Cyber Domain “Fifth Domain of Warfare” 🌍
Cyber-attacks on the energy sector, and on oil and gas facilities, have increased in the past five years along with the associated costs. The scale and severity of attacks on industrial cyber systems are growing. For the oil and gas sector – like other sectors – it continues to be difficult to detect and defend against. Few Snapshot :
“The good guys need to protect everything that’s online.
The bad guys just need to find one way in.”
When a cyber criminal (not a hacker or script kiddies) wants your data, however, they won’t be so easily detected or deterred. Wo kehtey hai na “You’re secure only if you are not targeted”; sahi kehtey hain ;). Below image simplifying everything, “a small piece of code may more dangerous 😧”
I’m so glad someone asked so what about Ethical Hackers?
Ethical hackers (so called to avoid association with their criminal counterparts) are engaged by organizations to break into their systems and detect vulnerabilities. They then report what they found and explain how it can be fixed. This process is also known as a penetration test. The problem is that some cyber criminals are smart – very smart 😉 so Dear readers.
Be Smart & Creative in Cyber World 🕵️
Well move to Oil and gas sector accordingly, a report by Frost & Sullivan, “Global Oil and Gas Infrastructure Security Market Assessment,” estimated that the total market is expected to reach $31 billion dollars by 2021. Drawing from these impending threats and projections, the need for a cutting-edge, extensive and preventive approach for cyber threats has become paramount.
A 2014 report issued by the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) identified a wide range of information security weaknesses evident across what the US government classifies as “critical infrastructure sectors.” The report found that vulnerabilities in three specific realms were most prevalent across these sectors: boundary protection, information flow enforcement, and remote-access control.
Hackers and cybercriminals are driven by various motives, including political and ideological beliefs, economic value, related criminal activity spilling over to cyberspace, strategic gains, and other issues pertaining to national security. Additionally, the sector has been impacted by robust state-sponsored Cyber-Espionage age campaigns, including Trojan.Laziok and Energetic Bear, attacks that can damage physical infrastructure. For more Cyber War and Terrorism please check 👉 C3 Cyber
As Hackers Perspective,
Malicious groups have an increasingly large armoury of technology by using a piece of code for mass destruction. Most are into Supervisory Control and Data Acquisition (SCADA) and Distributed Control System (DCS), used for industrial automation and control. The nature of the problem relates to the design, installation, and functionality of the Operational Technology (OT) used to manage and operate industrial and critical infrastructures.
Technological advancements in our industry may expose more of our operations to cyber-attack. The oil and gas industry is well aware of potential threats and is rising up to tackle cyber security issues by creating joint programs and initiatives. But it is the critical importance of oil and gas infrastructure that makes some governments unwilling to share information and join a global fight against cyber crime
According to the survey, 72 percent of respondents said that a single executive is responsible for securing both IT and OT environments.
Lacking enterprise-wide cyber analytics technology to monitor for cyber attacks, most oil and gas companies are not fully aware of when or even how cyber attacks might affect them, Accenture’s High-Performance Security 2016 Report
- Deirdre Michie, Chief Executive of Oil & Gas UK
“Politically and economically, the attention of hackers is drawn to energy in wishing to cause disruption by halting production, causing financial loss, or even causing loss of life. Cyber-attacks on the energy sector, and on oil and gas facilities, have increased in the past five years along with the associated costs.”
“Human error still remains one of the main causes of security lapses and all employees should have an understanding of how they are likely to be targeted. In today’s digital world, simply opening an infected email in a head office, for example, may lead to serious consequences for upstream and downstream operations. The threats are unlikely to go away and will continually evolve. It is therefore vital that companies continue to invest in solutions that will ensure security for their personnel, assets, and reputation,”
- Trond Winther, Head of the Operations Department, DNV GL – Oil & Gas.
“As all oil and gas process plants are now connected to the Internet in some way, protecting vital digital infrastructure against cyber-attacks also ensures safe operations and optimal production regularity,”
- Petter Myrvang, Head of the Security and Information Risk, DNV GL – Oil & Ga
“Headline cyber security incidents are rare, but a lot of lesser attacks go undetected or unreported as many organizations do not know that someone has broken into their systems. The first line of attack is often the office environment of an oil and gas company, working through to the production network and process control and safety systems,”
The top 10 cyber security vulnerabilities:
- Lack of cyber security awareness and training among employees
- Remote work during operations and maintenance
- Using standard IT products with known vulnerabilities in the production environment
- A limited cyber security culture among vendors, suppliers, and contractors
- Insufficient separation of data networks
- The use of mobile devices and storage units including smartphones
- Data networks between on- and offshore facilities
- Insufficient physical security of data rooms, cabinets, etc.
- Vulnerable software
- Outdated and ageing control systems in facilities
Must Read 👌 : Cyber Security Threats 2017
The scope of activities within the oil and gas industry’s value chain creates many potential points of entry for attack (See Exhibit 1.)
We then looked at a simple upstream drilling infrastructure for help in identifying and understanding where the security gaps in upstream operations were largest. (See Exhibit 2.) As the exhibit shows, most security efforts related to upstream drilling infrastructure are focused on the security of physical assets rather than the security of information.
INDUSTRIES WORRIED 😱
- Production circle shutdown
- Utilities interruption
- Power Outage/ Disruption
- Undetected spills/ leaks
- Inappropriate product quality
- Data Breach
- Brand Value
- Plant shutdown
- Equipment damage
- Safety measures violation resulting in injuries and even death
MAJOR THREATS ☠️
- Cyber criminals infiltrating / Espionage (Lead to Breach)
- Crypto Malware
- DDoS/ Sabotage
- Phishing Tactics/ SE
- Target (Data mining and analytical programs, IoT)
- PPT (People, Policy, Technology) need
- Training & Proper Framework
- Standardization of procedures Controls and Privilege
- VAPT /Audit Time to time
- Strengthen Enterprise Resource Planning (ERP) or Business Intelligence (BI) systems
- Accurate analysis of remote access management tools /Cloud MSS
- Laws and regulations/ Organizational Security Guidelines
- Disaster Recovery Plans
- SOC & Threat Intel on proper place
- Zoning and separation of networks
- Transportation Security Administration’s (TSA) Pipeline Security Guidelines
- American Petroleum Institute (API)
- Interstate Natural Gas Association of America (INGAA)
- NIST/DHS/ SANS/ISO
The increasing technological complexity of today’s oil and gas industry—driven by, for example, the industry’s spiraling deployment of data mining and analytics technologies, sensor and networking technologies, industrial systems, and systems integration technologies—is rendering it increasingly vulnerable to cyber attack. To protect themselves, their shareholders, and their customers adequately, industry players must make cybersecurity a highest priority and an ongoing consideration at the executive level.
Source & References Might Helpful 🙏