Final institute report refines, forecasts cyber-security issues

Nov. 16, 2009
This article follows a 2006 article that introduced the Institute for Information Infrastructure Protection (I3P) and presented initial research findings and industry perspectives on cyber-security risks facing critical control systems in energy infrastructures.1

These initial findings included a characterization of risk in terms of threat, vulnerability, and consequence. Over the past 3 years, this characterization has remained a common thread through the I3P's Process Control System (PCS) Security and Survivability projects.

Findings, observations

Asset owner, operator concerns:

  • A need for comprehensive security across control systems. The architecture must be addressed as a whole.
  • Consideration of interdependences when implementing security in the architecture.
  • Overall intrusion detection and prevention that includes monitoring, event correlation, first-day intrusion awareness, and alarm processing.
  • Engagement of stakeholders at all levels of an organization, including asset owners and managers.
  • Acceptance that critical infrastructure is an attractive target.

Vendor concerns:

  • Management engagement early in decisions about obtaining and implementing security controls.
  • Increased awareness and training among operators and integrators on security controls.
  • Industrial plant networks to be considered multilayered enterprises rather than collections of individual nodes. This facilitates comprehensive protection.
  • Clearly defined roles and relationships between IT staff and operators, with open communication lines.

Shared concerns:

  • Securing wireless connectivity.
  • A set of widely accepted standards, guidelines, and best practices.
  • An understanding of how interoperability affects security within the enterprise at various levels within an organization.
  • Life-cycle and maintenance planning.
  • A plan to address legacy systems.
  • Realization that economic justification is required for implementing security throughout the enterprise.

I3P team observations:

  • Asset owners, operators, and vendors can have different expectations. Asset owners often expect security to be addressed by vendors, while vendors often expect a certain user awareness and operational security already in place.
  • Specific concerns over remote access, wireless, and communications backbones still exist.
  • Metrics play an important role for industry. Asset owners and operators want to know their current security posture. Metrics provide data they can analyze to determine where they stand on security and to support decisions on security investments.
  • A secure design is key to many industry members.
  • Cyber security should be considered in the context of simply one more risk to manage.
  • Historically, security has been approached piecemeal, patching only what is needed. This has resulted in many complex and disparate architectures.
  • The cost-benefit or return on investment is still extremely important when considering security.
  • The role of organizational communication is critical.
  • A balance between physical and cyber security is needed to achieve better operational security.

The 2006 article presented conclusions about vulnerabilities, consequences, and the general perceptions on cyber security as provided by the oil, gas, and chemical industry and its vendors. This research provided a foundation for the I3P to continue working to meet the goals of government—to secure process control systems—while working closely with industry members.

As the I3P PCS project completes its fourth and final year, many conclusions about process control system risk have evolved, and progress has been made between government and industry in addressing the security of control systems in the US critical infrastructure.

This article outlines major findings from industry since the initial report and presents an outlook on the future of process control system security.

Background

The I3P was created in 2001 in response to a need recognized by the US government for research and development to protect critical national infrastructure.2 The I3P project team consists of scientists and engineers from nonprofit organizations, national laboratories, and academia.

Begun in 2005, the PCS project focused on cyber security for the oil, gas, and chemical sectors.3 Owners, operators, and vendors participated through workshops and by site visits by I3P project team members to outline critical operational areas and address the feasibility of technology and methods to identify and rank cyber-security needs.

The I3P team developed a methodology and supporting technologies over the following years. An industry advisory board guided development of this methodology and toolset. A feedback loop with industry ensured that these tools filled gaps and solved specific needs. The 2006 article presented findings and characterized risk from the first 2 years of research.

In 2007, the PCS project took on a new scope that included survivability and recovery of process control systems. This new phase built upon the foundational research but included reliability, resilience, and overall ability to survive and recover from a cyber incident with minimal impact. Many in industry felt this area was the next step in securing overall operations.

Realizing that the best chance of meeting national security goals was to ensure that research and development are usable in actual architectures and support overall operations, the I3P launched an additional outreach initiative. This outreach project facilitated increased interaction, feedback, and awareness. Both projects continued workshops, security forums, and site visits.

After several years of collaboration, we can summarize the cyber security climate in the oil and gas industry and recognize future needs to ensure that energy continues to flow without interruption to consumers nationwide.

Many observations are conveyed in the following sections in attempts to enumerate the perspective of industry on cyber security and provide insight to critical issues in the future.

Observations

Early in the project, a main objective was to agree on bounds and definitions that comprised cyber security for process control systems. Following definition, the next step was to develop a general acceptance among the oil, gas, and chemical industry that cyber security is a legitimate, defined problem. It was not unexpected that agreement and acceptance of cyber security as a problem could be a hurdle.

Architectures, historical processes, and procedures sometimes differ vastly among organizations. Different interpretations also exist between separate organizational subgroups and among vendors.

