SecurityWeek

Security Infrastructure

We Are Not Paranoid: Protecting the Digital Oil Field

My mantra has always been to over-protect, especially when the network being protected is critical.

This opinion has been somewhat validated by the recent incident with a small water utility’s SCADA system, resulting in damage to pumping equipment. While a water pump failure in a small township isn’t exactly a national threat, there are SCADA and industrial control systems that are just as vulnerable. Consider energy generation and the transmission and distribution of energy. I used to think of the “Smart Grid” as the pinnacle of my pseudo-paranoid call for cyber security because of the massive attack surface that it presents. When I was recently introduced to “Smart Fields” I was fully prepared to cringe within a shroud of renewed skepticism. The digital oil field uses more intelligent devices at all stages of oil production—drilling, piping, storage, refining and delivery—in order to lower costs and improve safety. At the same time, just like with “smart” electric grids, this added intelligence opens up a potential new attack surface.

Fortunately, this exciting evolution in the oil industry is being spearheaded by a kindred spirit. Someone who understands that the paradox of smart automation systems can only be combatted with diligent cyber security measures. Why use one firewall when you could use a firewall and an Intrusion Prevention System? Why trust the network when traffic analysis tools can indicate threat patterns? Why trust anything, for that matter? Lock down the controls, separate and segregate everything. Add security until your CFO breaks down in tears, because in truly Critical Infrastructure the ROI of cyber security is measured in human lives.

I say this a lot, and I hear the same response a lot: “you’re paranoid.” Well, you know what? I’m not alone, and we are not paranoid.

I use “we” instead of “I” because of the aforementioned kindred spirit—an ally, if you will, in the cyberwar. Through him I was exposed to one of the best cyber security plans that I’ve seen in a while. How does it work?

The plan is designed specifically to protect the “Digital Oil Field,” and it answers issues of accessibility and vulnerability by heightening awareness and implementing the best security controls available today. It is built using multiple security perimeters: one separating the process control system from the process information system; and then another separating the process information system from the rest of the business network. That final separation uses a DMZ to further strengthen that barrier, requiring every session to be terminated and reestablished before crossing that very important digital divide. Firewalls, Intrusion Prevention Systems, and even Network Behavior Anomaly Detection (NBAD) systems are used to control known policies, block known attacks, and detect patterns of unknown attack. Replace “PCN and PIN” with “ICS and SCADA,” and you have essentially the same cyber defense architecture described in my book.

But with digital oil fields at stake, there’s another perimeter that needs consideration. It sits between the PIN and the field stations—protecting the programmable logic controllers at their most physically vulnerable locations—the well heads. This is where the hard work of products like the Tofino firewall or the Zenwall industrial protocol filter come into play, and it’s encouraging to see a critical operator investigating these types of tools.
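The layered perimeters in the two paragraphs above can be written down as a checkable policy, so that proposed firewall rules are audited against the architecture rather than reviewed by eye. This is an added illustration, not code from the column or from the operator it describes: the zone order (field stations, PCN, PIN, DMZ, business network) follows the text, while the protocol names allowed across each perimeter are assumed for illustration.

```python
from collections import namedtuple

# Zones ordered from the well heads outward to the business network.
ZONES = ["FIELD", "PCN", "PIN", "DMZ", "BUSINESS"]

# Protocols the filter at each perimeter may pass (assumed values for
# illustration); FIELD/PCN models the industrial protocol filter at the well heads.
PERIMETER_ALLOW = {
    ("FIELD", "PCN"): {"modbus/tcp"},
    ("PCN", "PIN"): {"opc-ua"},
    ("PIN", "DMZ"): {"https"},
    ("DMZ", "BUSINESS"): {"https"},
}

Flow = namedtuple("Flow", "src dst protocol")

def check_flow(flow):
    """Return (allowed, reason) for one proposed session."""
    if flow.src not in ZONES or flow.dst not in ZONES:
        return False, "unknown zone"
    i, j = ZONES.index(flow.src), ZONES.index(flow.dst)
    if i == j:
        return True, "intra-zone, no perimeter crossed"
    # A session may cross one perimeter only; anything farther must be
    # terminated and re-established in the next zone (the DMZ rule above).
    if abs(i - j) > 1:
        relay = ZONES[i + 1] if j > i else ZONES[i - 1]
        return False, f"crosses {abs(i - j)} perimeters; terminate in {relay}"
    boundary = tuple(sorted((flow.src, flow.dst), key=ZONES.index))
    if flow.protocol not in PERIMETER_ALLOW[boundary]:
        return False, f"{flow.protocol} not permitted across {'/'.join(boundary)}"
    return True, "permitted"

def audit(flows):
    """Return (flow, reason) for every proposed flow the policy rejects."""
    results = [(f, check_flow(f)) for f in flows]
    return [(f, reason) for f, (ok, reason) in results if not ok]

# Constructed sample ruleset mixing compliant and non-compliant proposals.
PROPOSED = [
    Flow("BUSINESS", "DMZ", "https"),    # ok: terminates in the DMZ
    Flow("BUSINESS", "PIN", "https"),    # bad: skips the DMZ
    Flow("PCN", "FIELD", "modbus/tcp"),  # ok: control traffic to the PLCs
    Flow("PIN", "FIELD", "modbus/tcp"),  # bad: two perimeters to the well heads
    Flow("FIELD", "PCN", "https"),       # bad: the field filter passes modbus only
]

if __name__ == "__main__":
    for flow, reason in audit(PROPOSED):
        print(f"REJECT {flow.src}->{flow.dst} {flow.protocol}: {reason}")
```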

This all makes sense, although some may make those familiar accusations of paranoia. But it gets even better when you add in DLP. DLP, or Data Loss Prevention, is designed to prevent information from being stolen or “leaked” from the network. It’s widely used in large enterprises, financial institutions and hospitals. It protects credit cards, and patient health data, and personal identities. It does not, many might argue, have any relevance to industrial control systems cyber security … but those people would be wrong. Consider Night Dragon, Shady Rat, and now the newest Stuxnet variant, Duqu. “Information theft” could indicate a reconnaissance effort for a larger attack. While only Night Dragon represents information theft directed specifically at control systems, the increasing presence of APT and industrial espionage is starting to converge with the increasing number of threats against control systems. In this light, protecting sensitive information about an industrial control system could be the ultimate preventative measure.

That was the “how”; what about the “why?” To that, my kindred spirit had a clear and concise answer: “because if I can save a single life, it is all worth it.” This is critical infrastructure, remember? So no, we are not paranoid.
