Cyber Attacks in the Oil Patch: Safeguards and Risk Mitigation StrategiesJeff Klein | December 30, 2014
As the digital oil field moves from concept to reality, its vulnerabilities take on a whole new importance.
Cyber attacks on industrial control systems are very real: the U.S. Department of Homeland Security (DHS) reported that 40% of cyber attacks in 2013 were directed at the energy infrastructure. Such attacks don’t even need to be sophisticated. Hang a portable Wi-Fi jammer on a quad copter and a miscreant may be able to take down a refinery’s Ethernet system without ever having to enter a building much less splice a cable.
The digital oil field places intelligent devices throughout the production flow, from drilling platforms and refineries to distribution pipelines and tank farms. The effect of these sensors has been tremendous. Real-time monitoring improves safety, drives down costs and enhances efficiency. Unfortunately, these dispersed sensors also create vulnerabilities, not all of which are easily solved.
SCADA (supervisory control and data acquisition) systems can be the weakest link in an industrial control system (ICS). Because the SCADA standards were developed for internal control networks at a time when cyber threats were insignificant, these systems are highly vulnerable to attack. According to DHS's Industrial Control System Cyber Emergency Response Team (ICS-CERT), SCADA networks are vulnerable at any device. A flow monitor at a remote wellhead or valve station has almost no physical security, providing easy entry to the serial communication network. Unlike internet-based IP networks, serial communications networks typically have minimal security, yet they offer a direct line to both servers and networks.
Mark Bristow, chief of the ICS-CERT team for incident response, noted at a recent technology forum sponsored by the American Fuel and Petrochemical Manufacturers Association a trend favoring control system attacks. While the federal government is actively monitoring and responding to attacks, he says that the industry needs to take an active role to update and harden its process control systems.
ICS-CERT publishes best practices for hardening industrial control systems. It points out that every attacker faces at least three primary challenges, any of which can be used to stop an attack. These challenges are to gain access to the control system network; identify the control systems, circuits and devices; and gain control.
The first challenge may be the easiest and the hardest to maintain. A refinery system is typically confined to its physical footprint, making a physical breach difficult although not impossible, as Wi-Fi vulnerabilities exist. For self-contained networks like these, attackers may try to gain access through vendor support systems, often backed up by a dial-up modem. Dial-up modems are often highly vulnerable due to the prevalence of default password usage. To mitigate this vulnerability, passwords should be changed when the device is installed.
More extended facilities such as pipelines and wellhead collection networks face a different set of access control challenges. A first step at hardening these vulnerable access points is to address the physical: fences, cameras and locked equipment panels should be a fundamental part of any cyber security plan. The plan begins to fall apart when RTUs – remote terminal units - are used to back up IP, satellite or other high-speed communications. RTUs typically offer little or no authentication data, so that a modem calling the network from a remote compressor station may in reality be an attacker.
Detecting these attacks is relatively simple. Traffic originating from a strange port or from an IP address that is not normally on your network is one giveaway. Likewise, any loss of connectivity to a remote access point should set off alarms in the network management system, and the device cut off until its status can be confirmed.
Once the attacker gains access, he or she still will need to identify and understand production processes and how to control them. At the wellhead, the primary process is lift, usually through a rod or submersible pump. An attacker may be able to interrupt flow, but creating a catastrophic failure is difficult. Compressor stations are more susceptible to damage, although the major risk again is mechanical rather than environmental. Remote valve installations rank higher on the risk scale. Opening the wrong valve or closing one too quickly may cause a pipeline rupture.
Defense in Depth
Refineries present a more complex vulnerability. They often are located in industrial or mixed-use areas and present a risk of fire, explosion and toxic gas release. For these reasons, keeping operational control secure should be a refinery manager’s primary goal. The key to this is known as defense in depth.
The point of defense in depth is to segment corporate and process control systems into multiple layers, each with increasing security. The outermost layer is considered “public” and contains Internet connections, connections to business associates and connections to untrusted equipment sites. For obvious reasons, there should never be a direct connection between the public layer and a process control system or device.
The next layer contains corporate services, such as email and business support systems like human resources and accounting. An attack on these systems can be painful (as the December 2014 cyber attack on Sony Pictures demonstrated), but rarely risks life or property.
Within the corporate layer lies the manufacturing layer where most monitoring and control takes place. This later acts as the interface between pure control systems and business management systems. An attack that reaches this layer can shut down a plant, but again, generally with little risk of physical harm.
The fourth layer is the control layer. Devices in this layer include programmable logic controllers, flow and pressure sensors and valve control devices. Keeping this layer secure is paramount to maintaining safe process operations.
Layer five contains all process safety devices. Many experts recommend that this layer be “air gapped,” that is, entirely unconnected to any external network. By air gapping the safety layer, fail-safe devices cannot be overridden in an emergency.
The most secure network stil can be brought down by human error. Social hacking – the use of phone calls, emails or other communications to gain login credentials, passwords and control information, should be discussed with staff, third-party vendors and management.
The oil patch is thousands of miles long, with many dark and lonely places along the way. By tightening up network controls, installing a robust intrusion detection system and maintaining firewalls and air-gapped safety devices, the industry can go a long way toward keeping the infrastructure safe, secure and profitable.