Read part one of this article here.
Taking defensive action
In 2007, the US Department of Homeland Security created the Chemical Facility Anti Terrorism Standards (CFATS) programme to regulate security at chemical facilities that use large quantities of high risk chemicals. High risk facilities are those that are considered to present potential hazardous conditions to the safety and health of people in the area, and for the national economy and security. The law requires high risk facilities to conduct security vulnerability assessments, including cyber attack, and develop site security plans that are submitted to the Department of Homeland Security.
In order to comply, most petrochemical and refinery facilities seek the aid of cyber security experts. The first step is to assess the current depth and sophistication of security. Auditors test internal and external network infrastructure against penetration, evaluation of remote access security, control system and SCADA security, and even telephone and voice messaging systems vulnerability (anything that has the potential to be compromised by hackers or attackers) in order to highlight gaps and shortfalls in the system.
The second step is remediation. Much can be done inexpensively, such as installing patches or instigating more frequent password changes. More comprehensive steps include decoupling non-critical functions from the same system as critical operations, in order to avoid negative impacts from the former being compromised.
The third step is overhauling management oversight so that the security system is actively maintained, tested and updated to deal with new threats that are constantly being invented.
The fourth step is assurance; third party consultants confirm that security participation remains high, that employees are changing passwords frequently, and upgrades are implemented in a timely fashion.
What, me worry?
While developing a site security plan is mandatory, maintaining it is not. This can lead to situations where budget items that are required to meet environmental regulations or face criminal sanction, say, trump ‘nice to have’ security upgrades. Senior executives can take a laissez faire approach to cyber security, knowing that serious attacks are rare.
Part of the reason is the complicated, interconnected nature of utility networks and large facilities such as refineries. The centrifuges compromised by Stuxnet were relatively uncomplicated devices in which the virus altered one variable, the rotation speed, by less than 10%. A refinery has a host of interacting processes. Changing the pressure in a hydrocracker, for instance, would engender a cascade of other variables that would be exponentially more complex to conceal; a scenario that would require skills far in excess of most hackers.
Even if a cyber attack were to cause physical damage to a plant or network, it would be a matter of days or weeks before repairs could be made. However, in today’s world of big data and interconnectivity, cyber attacks can cause much greater harm to software and operating systems than physical assets. A breach could focus on wiping out historical operating data and/or configuration files. Such an attack would turn a refinery into thousands of tonnes of cold metal; essentially, it would require the equivalent of recommissioning the entire plant to return to normal operations.
Regardless of regulations, the oil and gas sector is taking the issue very seriously. Recently, the American Fuel & Petrochemical Manufacturers (AFPM) held its annual security conference, in which cyber security played a prominent role.
In addition to phones, hackers will focus on other smart devices. Wearable technology (in which glasses, watches and safety helmets are equipped with sensors, software and internet connectivity) are just beginning to enter the workplace environment. Recently, the Praetorian Group examined the potential for a home entertainment device with audio command capabilities.
Cyber defense is evolving. Some companies are installing air gaps, or a one way flow of information, creating a ‘virtual moat’ around the corporate system. Another recent security trend is the greater adoption of ‘white listing’ as opposed to just ‘black listing’. A black list contains known malicious applications; only trusted white listed apps are allowed to run.
A third trend is to increase the difficulty to access the system. “You can reduce compromises by using dual factor authentication,” said Abraham. “For instance, if a user accesses using a password, the system sends a text message to a secure phone with a random generated number that the user must then submit. There are a lot of online authentication services, some are free, and some charge a fee. They really help prevent compromises.”
In the end, however, the responsibility for protecting against cyber attacks will have to evolve from individual company responses to a much more comprehensive coordination between government and industry. Unfortunately, few see greater involvement until a serious breach, occasionally referred to as the cyber Pearl Harbor, finally occurs.
Written by Gordon Cope, Contributing Editor. This is an abridged article taken from the July 2015 issue of Hydrocarbon Engineering.
Read the article online at: https://www.hydrocarbonengineering.com/product-news/06072015/cybergeddon-how-real-is-the-threat-part-two-1018/