The oil and gas industry might want to keep its operations shut off from the outside world because of ever-escalating concerns about cybersecurity, especially for such critical infrastructures. But the gains of connected assets are just too vital to ignore; optimization of enterprises is the key motivator and remote access is an important consideration. Chevron maintains that its critical systems are air gapped, but just about any discussion around cybersecurity these days includes the point that isolating your operations 100 percent is nigh impossible (you might want to check that new printer that was just installed to see if you need to disable its web connection).
The inevitability of transferring data from an industrial automation and control system (IACS) to the outside world—and the importance of keeping that data, network and core environment secure—has led the Linking Oil and Gas Industry to Improve Cybersecurity (LOGIIC) to commission a report detailing the factors that should be considered with real-time data transfer (RTDT) products.
It’s no secret that legacy control systems were not built with cybersecurity in mind. Automation vendors have been making progress over the past few years, advising clients on how best to secure their networks through strong defense-in-depth practices. More recently, some of them have even begun to talk more about making their industrial automation and control systems secure by design. There is still room for improvement, however, and plenty that oil and gas companies need to be concerned about to protect their security.
On LOGIIC’s behalf, the Automation Federation has released a public report that details the technical, security and operational factors that should be evaluated prior to the selection and implementation of commercially available RTDT products. Although the report identified some positive security steps that automation vendors have taken to improve their products, it also detailed areas that could create threat vectors and compromise the integrity of the data.
Because RTDT technologies transfer real-time data outside of IACS environments, they must meet rigorous standards to ensure the protection of those core assets, data and operational stability. The objective of LOGIIC’s Real-Time Data Transfer Project report was to highlight the vital factors that should be weighed when considering an RTDT project, and to help critical infrastructure operators understand what they should be asking their automation vendors.
Through a series of research surveys and studies, LOGIIC specifically looked at the applicability and cybersecurity capabilities of available products that collect and move data from Level 2 and 3 to Level 3.5, 4 and beyond (including data collection systems that reside in the core IACS architecture, and servers and clients that manipulate those data sets). They were particularly interested in RTDT used for health and monitoring, trending analysis, decision support and situational awareness, and data sharing with strategic partner systems, and they conducted hands-on studies of RTDT offerings in an IACS laboratory environment to test various scenarios.
There were some positive security attributes that the study revealed among RTDT products, making them more inherently secure:
- Correct implementation of encryption
- Use of packet integrity and packet privacy
- Up-to-date patching
- Disabling unnecessary ports and services
- Protection of data at points of rest during the overall transfer through database security or access control
- Protection of application log files with access controls, and ensuring their contents cannot support an adversary’s attempt to gather detailed information on the application, certificates or key exchange
- Removal of default settings
- Careful consideration of network devices at all levels
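The attributes above read naturally as an acceptance checklist for an RTDT host. The script below is an added example, not code from LOGIIC, the Automation Federation or any vendor: it audits a constructed description of an RTDT collector against those attributes (channel encryption and integrity, patch age, exposed versus required ports, data-at-rest access control, log file permissions, and leftover default credentials) and returns coded findings. The thresholds (TLS 1.2 minimum, 90-day patch age) and the `RtdtDeployment` fields are assumptions chosen for the example, not figures from the report.

```python
"""Audit a real-time data transfer (RTDT) host description against the
positive security attributes listed in the LOGIIC report. Added example;
the deployment description and thresholds are constructed, not from the report."""
import os
import stat
import tempfile
from dataclasses import dataclass

# Baseline thresholds are assumptions for this example, not figures from LOGIIC.
MIN_TLS_VERSION = (1, 2)
MAX_PATCH_AGE_DAYS = 90


@dataclass
class RtdtDeployment:
    """Constructed description of one RTDT data-collection host (hypothetical fields)."""
    tls_version: tuple                # negotiated TLS version as (major, minor)
    packet_integrity: bool            # MAC/AEAD protection on the transfer channel
    days_since_patch: int             # age of the newest applied patch set
    listening_ports: set              # TCP ports the host actually exposes
    required_ports: set               # ports the product documents as necessary
    staging_db_access_control: bool   # access control on the data-at-rest staging store
    log_paths: list                   # application log files to check
    default_credentials_present: bool # vendor defaults still configured


def audit(dep: RtdtDeployment) -> list:
    """Return (code, detail) findings; an empty list means every check passed."""
    findings = []
    if dep.tls_version < MIN_TLS_VERSION:
        findings.append(("WEAK_TLS", "TLS %d.%d is below the minimum version" % dep.tls_version))
    if not dep.packet_integrity:
        findings.append(("NO_INTEGRITY", "transfer channel lacks packet integrity protection"))
    if dep.days_since_patch > MAX_PATCH_AGE_DAYS:
        findings.append(("STALE_PATCH", f"{dep.days_since_patch} days since last patch"))
    # Every listening port that the product does not need is unnecessary exposure.
    for port in sorted(dep.listening_ports - dep.required_ports):
        findings.append(("EXTRA_PORT", f"port {port} is listening but not required"))
    if not dep.staging_db_access_control:
        findings.append(("DB_UNPROTECTED", "staging database has no access control"))
    # Log files must not be readable or writable beyond the owning account.
    for path in dep.log_paths:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IWGRP):
            findings.append(("LOG_PERMS", f"{path} mode {oct(mode)} exposes log contents"))
    if dep.default_credentials_present:
        findings.append(("DEFAULT_CREDS", "vendor default credentials still configured"))
    return findings


def _run(hardened: bool) -> list:
    """Build a constructed weak or hardened deployment and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "rtdt-collector.log")
        open(log, "w").close()
        os.chmod(log, 0o640 if hardened else 0o644)  # 0o644 is world-readable
        dep = RtdtDeployment(
            tls_version=(1, 2) if hardened else (1, 0),
            packet_integrity=hardened,
            days_since_patch=30 if hardened else 200,
            listening_ports={443} if hardened else {443, 23, 8080},
            required_ports={443},
            staging_db_access_control=hardened,
            log_paths=[log],
            default_credentials_present=not hardened,
        )
        return audit(dep)


def weak_findings() -> list:
    """Finding codes for the constructed weak deployment."""
    return [code for code, _ in _run(hardened=False)]


def hardened_findings() -> list:
    """Finding codes for the constructed hardened deployment (expected: none)."""
    return [code for code, _ in _run(hardened=True)]


if __name__ == "__main__":
    for code, detail in _run(hardened=False):
        print(f"{code:15s} {detail}")
    print("hardened deployment findings:", hardened_findings())
```

The checks are deliberately independent so a procurement team can map each finding code back to one line of the checklist; the port check in particular compares what the host actually exposes against what the vendor documents as required, which is the question to put to the automation vendor before the product is accredited.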
This is certainly a good starting point when looking at the differences between possible solutions. The report also identified other critical factors that should be involved in analyzing RTDT products prior to their selection and implementation, including:
- Differences between automation vendor and third-party solutions
- Product footprint and management
- The use of third-party components within automation vendor solutions
- Networking components
- Importance of encryption
- Networking and packet handling
- Layered security
- Use and maintenance of the product
The study noted some interesting differences between offerings from automation vendors and third-party providers. Automation vendors tend to package hardware, software and networking components all together, creating a larger footprint, with more components requiring security and management. Third-party vendors, on the other hand, tend toward software-only solutions to be implemented on existing assets, thereby creating a smaller attack surface. That said, however, the larger packages are typically installed by the automation vendor, accredited, and included in broader patch management plans.
According to LOGIIC, the project helps its members—including large global oil and gas companies such as BP, Chevron, Shell and Total—not only understand the current vulnerabilities and risks associated with emerging RTDT offerings, but also to have ongoing discussions with their suppliers to introduce further solutions.
LOGIIC was established more than a decade ago by members of the oil and gas industry in partnership with the U.S. Department of Homeland Security (DHS), Science and Technology Directorate (S&T), Cyber Security Division (CSD) to study cybersecurity issues in IACS specific to the oil and gas sector. The Automation Federation serves as the LOGIIC host organization.
You can read the full report here.