By Tom Schmidt
Traditionally, proprietary protocols, applications, and private networks have shielded the oil industry's core distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems. Within this "closed" environment, little control system operating information was exchanged with, or made available to, groups outside of operations.
Over the last decade, of course, much has changed. Newer technologies have enabled wider information sharing, and various end-user groups have seized on the wealth of information available in DCS and SCADA data repositories. While there is little doubt about the efficiencies of making such data instantly available to business decision makers, this situation has created new dangers.
This article looks at some of the common security vulnerabilities of control systems, as well as the steps that oil companies can take to strengthen infrastructure cyber security.
Security vulnerabilities of control systems
How deep do concerns about cyber security vulnerabilities run among oil companies? A 2004 report by Newton-Evans Research concluded as follows:
"Outside of a relative handful of utilities and pipeline operators, we still don't get it, when it comes to the issue of infrastructure cyber security. Limiting access to business records and files is vital for any organization. Limiting access to real-time, mission-critical computer and communications systems typified by SCADA technology is paramount to the continued safe and secure operation of the world's power grids and energy pipelines."
Improving control system security should be part of an enterprise-wide risk management program for all oil companies. At the same time, the challenges of securing these systems can be daunting. These include:
- Cyber security was typically not the primary consideration when SCADA and DCS systems were being deployed. Rather, the primary driver was a high level of functionality.
- The replacement of proprietary operating systems with control systems running Windows and Unix makes such systems subject to the same vulnerabilities experienced in corporate networks. Exacerbating this problem is often the inability to take a system down in order to apply security patches from the vendor.
- Remote access to control systems by company engineers, contractors, and others via public telephone systems and the Internet introduces new access points to control systems. Such access may, in turn, unleash viruses or malicious code on the control systems.
- Technical information about control systems is becoming increasingly available to the public.
- Disgruntled employees pose a wide range of threats (such as an authorization violation, in which an authorized user gains access to the control system via the corporate network for an unauthorized purpose).
- A disruption in the flow of fuels -- such as that experienced recently by oil and natural gas industry facilities in the Gulf Coast Region following Hurricane Katrina and Hurricane Rita -- can create disgruntled customers looking for reprisal.
- An intruder initiating a denial-of-service attack by sending repeated information requests can "lock up" a control system server.
- Terrorism, electronic theft, and hacking are increasing worldwide, including intentional damage to electronic assets to promote political or social causes.
- Viruses or worms can infect control system servers or other devices, performing malicious activities such as emailing critical information to another host.
Strategies to strengthen control system security
The Newton-Evans Research report cited above predicted that "over the next few years, the industry focus will be on increasing the ability of users to secure their SCADA systems through the use of virtual private networks, encryption, authentication and participation in a number of task forces and working groups set up in the energy industry."
Effective practices for protecting control systems against common security vulnerabilities can be grouped as follows:
- Security assessments: An effective cyber security process begins with the assessment of the vulnerabilities of SCADA and DCS networks and systems on a recurring basis. Such an assessment is complicated by the multiple SCADA and DCS systems in place at most plants. Another complexity involves the interconnection of corporate networks and control networks; each type of network exposes a unique set of vulnerabilities, all of which must be assessed. One key part of security assessment is penetration testing. The "always on" nature of control networks complicates such testing. (This effectively rules out use of traditional IT security assessment companies with little or no experience conducting penetration testing in SCADA and DCS environments.)
- Security policy creation and enforcement: The foundation of effective security practices is a comprehensive, well-conceived security policy. For the control systems used by plant operators, security policies must address who is authorized to gain access to what information, who is authorized to perform what functions, and the procedures that authorized parties must follow to ensure effective security. Such policies are particularly important for controlling access by parties outside of the control room (e.g., employees accessing information via the corporate network, on-site and off-site contractors, remote employees, and others). After establishing security policies, oil companies need a policy-compliance tool that measures the current state of security, compares it with the state needed to comply with regulations and company policy, and recommends measures to accomplish such compliance.
- Security measure deployment: Some security administrators believe that firewalls provide sufficient protection across the company. However, firewalls can offer a false sense of security. Many firewalls simply allow or disallow certain types of traffic at each port. In order to secure these ports, companies need more than a firewall -- they need security measures that recognize anomalies in IP traffic. In light of the limited IT resources in some DCS environments, an integrated solution that combines firewall, intrusion detection, and antivirus technologies into a comprehensive gateway solution is recommended. In addition to this gateway security, oil companies need network security as well. This intrusion protection should combine protocol anomaly, signature, statistical, and vulnerability attack interception techniques to accurately identify known or unknown attacks and to block worms from spreading throughout networks.
- Security monitoring and management: As oil companies deploy security technologies throughout their networks, the challenge of properly managing and monitoring these resources is becoming increasingly complex. The implementation of "technology-only" solutions without close monitoring and management significantly weakens the effectiveness of security devices. Hiring experienced IT security professionals to monitor network security devices can help to mitigate risk; however, this option is cost-prohibitive for most companies. Additionally, most IT teams do not work seven days per week, 24 hours per day. As a result, many organizations are using third parties that have experience in providing 24x7 management and monitoring of security devices.
Conclusion
Control systems have undergone significant, even radical changes in recent decades, and will doubtlessly continue to evolve in the years ahead. For that reason, oil companies need to commit the resources to develop effective control system security policies and to deploy a proactive security solution (either establishing full-time positions or hiring a third party to manage the solution).
Keep in mind that existing security measures are not enough. Firewalls do not stop blended threats, like worms, and desktop antivirus solutions do not protect networks. Nor do such solutions monitor or protect oil-specific SCADA protocols like Modbus. General IT security products, untested in control center environments, can even degrade performance and bring down the systems they're supposed to protect, which is unacceptable.
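The point made above and in the "Security measure deployment" item, that a port-based firewall passes anything on the Modbus port and cannot see which function a frame requests, is illustrated by the following added example (not code from the original article). It parses the Modbus/TCP MBAP header and function code and checks each frame against a constructed per-host policy; the host addresses, the policy, and the sample frames are all assumptions made up for the example.

```python
import struct
from typing import Optional, Tuple

# Modbus function codes that change process state. They share TCP port 502
# with reads, so a port-based firewall rule cannot tell them apart.
WRITE_CODES = {5, 6, 15, 16}
READ_CODES = {1, 2, 3, 4}

# Constructed policy (assumption): which source host may send which codes.
POLICY = {
    "10.0.1.10": READ_CODES | WRITE_CODES,  # engineering workstation
    "10.0.2.20": READ_CODES,                # historian, read-only
}

def parse_mbap(frame: bytes) -> Tuple[int, int, int, bytes]:
    """Parse a Modbus/TCP ADU into (transaction id, unit id, function code, data)."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"bad protocol id {pid}")
    if length != len(frame) - 6:  # length field covers unit id plus PDU
        raise ValueError("length field mismatch")
    return tid, unit, frame[7], frame[8:]

def inspect(src: str, frame: bytes) -> Optional[str]:
    """Return an alert for a malformed or policy-violating frame, else None."""
    try:
        _, unit, fc, _ = parse_mbap(frame)
    except ValueError as e:
        return f"{src}: malformed Modbus frame ({e})"
    if fc not in POLICY.get(src, set()):
        kind = "write" if fc in WRITE_CODES else "function"
        return f"{src}: {kind} code {fc} to unit {unit} not permitted"
    return None

def build(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    # Assemble a well-formed ADU; used here only to construct sample traffic.
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu
# Constructed sample traffic: all of it is to port 502 and passes a port filter.
SAMPLE = [
    ("10.0.1.10", build(1, 1, 3, b"\x00\x00\x00\x0a")),  # read 10 registers: ok
    ("10.0.2.20", build(2, 1, 6, b"\x00\x10\x01\x2c")),  # historian writes a register
    ("10.0.3.30", build(3, 1, 3, b"\x00\x00\x00\x01")),  # host not in policy
    ("10.0.1.10", bytes.fromhex("000400010006010300000001")),  # protocol id != 0
]
def run(samples=SAMPLE):
    """Inspect each frame and return the alerts raised, in order."""
    return [a for a in (inspect(s, f) for s, f in samples) if a]
```

Only the first sample frame passes; the other three produce alerts even though every one of them would be accepted by a rule that merely permits TCP port 502.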
The four-step cyber security process outlined above -- assessment, policy, measure deployment, and monitoring/management -- can improve DCS security; perhaps more importantly, it also makes good business sense for today's oil companies.
Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.