By Tom Schmidt
While oil and gas companies have made strides to protect the physical security of their plants and infrastructure, two factors have lately moved control system security higher up on the agenda:
- Supervisory control and data acquisition (SCADA) systems and Distributed Control Systems (DCSs) used within refineries and to control pipelines are vulnerable to cyber threats.
- The explosive nature of these commodities makes this industry's infrastructure an attractive target.
But while progress has been made to enhance cyber security, oil and gas companies still face some steep challenges, including the need to connect once isolated SCADA and DCSs with business systems and networks; clashing organizational priorities; and the lack of a mandate to comply with cyber security-related standards.
This article examines today's principal SCADA and DCS vulnerabilities before proposing some effective practices that oil and gas companies can adopt to improve the security of these critical systems.
SCADA and DCS vulnerabilities
The oil and gas sector depends upon a vast and highly decentralized infrastructure, consisting of an extensive network of roughly 150 refineries, 200,000 miles of oil pipelines, and 2,000,000 miles of gas pipelines. SCADA and DCS systems used within refineries and to control pipelines form the backbone of most oil and gas industry operations in the United States and worldwide today. To supply corporate decision makers with crucial data, these organizations are increasingly integrating their SCADA and DCS systems with corporate business systems.
It is this development that has raised concerns among security professionals. These systems were originally built for efficiency and reliability -- and often deployed with security features not being implemented because they were intended to be isolated from the outside world. Integrating SCADA and DCS systems with corporate business systems exposes these control systems to cyber threats introduced through the corporate network.
Likewise, many of these control systems use the Modbus protocol to support communications with electronic flow measurement (EFM) devices and remote terminal units (RTUs) scattered throughout the thousands of miles of pipelines. While this interconnectedness provides corporate decision makers with access to critical data, it also leads to widespread availability of information about these control systems and their vulnerabilities.
At the same time, partner data sharing (a result of industry mergers and partnership formation) has fostered real-time data-sharing between DCS systems and corporate networks between separate corporate entities. These interconnections must be secured against cyber threats.
And some of those threats have been successful. For example, according to FBI director Robert Mueller, hackers in Russia were able to gain control of a gas pipeline for 24 hours by penetrating electronic control systems.
Finally, the nonstop operational requirement of SCADA and DCS systems complicates security implementation and testing because systems can never be taken offline. Many organizations maintain 24x7 operations via remote system access, which introduces additional vulnerability points.
Practices for securing SCADA and DCS systems
Oil and gas companies can benefit from proven practices to safeguard their SCADA and DCS systems within refineries and pipelines. Moreover, the following four-step cyber security process aligns with the recommendations put forth in the Security Guidelines for the Petroleum Industry, published by the American Petroleum Institute in April 2005.
- Step 1: Security Assessment This includes assessing a company's awareness of electronic threats before they reach the organization, identifying possible regulatory compliance issues, assessing the effectiveness of security and administration tools, and manually validating these security concerns using penetration testing methods.
- Step 2: Security Policy Creation and Enforcement Here companies establish who is authorized to gain access to what information, as well as who is authorized to perform what functions. To ensure an effective policy, organizations must continually measure compliance with its policies and procedures.
- Step 3: Security Measure Deployment To combat ever-evolving cyber threats, organizations must utilize proven security technologies and procedures, and that means recognizing that perimeter firewalls alone offer insufficient protection. An Intrusion Detection System (IDS) featuring both protocol anomaly and signature-based detection techniques is a vital element of modern network security. Oil and gas companies must also address inadequately protected networked, mobile, and remote users, protecting them with antivirus, IDS, and personal firewalls. This step also involves implementing recovery procedures and tools to be used in the event that an attack eludes other security measures.
- Step 4: Security Monitoring and Management This involves real-time, 24/7 monitoring and management of security information resources to prevent disruptions and minimize downtime. And that poses a real challenge. Pipeline and refinery control center personnel must focus on their system operation duties and aren't typically trained in the nuances of effective security monitoring and management. As a result, many organizations are using third parties that have experience providing management and monitoring of security devices. Also, early warning services can provide customized alerts of worldwide cyber attacks -- as well as countermeasures to prevent attacks before they occur.
Conclusion
The increasingly interconnected nature of SCADA, DCS, corporate networks, remote workers, and other networks means the industry must move to enhance security of this critical infrastructure -- in spite of a current lack of industry-mandated cyber security regulations.
The good news is that a growing number of technologies and services are available to help companies secure not only their SCADA and DCS networks but also the networks to which they are connected. For oil and gas companies looking to protect their refineries and pipelines from constantly evolving cyber threats, that can mean the difference between a costly disruption and business continuity.
Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.