New Industrial Security article: ICS Security for Oil and Gas Applications

Sept. 24, 2014
This year, the Belden Industrial Ethernet Infrastructure Design Seminar is being held in Houston and therefore a number of the sessions are focusing on applications for the oil and gas sector.

I had the privilege of attending Scott Howard’s session on cyber security. In it, he reviewed the primary goals of cyber security measures in industrial networks:

  • To improve safety
  • To reduce downtime
  • To increase productivity

In other words, the goals of cyber security are the same as the core goals of most manufacturing teams.

This article reviews the cyber security fundamentals that Scott described and also explains how Belden’s products fit into industrial networking solutions. In Part 2 of this article, I will look at three specific oil and gas applications discussed by Scott and describe a cyber security solution for each scenario.

Industrial Cyber Security Threat Sources
Over the past few years, there have been a number of high-profile, advanced malware threats that have attacked the energy sector (e.g., Stuxnet, Flame, Shamoon). While these are significant threats that need to be taken into account in oil and gas industry risk assessments, the fact is that they account for a low number of overall threat sources.

Scott explained that most threats come from inside the industrial network. Industry research shows that threat sources break down as follows:

Industrial networks are susceptible to internal incidents because many PCs on the network run 24 hours per day, seven days a week, and do not have antivirus protection. In addition, there are many ways for malware to enter control networks, such as USB keys, maintenance systems and the laptops of visitors. Controllers designed for real-time I/O, and not robust network communications, may not respond well to malformed messages or high levels of traffic. Finally, many industrial networks are “wide open” with no isolation between sub-systems, making it easy for problems to spread.

Perimeter Defense is Not Enough for Industrial Security

You may think that because a firewall protects the edge of a network, the plant network is secure. However, as we just explained, many cyber security incidents originate from within industrial networks. Therefore, additional security measures need to be taken in order to harden control networks.

The best approach to take is one of Defense in Depth, i.e. where there are multiple layers and types of security in place. The best guidelines for this are the ISA/IEC 62443 (formerly ISA99) standards which recommend defining “zones” within networks and allowing the zones to communicate only through secure “conduits.” With this method, only the minimum necessary network traffic passes between zones and unusual traffic generates alarms and is blocked.
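The zone-and-conduit model described above can be expressed as a default-deny policy check. The sketch below is an added example, not part of the original article or any Belden product. The zone names, subnets, conduit list and sample flows are constructed for illustration, and allowing intra-zone traffic is an assumption of this sketch.

```python
import ipaddress

# Constructed zone map (names and subnets are assumptions for illustration).
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "supervisory": ipaddress.ip_network("192.168.10.0/24"),
    "control": ipaddress.ip_network("192.168.20.0/24"),
}

# Conduits: the only permitted inter-zone flows (src zone, dst zone, protocol, dst port).
CONDUITS = {
    ("enterprise", "supervisory", "tcp", 443),  # business users reaching a historian
    ("supervisory", "control", "tcp", 502),     # HMI polling PLCs over Modbus TCP
}

def zone_of(addr):
    """Return the name of the zone containing addr, or None if it is unassigned."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None

def evaluate(src, dst, proto, dport):
    """Return (action, reason) for one flow; anything without a conduit is blocked."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return ("block+alarm", "address outside any defined zone")
    if src_zone == dst_zone:
        return ("allow", f"intra-zone traffic in {src_zone}")
    if (src_zone, dst_zone, proto, dport) in CONDUITS:
        return ("allow", f"conduit {src_zone}->{dst_zone} {proto}/{dport}")
    return ("block+alarm", f"no conduit {src_zone}->{dst_zone} {proto}/{dport}")

# Constructed sample flows, not captured traffic.
FLOWS = [
    ("192.168.10.5", "192.168.20.11", "tcp", 502),     # HMI to PLC
    ("10.10.3.7", "192.168.20.11", "tcp", 502),        # office PC straight to a PLC
    ("192.168.20.11", "192.168.20.12", "tcp", 44818),  # PLC to PLC in one zone
    ("172.16.0.9", "192.168.10.5", "tcp", 443),        # unassigned visitor laptop
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", evaluate(*flow))
```
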

Why IT Solutions Do Not Work for Plant Networks

IT professionals have been successfully dealing with cyber security threats for years. Why can’t these same solutions be applied to control and SCADA networks? Here’s why:

  • Control devices cannot be secured with automated third-party tools.
  • Patching or updating PLCs is usually not practical.
  • Manufacturing networks cannot be shut down for testing, configuration and maintenance, as is done with business networks. Instead, industrial security products must be set up and maintained while the plant network is running.
  • Industrial networks use unique communication protocols not seen in the IT world and not addressed by IT security products.
  • Plants require hardened equipment that can survive harsh electrical and environmental conditions.
  • Also, plant networking equipment needs to work for decades, whereas IT gear has a lifecycle measured in years.

Finally, engineering staff need cyber security solutions that are simple to use. While you are an expert in making products or programming PLCs, you are likely not a cyber security expert. Thus, industrial cyber security solutions need to be easy to use, in order to minimize human error in set-up and ongoing use.

Getting Started on Cyber Security

The first place to start to improve cyber defenses is to do a risk assessment. If you are unsure of how to conduct one, there are links to resources that will help at the bottom of this article.

Alternatively, you could work with one of Belden’s security partners, such as Cylance, exida or Securicon. These companies can help you develop and implement a security plan both quickly and cost effectively.

Once a plan is underway, use the Security Lifecycle (shown below) to guide your actions for keeping defenses up to date.

Belden's Industrial Cyber Security Solution

Belden’s product line supports security at many levels of communication, including at the physical level with high-reliability cables and at the data level with switches that have many built-in security features. At the network level and higher in the OSI model, we have security-specific products that include EAGLE routers and Tofino Security appliances.

In general, use the EAGLE family of routers and firewalls to secure the EDGE of networks. They are Layer 3 routers with firewalls and stateful packet inspection. They also have VPN capabilities for securing connections between untrusted networks.

Use the Tofino family of products to secure the CORE of industrial networks. The Tofino Security Appliance is a Layer 2 bridge with no IP address that can be installed without disrupting live networks and with no changes to network design. It provides high levels of security using a "whitelist" approach that allows for simple deployment.

The Tofino product line also includes modules that do content inspection (also known as Deep Packet Inspection) for popular industrial protocols, such as Modbus TCP, OPC Classic and EtherNet/IP. This capability inspects messages and only allows approved types of messages through. For example, it can allow read messages to pass through the firewall while blocking write messages.
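To show what a read-only content inspection rule for Modbus TCP has to check, here is an added example; it is not Tofino's implementation or code from the original article. It parses the MBAP header of a request, rejects malformed frames, and permits only the standard read function codes. The sample frames are constructed, and the function name `inspect` is hypothetical.

```python
import struct

# Public Modbus function codes. Reads are whitelisted with their maximum
# quantity per request; everything else is denied.
READ_LIMITS = {0x01: 2000, 0x02: 2000, 0x03: 125, 0x04: 125}
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}

def inspect(frame: bytes):
    """Return (action, reason) for one Modbus TCP request under a read-only policy."""
    if len(frame) < 8:
        return ("block", "truncated frame")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return ("block", "protocol id is not Modbus")
    # The MBAP length counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6 or length > 254:
        return ("block", "length field does not match frame")
    fc = frame[7]
    if fc in WRITE_CODES:
        return ("block", f"write function 0x{fc:02X}")
    if fc not in READ_LIMITS:
        return ("block", f"function 0x{fc:02X} not on whitelist")
    # A read request PDU is exactly: function code, start address, quantity.
    if length != 6:
        return ("block", "malformed read request")
    _addr, qty = struct.unpack(">HH", frame[8:12])
    if not 1 <= qty <= READ_LIMITS[fc]:
        return ("block", "read quantity out of range")
    return ("allow", f"read function 0x{fc:02X}")

# Constructed sample requests (hex), not captured traffic.
SAMPLES = {
    "read 10 holding registers": "00010000000601030000000a",
    "write single register": "0002000000060106000100ff",
    "length field lies about size": "00030000000601030000",
    "read 2000 holding registers": "0004000000060103000007d0",
    "diagnostics request": "000500000006010800000000",
}

if __name__ == "__main__":
    for label, hexframe in SAMPLES.items():
        print(f"{label}: {inspect(bytes.fromhex(hexframe))}")
```

The whitelist is deliberately default-deny: a function code that is neither a known read nor a known write is blocked rather than passed.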

Cyber Security for Oil and Gas Applications

In Part 2 of this series, I will look at cyber security solutions for three oil and gas applications: an offshore platform, an oil refinery and a pipeline system. We will look at the network diagrams of each application and show where EAGLE or Tofino devices can be added as part of a Defense in Depth security strategy.

Download the Application Note: "Implementing Cyber Security in Offshore Oil and Gas Platforms" here
