The threat to the security of process control systems is growing by the day as vulnerabilities continue to be discovered and attackers realise the potential for harm. This is leading to a greater focus on improving security protection, and process control system security is rightly a priority for energy companies and governments.
Safe, reliable production operations are critical to energy and utility companies’ health and safety performance, protection of the environment and the public, bottom line and reputation. The systems controlling operations are vital to achieving these goals, which is why my own, and Amor Group’s, definition of process control system security (PCSS) is: “Security is taking action to provide assurance that a process control system does not deviate from normal operation for any reason.”
UK Members of Parliament recently called on the military and security services to ‘wage war’ on cyber criminals and, as with any war, there will be casualties. In a report looking at predictions for IT organisations and users for 2011 and beyond, research company Gartner is predicting that by 2015 at least one G20 nation’s critical infrastructure will be disrupted and damaged by online sabotage. Infrastructure managers are looking to establish an effective security regime that addresses threats and vulnerabilities in their industrial networks.
In oil and gas operations, control systems are operational at every location: onshore in gas plants, oil and gas production locations and refineries; offshore on manned and unmanned platforms; and for pipelines at compressor and pumping stations. Because these systems cover such a plethora of vital areas, it is imperative that organisations are aware of their own vulnerabilities, the specific threats, and how best to deal with these.
That said, in our experience there are many organisations that understand their reliance on process control systems but not the security-related risks to these systems and the potential impact they can have on their operations.
Vulnerabilities and threats
A major problem to overcome is the need for a change in attitudes. Too many people are not convinced of the threat, or of the impact that not having appropriate PCSS in place can have, mainly because they believe “we’ve not had a problem and it won’t happen to us”. Another issue, especially offshore, is that companies believe that because the computer in control of the process isn’t directly connected to the corporate network or the web, it isn’t at risk, when the reality can be very different.
This misplaced belief in the effectiveness of an ‘air gap’ often means computers are left vulnerable to virus infections, simply because their security has never been updated. It is worth noting that on 75 per cent of the installations where we have carried out a check on computers of this type we have found viruses. In essence, it may not have happened to them yet or, more likely, it has, and they don’t know about it.
The vulnerabilities come from internet, wireless, malicious intrusions, hostile hackers, organised crime and often human error (whether intentional or unintentional). There is the threat of data corruption, data theft, equipment damage and safety incidents and as these threats increase, it becomes more and more difficult to ignore the need to improve security and safety measures.
Concern has risen with the migration of Process Control Systems to commercial off-the-shelf computing and communications platforms. The increasing interconnection of industrial control and traditional IT systems can undermine the integrity and security of vital control systems.
One of the reasons vulnerabilities exist is that control systems have traditionally been built to deliver functionality and performance, not security, and are therefore ill equipped to deal with intelligent and persistent security threats.
The vulnerability is heightened further because the ‘attack surface’ is broader, with increasing connectivity of systems to corporate networks and support vendors remotely monitoring systems. Furthermore, there is growing realisation that they are easy to target, meaning there is a real sensitivity that needs to be addressed.
Without the appropriate security and defence measures in place, opportunities exist, as does a belief that these systems are there for the taking. The so-called ‘script kiddies’ (those who use scripts or programmes developed by others to attack computer systems and networks) are relatively easy to defend against as they will usually come up second best against a sophisticated perimeter network or firewall.
However, it is widely agreed amongst IT and PCSS practitioners that the hardest to defend against are Advanced Persistent Threats (APTs). Organisations struggle against these primarily because the APTs are skilful at bypassing defences and evading detection, well financed and, above all else, patient, so they take their time to penetrate organisations. There is a continual attack-and-defend arms race taking place.
The threats can also be internal. It is not unheard of for major errors to occur through staff wittingly or unwittingly making a vital mistake. There is usually such a strong focus on technology as a threat, but in truth people tend to be the weakest link of all. This is usually born out of plain ignorance and ignoring procedures rather than malicious intent. Screening USB sticks before they are allowed to be used on the wider network is one way to stop these accidental breaches for example.
It used to be the case that cyber-attacks would occur in order to damage files and would be easily detectable. The idea behind these was one of disruption and destruction. However, this has changed in recent times with information gathering and crime coming to the forefront. With PCSS it could very much be industrial espionage, for example an environmental campaigner targeting specific companies or an opportunity to blackmail. These viruses are very sophisticated and can go undetected in order to simply gather credentials and vital data that can then be exported and used elsewhere. This is dangerous as the virus could be collating data for months on end without people realising. Damage is being done and nobody is any the wiser.
Impact
Should any of these threats come to fruition, there is a wide spectrum of different impacts they could have on an organisation. This of course depends on the nature of the threat, and there could be anything from low-risk system interruption with a limited impact on production to major disruption, which could mean a shutdown of operations, right through to oil or gas leaks or malfunctions that could put human safety at risk, causing injury or death.
For those who continue to bury their heads in the sand regarding the possible threats, I would point them in the direction of a number of well documented and publicised cases where damage has already been delivered. High-profile attacks such as Stuxnet have successfully delivered their cyber payloads and caused a large amount of damage in systems that were believed to be highly secured.
The Kingsnorth power station shutdown, the Olympic pipeline explosion and the Natanz Nuclear Uranium Enrichment Plant Stuxnet attack (where the devices attacked were in a secure underground facility) are just three large security breaches that have made headlines in recent times. A deliberate attack by disgruntled employees, or an attack from outside the organisation, is much harder to protect against than those created accidentally.
Because of this, PCSS has become recognised as an increasingly business critical issue for energy and utility companies globally.
Applying security
Our experience is that the key thing that frequently triggers interest in process control system security is internal and partner audits, which have highlighted weakness or concerns in a company’s systems. Also, interest may arise as a corporate initiative, or perhaps an incident has already happened and systems need to be addressed.
Organisations must know what control systems they have, how they are interconnected, understand the risks and take appropriate steps to mitigate those risks. As a result, they will have increased their understanding of PCSS threats, enhanced security and learned how to manage their PCSS stance.
A holistic approach is required, by looking not just at systems and network security but the organisation’s security management system, policies and standards, training and physical security.
Prioritising risks and tackling them piece by piece will help ensure that they remain manageable. It is crucial to understand process control system security as being good business practice and not just as a cost. Security culture needs to be viewed much in the same way as health and safety culture exists in business. It should be viewed as a journey, not a destination.
Amor Group
Andrew Wadsworth is head of process control security at Amor Group, which has over 20 years’ experience of delivering scalable IT managed services and application developments to clients in the global oil and gas industries. Operating from bases in Aberdeen, Houston and Glasgow, Amor’s services range from co-sourcing to fully managed IT services, and from process control system security solutions to application development.
For further information please visit: www.amorgroup.com/energy