The WannaCry ransomware that attacked Windows-related equipment in May provided yet another stinging punch to IT and operations managers on the importance of sound security strategies. The malware didn’t specifically target industrial control system (ICS) networks, but as Automation World reported at the time, some manufacturing production networks were impacted by the WannaCry attack nonetheless.
The good news, though, is advanced security systems can quickly identify security threats or equipment anomalies in the plant or remote field networks in real time. A recent application with an oil supermajor rig exploration contractor reveals how Israel-based Claroty provides anomaly detection and secures remote access to four separate operational platforms on the vessel, with one comprehensive view.
Network security policy is in new territory for some rig contractors as more supermajors require security measures from exploration and production (E&P) vessels. “We spent the first six months of this project with a company to assist us in creating about 54 pages of policies and procedures related just to industrial cybersecurity,” the oil rig contractor relates.
For the most part, oil supermajors can no longer rely on their networks being air gapped. These exploration vessels are connected directly to the rig contractor’s main IT network, which resides on the Internet. Recognizing asset anomalies more quickly has become an essential requirement.
The exploration vessels include four separate operational platforms—for power generation, positioning, blowout prevention and drilling. “We weren’t interested in trying to manage individual security solutions across multiple vendor networks,” the rig contractor says. “We wanted one solution that was capable of collecting operational data across all four networks and providing it in one dashboard.”
The separate operational platforms on these $800 million exploration vessels include many different industrial protocols, such as Kongsberg Proprietary for dynamic positioning and Ethernet and Modbus for the blowout prevention platform. Claroty’s Secure Operations Platform integrates these different protocols into a cohesive visual offering, but also provides deep packet inspection (DPI).
“A lot of our intellectual property (IP) is our dissectors,” says Patrick McBride, chief marketing officer at Claroty. “This IP allows us to understand different data from different network protocols and conversations between assets within an operating environment. For example, we can understand an operator’s routine with a PLC, such as three changes a week, and deem that’s normal.”
To understand this semantic relationship in operational environments, the security system performs baseline modeling for all of the platforms on the exploration rig. “We go into learning mode for some period, depending on kind of the natural cycle of the plant or operation,” McBride says. The process can take 30-45 operational days before the software completes its learning cycle and produces a high-fidelity system.
A key selling point for Claroty’s offering was being able to mirror operational data to remote enterprise monitoring centers and not interfere with the operational networks. Replicating the data required managed switches; two of the operating platforms—the drilling control and blowout prevention platforms—already had these in place. “On a managed switch, an Ethernet port is configured for SPAN [switched port analyzer], and it’s basically taking a copy of all the traffic that goes across the network and dumping it out that port,” McBride says.
With this design in place, asset data is sent to a server that creates an asset inventory of the vessel. The software assigns “relative risk ratings” to different components on the vessel, such as the programmable logic controller (PLC) controlling the drilling system. This also starts the contextual relationship part of the security solution, where the system begins to dig deep to find why certain IP addresses talk to each other and what’s being exchanged.
This application included multiple networking vendors for the separate working platforms: Siemens, Hirschmann, Cisco and Moxa. Additional managed switches were introduced to the vessel, with a further 20 switches added to the blowout prevention subsystem. “There can be some network engineering with applications, but mostly we’re plugging into managed switches,” McBride says.
Continuous operational data is fed to an internal security operations center (SOC), but the feed also goes to a Cisco operations center for 24/7/365 monitoring. A key ingredient of effective alert detection is reducing the number of extraneous notices reaching SOC staff. The software, via DPI, captures granular details and creates consolidated alerts rather than raising one notice per event.
“Our software gathers state data for PLC configurations. And due to our modeling, we can create a specific alert that will contain 15-20 different anomalous events,” McBride says. “For the remote staff, we’re shortening the identification cycle and accelerating communication to the vessel.”
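The learning-mode baseline described above and the roll-up of many anomalous events into a single alert can be sketched in a small model. The following is an added example written for this article, not Claroty's software: the host addresses, the Modbus/S7 operation names, the 35-day learning window and the tolerance factor are all constructed assumptions. It learns a per-conversation weekly rate (an operator's "three changes a week" to a PLC), then flags conversations never seen during learning or running well above their learned rate, and finally consolidates everything aimed at one asset in one week into a single alert.

```python
"""Learning-mode baseline and consolidated anomaly alerts for an OT traffic feed.

Added example written for this article, not Claroty's software. The traffic
records, host addresses, protocols and learning window are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One observed operation between two assets (what a DPI dissector would emit)."""
    day: int    # operational day index since monitoring began
    src: str
    dst: str
    proto: str
    op: str     # e.g. "read", "write", "config_download"


def conversation(e):
    return (e.src, e.dst, e.proto, e.op)


def build_baseline(events, learning_days):
    """Learning mode: for each conversation seen in the learning window,
    record its mean number of occurrences per week."""
    counts = Counter(conversation(e) for e in events if e.day < learning_days)
    weeks = learning_days / 7
    return {conv: n / weeks for conv, n in counts.items()}


def detect(events, baseline, learning_days, tolerance=2.0):
    """Detection mode: after learning ends, flag a conversation that was never
    seen in the baseline, or one whose weekly count exceeds tolerance x its
    learned weekly rate. Returns (event, reason, week) tuples."""
    anomalies = []
    weekly = Counter()
    for e in events:
        if e.day < learning_days:
            continue
        conv, week = conversation(e), (e.day - learning_days) // 7
        if conv not in baseline:
            anomalies.append((e, "unseen conversation", week))
            continue
        weekly[(conv, week)] += 1
        if weekly[(conv, week)] > max(1, tolerance * baseline[conv]):
            anomalies.append((e, "rate above baseline", week))
    return anomalies


def consolidate(anomalies):
    """Roll anomalous events up per (target asset, week) into one alert so the
    SOC sees a single notice instead of one per packet."""
    groups = defaultdict(list)
    for e, reason, week in anomalies:
        groups[(e.dst, week)].append((e, reason))
    alerts = []
    for (asset, week), items in sorted(groups.items()):
        alerts.append({
            "asset": asset,
            "week": week,
            "event_count": len(items),
            "reasons": Counter(reason for _, reason in items),
            "sources": sorted({e.src for e, _ in items}),
        })
    return alerts


def constructed_feed():
    """Constructed traffic: an HMI polling and occasionally writing to a drilling
    PLC, an engineering station downloading a configuration once, then, after
    learning ends, an unknown host writing to the PLC and the HMI issuing a burst."""
    hmi, eng, plc, rogue = "10.0.1.5", "10.0.1.7", "10.0.2.10", "10.0.1.99"
    events = []
    for day in range(42):                      # 5 learning weeks + 1 detection week
        events.append(Event(day, hmi, plc, "modbus", "read"))      # routine polling
        if day % 7 in (0, 2, 4):               # about three writes a week
            events.append(Event(day, hmi, plc, "modbus", "write"))
    events.append(Event(10, eng, plc, "s7comm", "config_download"))  # rare but normal
    events.append(Event(36, rogue, plc, "modbus", "write"))          # never seen in learning
    events.extend(Event(38, hmi, plc, "modbus", "write") for _ in range(20))  # burst
    events.append(Event(40, eng, plc, "s7comm", "config_download"))  # within baseline
    return sorted(events, key=lambda e: e.day)


if __name__ == "__main__":
    LEARNING_DAYS = 35
    feed = constructed_feed()
    baseline = build_baseline(feed, LEARNING_DAYS)
    for alert in consolidate(detect(feed, baseline, LEARNING_DAYS)):
        print(alert)
```

On the constructed feed the HMI's write rate learns as 3.0 per week, so the burst of 20 writes produces 17 flagged events once the week's count passes the tolerance threshold, the rogue host's single write is flagged as an unseen conversation, and the engineering station's second configuration download stays within its learned rate. All 18 anomalies against the PLC collapse into one alert, which is the shape of the "15-20 anomalous events in one alert" behaviour the article describes.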