As oil & gas enterprise control systems connect to the Internet, they allow for greater business efficiency (e.g., remote process monitoring, predictive system maintenance, process control and production data analysis). However, at the same time, they also make businesses more vulnerable to cyber threats. According to the U.S. Department of Homeland Security ICS Cyber Emergency Response Team, a 20% increase in Integrated Control System (ICS)-related attacks was observed in 2015, across a wide range of US industry sectors, including the petroleum industry (footnote #1). Hackers are targeting critical infrastructures, such as power grids, water networks, and oil pipeline networks.
These cyber attacks are being generated from numerous sources, including individuals, rogue groups, and nation states. Attacks are increasing in intensity and sophistication and are capable of changing system settings or derailing systems that sustain business processes.
Cloud platform and analytics layers of the aforementioned architectures must be designed within a balanced envelope for security (physical security and cyber security) of open protocols/open connectivity. The protection from cyber attacks can come in many different flavors. Most casual observers are familiar with firewalls that protect the outer perimeter (threats from outside) of the network.
Although many components make up the overall security landscape, two in particular are applicable to industries like Oil & Gas that operate control systems (i.e., SCADA, power systems, water networks, building management) at multiple levels: Network Intrusion Detection Systems (NIDS) and Dynamic Endpoint Modeling systems.
NIDS are network security systems that monitor the network and focus on the attacks that come from authorized users inside of the network. NIDS systems perform pre-emptive analysis by searching for anomalies and signatures on the network. Once detected, an alert is forwarded to a security analyst for review. The analysts’ role is important to determine which alerts are false positives and which alerts are legitimate attacks. Some NIDS also have a defensive capability (prevention) that enables them to block an anomaly or signature before it can cause damage.
NIDS are deployed at key entry points on a network and report their information to a central server where all alerts appear on a console. Analysts who are trained in viewing such alerts monitor network traffic to determine if the alert and signatures are legitimate attacks. In the event of an attack, appropriate action is taken by the network defense team to resist the attack according to the organizations internal process and procedures.
Dynamic Endpoint Modeling, on the other hand, is a newly emerging technology that provides an additional layer of control system network cyber security. Dynamic Endpoint Modeling learns and models the behavior of all devices on the network and triggers alerts when algorithms detect changes in learned behavior. Any changes that divert from the baseline will alert that a possible compromise or malicious activity has occurred on an endpoint. These systems also know when a new device appears on the network or accesses the Internet for the first time.
Endpoint Modeling offers a quick and cost-effective deployment in a passive mode without any impact to network performance. Unlike traditional intrusion detection prevention systems, the skill sets needed to deploy and maintain the system are not demanding, and the costs for implementing are comparatively low.
On the security front, manufacturers like Schneider Electric are involved in the development of security-certified products and standards and in the development of secure remote solutions and services. Schneider Electric designs its software and systems according to the highest cyber security software engineering standards. In the Oil & Gas industry, Schneider Electric also offers services to system architects to assess the state of vulnerability of their upstream, midstream and downstream electrical, water, and control systems and recommends risk mitigation actions. In addition, Schneider Electric also provides assistance on how to best implement both NIDS and Dynamic Endpoint Modeling cyber security approaches.
- Industrial Control Systems Cybersecurity Emergency Response Team (ICS-CERT), “ICS-CERT Fiscal Year 2015: Final Incident Response Statistics”, 2016
This article is part of an eight-part series looking at how the Industrial Internet of Things (IIoT) concepts are transforming the Oil & Gas industry business model. For more information, please visit: goo.gl/4ohXN7.
About the Authors
Maurizio Rovaglio is Vice President of Oil & Gas Technology and Alliances at Schneider Electric in Italy. Mr. Rovagilo holds multiple patents and has authored over 100 technical articles published in international scientific journals, and has delivered presentations at multiple international conferences. Mr. Rovaglio has over 15 years’ experience in software sales, marketing, resource planning and project execution in the O&G domain across the world.
Jack Creamer is Schneider Electric Segment Marketing Manager – Pumping Equipment, based in the United States. Mr. Creamer has more that 30 years in the Electrical Industry, and has been involved for 10 years in the Pumping Industry. He is involved in key industry organizations such as the Hydraulic Institute and Submersible Wastewater Pump Association, where he holds both Committee Chair and Board level positions. In his time in the Pump industry, he has help Schneider create numerous solutions that both enhance pumping efficiency and address issues such as maintenance and downtime.