
Securing Utilities Infrastructure


Details
    Published on Thursday, 21 February 2013 05:29
    Written by Craig Sutherland


As a highly critical sector, the oil and gas infrastructure should be one of the most secure, both physically and digitally. This is not the case.



A multi-billion dollar industry, trading one of the most valuable commodities on the market, is connecting industrial control systems full of unpatched vulnerabilities to the Internet, where cyber criminals roam with impunity. These systems are poorly protected against cyber threats; at best, they are secured with IT solutions that are ill-adapted to legacy control systems. “The lack of appropriate security has already allowed a number of destructive cyber-attacks to lay waste to some of the most high-profile companies in the industry,” says senior cyber security analyst Michela Menting. “Oil and gas companies have been the victims of sophisticated cyber threats since 2009. Many of these attacks have caused significant financial damages. Inevitably, as the number of cyber-attacks increases in the coming year, realization of the financial implications of persistent cyber threats will boost cybersecurity spending in this field during the forecasted period. Spending is set to pick up considerably from 2014 onwards.”



According to ABI Research, cybersecurity spending on the oil & gas critical infrastructure will reach $1.87 billion by 2018. This includes spending on IT networks, industrial control systems and data security; countermeasures; and policies and procedures.

So, why is oil and gas infrastructure vulnerable to cyber attacks? The problem with protecting national infrastructure installations, including utilities, is the nature of the process-driven operations used. Workers are typically used to the same routine, day in, day out. Potential cyber attackers, perhaps even former employees, will take advantage of these routines to launch an attack. In process-controlled environments, which were never connected to external networks, the inherent risk of applying firmware and software updates is normally avoided: the chance that an update disrupts another dependent process or creates a new issue is seen as outweighing the benefit of installing it.


Furthermore, since the installation was not connected externally to the Internet or an extranet, it was extremely unlikely that a known security vulnerability would lead to a cyber attack that caused the installation to fail.

So what has changed? The biggest change over the last twenty years is that process control systems have gone all-IP. Previous generations of process control systems depended on legacy protocols such as RS-422/RS-485 for communication. Infiltrating such systems was nearly impossible, and the technology was considered a closed loop. However, in today’s digital era, industry has demanded that process control systems migrate to IP, which reduces the cost and complexity of maintaining separate control systems. This IP migration is what has opened the door to new threats. Previously, when an issue was reported at a remote site, the on-site staff would connect a modem to the phone line so an engineer could log in using an RS-232 connection and start a troubleshooting session remotely. Once the task was finished, the remote site disconnected the modem and the site was once again secure.

Today, the remote site staff allow an engineer to start a remote desktop session to their PC via an Internet-connected VPN. From this PC the engineer can access all the process control devices, which are completely IP-enabled. It is in this scenario that so many vulnerabilities exist. Chances are that the engineer uses a laptop which he also takes home. Both the engineer and the remote site staff have external email access on their PCs. A carefully crafted cyber attack will infiltrate the system within a legitimate email or a shared file and take advantage of the security weakness of the process control system itself. Furthermore, being completely IP-enabled allows the attacker to spread the attack to every connected device. Installing extra firewalls and security appliances will not solve these types of sophisticated attacks. Only physical isolation and a thorough review of site access and connectivity policies will.

Tips To Ensure Security

    Troubleshooting and maintenance support for the secure network should be carried out from a dedicated laptop which is stored in a safe when not in use.
    A sign-in / sign-out procedure for the laptop should also be included.
    The laptop should employ a CAPS-compliant crypto authentication scheme to gain access to the secure network.
    Software and code updates should be delivered on read-only media, such as CD-ROM, and should be produced by the vendor, not downloaded and copied.
    USB memory sticks and hard drives should never be used.
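
The first two tips can be audited after the fact by reconciling the laptop's sign-out ledger with the sessions recorded on the secure network. The following is an added example, not part of the original article; the asset name maint-laptop-01, the record layouts and every sample entry are constructed assumptions.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"
DEDICATED = "maint-laptop-01"  # hypothetical asset name of the safe-stored laptop

# Constructed sample: sign-out ledger (signed out, signed back in, holder)
CUSTODY = [
    ("2013-02-18 08:05", "2013-02-18 11:40", "engineer-a"),
    ("2013-02-19 13:00", "2013-02-19 15:30", "engineer-b"),
]
# Constructed sample: secure-network sessions (start, end, device, user)
SESSIONS = [
    ("2013-02-18 08:20", "2013-02-18 11:10", "maint-laptop-01", "engineer-a"),
    ("2013-02-18 22:15", "2013-02-18 22:50", "maint-laptop-01", "engineer-a"),
    ("2013-02-19 13:10", "2013-02-19 14:00", "maint-laptop-01", "engineer-a"),
    ("2013-02-19 14:05", "2013-02-19 14:45", "office-pc-17", "engineer-b"),
]

def ts(text):
    return datetime.strptime(text, FMT)

def audit(sessions, custody, dedicated=DEDICATED):
    """Return (session start, device, reason) for every session that breaks the tips."""
    windows = [(ts(out), ts(back), who) for out, back, who in custody]
    findings = []
    for start, end, device, user in sessions:
        s, e = ts(start), ts(end)
        if device != dedicated:
            # Tip 1: only the dedicated laptop may reach the secure network.
            findings.append((start, device, "not the dedicated laptop"))
            continue
        # Tip 2: the whole session must fall inside a recorded sign-out window.
        holders = [who for out, back, who in windows if out <= s and e <= back]
        if not holders:
            findings.append((start, device, "laptop not signed out"))
        elif user not in holders:
            findings.append((start, device, "user is not the sign-out holder"))
    return findings

if __name__ == "__main__":
    for finding in audit(SESSIONS, CUSTODY):
        print(finding)
```
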

