conduct a thorough risk analysis before allowing any mobile device remote access to systems containing sensitive information.” Coty added: “A paper we wrote on this* found that BYOD introduced a great amount of risk into environments. Using desktops in the cloud has given a new strategy in which we can still centrally secure and monitor desktops while making them available for a remote workforce.” Another problem, said Camejo, is that many of the systems that are deployed in the field are rarely upgraded or updated due to a lack of IT resources and, often, fear that updates will cause outages that impact the business. “It's still fairly trivial to find control systems with default passwords and known vulnerabilities connected to the internet,” he notes.
Perhaps that is why Coty argues for the importance of “a solid strategy that has management support to enforce the policies created to protect the environment.” He also suggests preventative measures, such as “locking down the physical security of the facilities to make sure there is no outside introduction of malicious technologies; the hardening of computer networks and the implementation of a security-in-depth strategy; and monitoring the security technologies that are deployed 24/7 to look for possible incidents and anomalies.” Changing default passwords and patching vulnerabilities are also important and, said Camejo, “this applies equally to the back office systems, the control systems in the field, and the infrastructure pieces that control the satellite, cellular, and radio links.” At the organisational level, IT managers need control of the security policies for the devices and the authority to enforce them. And, Camejo points out, staff need to be aware of the threats of lax password control, phishing emails and installing ‘sketchy’ apps (that could be malware) on their BYOD devices. On the technology side Camejo said, “2-factor authentication and VPNs are key tools to make it more difficult for remote attackers to access sensitive resources,” along with “monitoring technologies like SIEM [security information and event management] that can provide a security dashboard to detect attacks in their early stages when they can be more easily stopped.”
“There are several good technologies in the market that secure devices through encryption, policies that restrict or prohibit risky behaviour and that prevent malware infections,” added Thoresen.
As for the recent RigNet deal with his company, Coty explained: “Having Threat Manager deployed with 24/7 ActiveWatch will allow our SOC [Security Operations Centre] to respond to incidents quickly and efficiently escalate them for resolution. With NetFlow collection we can then look for anomalies that might occur through network traffic.” But technology needs to be part of an overall company policy of security enforcement. As Coty said: “Companies need to invest in their security-in-depth technologies and support the people and process behind it.”
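The SIEM dashboard Camejo describes and the NetFlow anomaly hunting Coty mentions both reduce to the same mechanism: compare each flow record against what a control-network host is expected to do and raise an alert on the deviations. The block below is an added illustration written for this article, not code from Alert Logic, NTT Com Security or RigNet. The network ranges, the list of console/ICS ports, the record layout and the sample flows are all constructed assumptions; a real deployment would read exported NetFlow/IPFIX records and learn the baseline from weeks of traffic rather than two hand-written rows.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set

# Network layout is an assumption made for this example, not taken from the article.
CONTROL_NET = ip_network("10.20.0.0/16")   # rig control / SCADA segment (assumed)
CORP_NET = ip_network("10.10.0.0/16")      # back-office segment (assumed)
INTERNAL_NETS = (CONTROL_NET, CORP_NET)

# Services whose appearance on a control-network host from outside that segment
# deserves a look: console/remote access and ICS protocols on their well-known ports.
ICS_ACCESS_PORTS = {23: "telnet", 502: "modbus-tcp", 20000: "dnp3", 3389: "rdp"}


@dataclass(frozen=True)
class Flow:
    """A minimal NetFlow-style record (constructed fields, not a real export format)."""
    ts: int        # epoch seconds
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


@dataclass(frozen=True)
class Alert:
    rule: str
    flow: Flow
    detail: str


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def learn_baseline(history: List[Flow]) -> Dict[str, Set[str]]:
    """Record which destinations each control-network host talked to during a
    known-good period; anything outside that set later counts as 'new' for that host."""
    peers: Dict[str, Set[str]] = defaultdict(set)
    for f in history:
        if ip_address(f.src) in CONTROL_NET:
            peers[f.src].add(f.dst)
    return dict(peers)


def detect(flows: List[Flow], baseline: Dict[str, Set[str]]) -> List[Alert]:
    alerts: List[Alert] = []
    for f in flows:
        src, dst = ip_address(f.src), ip_address(f.dst)
        if src in CONTROL_NET and not is_internal(f.dst):
            # Control systems rarely have a reason to initiate connections to the
            # internet; this is the shape of remote-access-Trojan beaconing or exfiltration.
            alerts.append(Alert("external_egress", f,
                                f"{f.src} -> {f.dst}:{f.dport} leaves the internal networks"))
        elif dst in CONTROL_NET and src not in CONTROL_NET and f.dport in ICS_ACCESS_PORTS:
            # Console or ICS-protocol access into the control segment from elsewhere.
            alerts.append(Alert("inbound_ics_access", f,
                                f"{ICS_ACCESS_PORTS[f.dport]} to {f.dst} from {f.src}"))
        elif src in CONTROL_NET and f.dst not in baseline.get(f.src, set()):
            # Lateral movement shows up as a control host talking to a peer it never
            # used during the baseline window.
            alerts.append(Alert("new_peer", f, f"{f.src} first contact with {f.dst}:{f.dport}"))
    return alerts


# Constructed sample data. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
HISTORY = [
    Flow(1000, "10.20.1.5", "10.20.1.1", 502, "tcp", 1200),    # HMI polling a PLC
    Flow(1060, "10.20.1.5", "10.10.5.20", 1433, "tcp", 9000),  # HMI writing to historian
]
TODAY = [
    Flow(2000, "10.20.1.5", "10.20.1.1", 502, "tcp", 1300),      # normal
    Flow(2010, "10.20.1.5", "10.10.5.20", 1433, "tcp", 8800),    # normal
    Flow(2020, "10.20.1.5", "203.0.113.7", 443, "tcp", 640),     # control host -> internet
    Flow(2030, "198.51.100.9", "10.20.1.1", 23, "tcp", 300),     # telnet to PLC from outside
    Flow(2040, "10.10.7.30", "10.20.1.1", 502, "tcp", 500),      # office host speaking Modbus
    Flow(2050, "10.20.1.5", "10.20.9.40", 445, "tcp", 70000),    # HMI to an unfamiliar peer
]


def run_example() -> List[Alert]:
    return detect(TODAY, learn_baseline(HISTORY))


if __name__ == "__main__":
    for a in run_example():
        print(f"[{a.rule}] {a.detail}")
```

The three rules map directly onto the threats the interviewees describe: egress from the control segment catches the spyware and remote-access Trojans Coty mentions, the inbound ICS-port rule catches telnet or Modbus reaching a device that may still carry a default password, and the baseline comparison is what "looking for anomalies" in NetFlow means in practice. The two legitimate flows produce no alerts, which is the property that keeps a 24/7 SOC from drowning in noise.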
Chris Camejo, director of information security and risk management, NTT Com Security
Lars Thoresen, CSO & CQO, Nordic region, NTT Com Security
Vaughan O’Grady, independent telecoms writer
Stephen Coty, chief security evangelist, Alert Logic