EY holds that increased risk requires a significantly more robust approach to operational technology (OT) security than many oil and gas companies are currently taking. OT systems now require in depth, ongoing attention from the chief information officer and their department, including regular reviews of the OT environment and supporting infrastructure, assessments of information flow patterns and usage techniques, and analysis of remote access management tools.
In addition, the security of each component of the network architecture must be tested regularly, from the applications used to operating systems on servers and even the actual field devices that respond to controls.
This type of testing is called ‘penetration testing’, and is done regularly on the IT side of most companies’ networks. It is designed to mimic the techniques and methodology used by attackers intent on gaining access to the network. Penetration testing on OT networks is less common, although the concept is the same.
Why the reluctance to test?
EY highlights that unlike IT systems, which can be shut down at certain times for testing without major consequences, OT is necessary around the clock. Even momentary disruptions can result in considerable losses in revenue. More importantly, however, disruptions at refineries, petrochemical plants or pipelines can create major safety and environmental issues.
In addition, until recently, with OT networks not linked with business IT networks or the internet there was little need to test. Hence, many companies have no standard protocol or policy for testing and are reluctant to implement a new program.
EY holds that it is possible to conduct meaningful penetration testing on OT networks. Communication is essential to this achievement.
A multidisciplinary test planning team that includes operations support engineers, consultants experienced in designing and executing OT tests and internal IT security professionals can help promote the exchange of information and ideas so that everyone understands exactly what will take place.
A major focus of pre-test planning should be identifying testing acitivities that could disrupt critical servers. These activities must be excluded or worked around via alternatives.
If exploiting a potential vulnerability, such as buffer overflows or denial of service activities, the team should carefully consider the appropriateness of performing the test. The gains from better understanding the vulnerability may not outweigh the potential adverse reaction that may result. Whenever possible, these types of activities should first be tested in a developmental area.
Social engineering element
Additionally, including a social engineering element to penetration testing can help to uncover gaps in security policies and procedures and identify weaknesses in personnel awareness training. Social engineering also helps to enhance or complement technical activities during a penetration test and more closely resembles the array of activities and methods that would be used by an attacker.
Adapted from a report by Emma McAleavey.
Read the article online at: https://www.hydrocarbonengineering.com/gas-processing/07072014/oil_and_gas_cybersecurity_867/