Downstream Facilities Face Threats from Real & Virtual Worlds

How well is your refinery, pipeline or other facility protected from unsavory denizens of cyberspace?

Recent uprisings in oil and gas industry hubs such as Libya, Bahrain, Egypt and Algeria provide vivid reminders that refineries, pipelines and other critical infrastructure often operate in politically unstable regions. The fact that the industry has for decades managed to function in such restive environments testifies to the skill and perseverance of onsite personnel.

More insidious but no less threatening to the smooth operation of oil and gas installations are threats from the virtual world such as computer viruses, Trojans, worms and other unsavory denizens of cyberspace. Malicious software ("malware") and hacking attacks, regularly unleashed into this nebulous world, constitute major threats that can disable the computer systems upon which these facilities rely. Supervisory control and data acquisition (SCADA) systems that monitor and control refineries, pipelines and numerous other types of industrial facilities are attractive targets for those perpetrating these attacks.

"Any IT system, SCADA system or network can be vulnerable if there is a connection to the Internet—and it doesn't have to be a direct connection either," said Adrian Davis, principal analyst with the London-based Information Security Forum (ISF). The ISF is an independent, not-for-profit organization that develops best practices for combating information security threats to its members, many of which are companies on the prestigious Fortune 500 and Forbes 2000 lists.

There are hackers and then there are hackers

"Hacker" is a broad term that can refer to perpetrators whose attacks stem from motives ranging from boredom to malevolence. The effects of their cyber-handiwork to an oil and gas facility can run the gamut from mildly irritating to devastating. Davis said that hackers can fall into four different groups based on their abilities and intentions.

You've been hacked. Now what?

Indicators that your facility's SCADA or computer system may have been hacked include inconsistent system behavior, slow system response, the inability to log on and excessive bandwidth consumption.

Note that such signs do not always accompany an attack. ISF's Adrian Davis cautions that more advanced attacks may not leave many traces such as those mentioned above.

"Often, the only way to determine if a hack has occurred is to review system logs for unusual activity, review network logs for unusual IP addresses and perform digital forensics of systems," Davis said.
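The two log checks Davis describes, reviewing authentication logs for unusual activity and network logs for unfamiliar IP addresses, can be scripted. The following is an added example, not code from the article or the ISF: it parses constructed syslog-style lines (the firewall and HMI log formats, host names and address ranges are assumptions made up for the demonstration) and flags sources outside a known allowlist that reached the control network, sources with repeated logon failures, and the brute-force-then-success pattern in which failures are followed by a successful logon from the same address.

```python
"""Review network and authentication logs for hacking indicators.

Added example (not from the article or the ISF). The log formats,
host names and address ranges below are constructed assumptions.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed: address ranges that legitimately talk to the control network.
KNOWN_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("192.168.50.0/24")]

# Assumed (constructed) log formats: firewall connection records and the
# authentication log of an HMI / engineering workstation called hmi01.
CONN_RE = re.compile(
    r"fw: ACCEPT src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)
AUTH_RE = re.compile(
    r"hmi01 login: (?P<result>FAILED|OK) user=(?P<user>\S+) from (?P<src>[\d.]+)"
)

# Constructed sample log: one outside address reaches the Modbus/TCP port
# (502) on a controller, fails three logons on the HMI, then succeeds.
SAMPLE_LOG = """\
Mar 12 02:14:01 fw: ACCEPT src=10.20.4.17 dst=10.20.1.5 dport=502
Mar 12 02:14:03 fw: ACCEPT src=203.0.113.77 dst=10.20.1.5 dport=502
Mar 12 02:14:07 hmi01 login: FAILED user=operator from 203.0.113.77
Mar 12 02:14:09 hmi01 login: FAILED user=operator from 203.0.113.77
Mar 12 02:14:11 hmi01 login: FAILED user=admin from 203.0.113.77
Mar 12 02:14:14 hmi01 login: OK user=admin from 203.0.113.77
Mar 12 02:15:00 hmi01 login: OK user=operator from 10.20.4.17
Mar 12 02:15:30 fw: ACCEPT src=192.168.50.9 dst=10.20.1.6 dport=502
"""


def is_known(src):
    """True if the source address falls inside one of the allowlisted ranges."""
    addr = ip_address(src)
    return any(addr in net for net in KNOWN_NETWORKS)


def review_logs(text, fail_threshold=3):
    """Scan log lines and return the findings a reviewer would want to see.

    unknown_sources: non-allowlisted addresses and the control-network
                     destinations (host:port) they reached.
    brute_force:     addresses with at least fail_threshold logon failures.
    success_after_failures: brute-force addresses that later logged on OK.
    """
    unknown = {}            # src -> set of "dst:dport" reached
    failures = Counter()    # src -> number of FAILED logons
    succeeded_after_fail = set()

    for line in text.splitlines():
        conn = CONN_RE.search(line)
        if conn:
            if not is_known(conn["src"]):
                unknown.setdefault(conn["src"], set()).add(
                    f"{conn['dst']}:{conn['dport']}"
                )
            continue
        auth = AUTH_RE.search(line)
        if auth:
            if auth["result"] == "FAILED":
                failures[auth["src"]] += 1
            elif failures[auth["src"]] > 0:
                # Counter returns 0 for unseen keys, so only sources with
                # earlier failures land here.
                succeeded_after_fail.add(auth["src"])

    brute = {src: n for src, n in failures.items() if n >= fail_threshold}
    return {
        "unknown_sources": {s: sorted(d) for s, d in unknown.items()},
        "brute_force": brute,
        "success_after_failures": sorted(succeeded_after_fail & set(brute)),
    }


if __name__ == "__main__":
    for name, finding in review_logs(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

The script only surfaces noisy indicators; as Davis cautions, a careful intruder may leave none of these traces, so the allowlist and the failure threshold are starting points for review, not proof of a clean system.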

If you suspect that hackers have broken into your system, Davis offers the following advice:

  • Don't panic. Davis said that many of the technologies, processes and procedures available and in place do provide a level of security that will deter or defend against many of the threats companies face in cyberspace.

  • Conduct a risk assessment. Davis explained that a risk assessment will help you to understand (a) why your company might be a target, (b) the impact to your business if you became a target, (c) the threats to your company, (d) the vulnerabilities present and (e) the likelihood of one or more threats materializing or one or more vulnerabilities being exploited. "Using the results of this exercise, the controls that best protect your company can be selected, or other mitigation measures put in place," he said.

  • You are not alone. "Other businesses face the same challenges," said Davis. "Talk to your peers inside and outside your industry and understand the similarities and differences in the approaches you take."

  • Think forward. Assessing and recovering from a suspected attack are certainly important, but Davis encourages companies to use the experience as a valuable learning opportunity. "Yes we have to deal with today's issues, but what about tomorrow," he said. "What can you learn, what can you do to prepare yourself and your company for the challenges to come?"

An attack from the first type of hacker is relatively innocuous. He or she "may just be looking to break in to prove how good they are and show off," explained Davis. "They may leave a message on your website and that's it. Some of these may probe around your systems but are likely to leave them alone."

The second type of hacker has a more sinister motive because he or she wants to break into a company's computer system and harm its reputation with the public.

"Typically, the company's websites are a favorite target as messages about the company can be posted for all to see," said Davis.

Such an attack often exemplifies "hacktivism," or "cyber-enabled social activism" as the ISF defines it. Perpetrators of hacktivism may coordinate their attacks with other electronic and physical protests, such as Facebook campaigns or demonstrations outside company facilities, Davis noted. In addition, he said that hacktivists may inadvertently usher in more serious attacks.

Theft is the goal of the third type of hacker, who may be motivated by revenge or by a desire to weaken the position of the target company.

"The third type of hacker will break in to deliberately steal company information," said Davis. Perpetrators may include disgruntled former employees, rival companies or even foreign governments.

"Remember that espionage is nothing new, it's just that the Internet provides another channel to carry out these activities," Davis pointed out. "People who steal information may sell it to competitors or other organizations, post it online or send it to journalists or news organizations to embarrass the company, or they may use it as part of a hacktivist campaign."

The fourth, and perhaps most dangerous, type of hacker wants to deliberately attack a company to inflict damage. "This can be done by introducing malware to affect how SCADA and computers operate," said Davis, noting that the Stuxnet worm discovered in June 2010 is the best known but certainly not the only malware of this kind.

A malware attack can target an oil and gas company's mission-critical information. In addition to affecting how SCADA and computer systems operate, malware can deliberately delete information such as production specifications, control settings and other data, Davis said. In addition, hackers can use malware as a tool to deliberately alter sensitive information such as valve settings as well as payroll and IT account data.

"The last two types of hacker are prepared to take their time, probe for weak spots and then attack," concluded Davis. "Remember, the hackers may combine both electronic and physical methods as part of their strategy. Companies should bear in mind that these two types will get around most if not all defenses or barriers erected in their path."

Vigilance is key

Given the myriad capabilities and intentions of hackers, companies should maintain a defensive posture.

"There are various types of hacker—and the damage they do will vary as well," said Davis. "If a facility is left unprotected, then you've made their job a lot easier. All companies should have the basics implemented and, where possible, shield critical systems or information from direct connection to the Internet."

According to Davis, the cornerstones of any company's information security strategy should be threefold: support the business, defend against threats and provide assurance.

"ISF research shows that a cybersecurity strategy needs to place greater emphasis on the following components of the company's information security strategy: intelligence and partnering, situational awareness, resilience and response," Davis said.

Davis noted that most organizations already deploy basic information security tools such as anti-malware software, firewalls and patch management.

"However, these need to be measured, improved and their effectiveness against the risks companies face assessed on a regular basis," Davis advised. "They also need to look ahead—using work such as the ISF's Threat Horizon—and prepare for tomorrow's threats as well."

Practice, practice, practice

Davis stressed the important role that drills play in a company's information security plan.

"All organizations should have and rehearse their 'cyber' incident management processes regularly and keep them current," Davis said. "Although a real incident will probably not match any rehearsal, the skills and knowledge gained from practice will assist in speedy resolution and will minimize the impact of any incident."

Also, Davis noted that information security preparedness is not just the responsibility of a company's IT department.

"ISF work on incident management and response highlights that rehearsal is vital and that it should not be confined to the techies," Davis said. "Business and corporate communications need to be involved as well."

Although refining, pipeline and other companies devote considerable resources to information security, the cost of these defenses reflects the magnitude of the threat that hackers pose. Quantifying that threat, however, remains largely guesswork.

"There are a number of figures bandied around, such as the study that says cybercrime is bigger than the drugs trade, but the truth is we don't know," acknowledged Davis. "There is a cost to business: employing security professionals, buying and maintaining security technologies and dealing with incidents. But again, many of the numbers are speculative at the least."

"Hacking is a problem and we as an industry need to get in front of it, reduce the incentive to hack and reduce the vulnerabilities that can be exploited by hackers," concluded Davis.