To approach this problem from a technical view, the project team first defined how industry members were actually conducting operations and structuring control system architectures, especially during emergency situations or when trying to bridge communications to remote locations. Identifying shared perspectives on security and understanding realistic operating practices provided a more accurate view of potential risks. These views were gathered from workshops, forums, and site visits; the accompanying box lists those findings.4

Understanding what motivates industry to reduce risk and preserve operations helped researchers define and apply the correct mitigation. The project team defined risk in terms of threat, vulnerability, and consequence (accompanying box above); this definition has remained consistent throughout the project, although threats, vulnerabilities, and consequences have become more complex over time.1

A threat implies that an individual or group has the ability and access to damage or exploit a system for a specific gain. A vulnerability is a weakness that exists in a system, network, application, or process that can be exploited by a threat to create an adverse effect. Finally, a consequence is the resulting loss, damage, or impact resulting from a threat successfully exploiting a vulnerability. The result can have physical, economic, environmental, and human consequences.1

The 2006 article details examples of characterized vulnerabilities and their resulting consequences and effects. Building an understanding of how each vulnerability leads to a consequence, one can develop a business case for applying security. In nearly all cases, industry members shared common overall operational goals, including:

  • Financial stability.
  • Production and movement of product.
  • Safety.
  • Security.
  • Reliability.
  • Environmental compliance.
  • Preparedness.

Mapping high-level operation goals to specific cyber risks can help define the scope of the problem, promote understanding of potential consequences, and allow security controls and mitigations to be applied more effectively.

Applying these solutions with an operational perspective is key in an industry in which reliability and the production and movement of product are absolutely critical. For cyber security to be applied successfully, it must be viewed as simply one more operational aspect, rather than an additional burden or optional consideration.

Awareness, cultural shift

During the first 2 years of collaboration with industry, a cultural shift seemed to be emerging. Cyber security began, in fact, to transform into an operational element and potential investment area. Awareness and discussions on security increased, and industry feedback indicated that communication across different organizational departments was increasing.

Outreach events, such as workshops and security forums held over the past several years, provided government and researchers with a chance to understand industry perspectives and concerns fully, and facilitated collaboration to produce solutions while meeting operational needs.

The I3P project team found increased participation from various parts of industry organizations to include technical managers, IT staff, auditors, and supervisory control and data acquisition managers. Feedback indicated that, technical challenges aside, communication and investment justification were two areas of particular concern and interest to industry.

Linking cyber security to a business investment is difficult. Making the case for an investment to prevent something bad from happening to a network or architecture can be difficult.

Many industry members developed their own strategies to justify spending on protection and awareness. These included potential consequence cost assessments and development of cross-segment risk analysis teams. Market drops in the past few years affected momentum that security had gained early in the project. Reduced staffing, increased workloads, limited training, and shrinking travel budgets slowed the major security efforts.

An interesting but beneficial consequence of these events, however, was the broadening of communication across different areas within industry organizations. For several years, the I3P team has recommended strong communications across organizations.5 The first workshop indicated that departments within the organization worked at different paces and with different objectives for security. A need to reconcile objectives, motivators, and application in operational segments became evident.

At a time when resources are strained, a need to maximize and coordinate limited security budgets for comprehensive solutions, technology, and policy is evident. In 2008, the I3P conducted its second SCADA Security Forum in conjunction with the API IT Security Conference. Overwhelming feedback from industry at this event suggested that technical staff and SCADA managers had a strong awareness of cyber security and many had integrated security into their operations.

Feedback suggested, however, that a next step was needed to extend this awareness to CEO and executive management to ensure cyber security was a major consideration in strategic planning. These areas, in addition to evolving technical options, are considered important pieces in the future of securing infrastructure.

Technology advancements

In addition to outreach, methodology development, and risk characterization, the I3P project team researched specific technologies and gathered feedback from industry on its primary needs. Early in the project, feedback from workshops indicated several areas that industry felt required focus:6

  • Wireless.
  • Intrusion detection.
  • Situational awareness.
  • Legacy and interoperability.
  • Standards compliance.
  • Business and control system network connectivity.
  • Forensic data and traceability.
  • Life-cycle maintenance, patching, upgradability.

Some of these concerns, such as interoperability and life-cycle issues, are ongoing, but many new options are available to assist asset owners. Over the past few years, the market has seen new technologies, products, and services erupt in this area.

Industry members may select component-level solutions, total consultant solutions, or third-party membership-information portal services. The choice typically boils down to what meets an organization's specific objectives, funds, and the staffing resources available in-house.

Many industry members indicated they do not want a component-level, "bump in the wire" solution. They also strive for control and management of cyber security, however, and attempt to meet very specific security objectives. Purchasing a comprehensive service and solution seems less agreeable.

The reality is likely somewhere in between and a mix of options. Regardless of how much an organization does in-house or farms out, a comprehensive operational approach is still the most effective option. This includes:

  • Assessment.
  • Determination of risk.
  • Identification of vulnerabilities.
  • Analysis and application of mitigation.
  • Support with policies and procedures.
  • Development and utilization of a life-cycle maintenance plan.
  • Periodic assessments.

As is always recommended, an approach that includes people, processes, and technologies best removes gaps in a security solution.

Perhaps the greatest challenge is system interconnection. This includes all connectivity, such as the business network to the control system network, the connection of remote and field sites, or the connection of simple sensors to the network.

Controlling the flow of data as well as ensuring its integrity can certainly benefit from technology-based solutions. Typically, however, an organization must still review its own operations to determine specific needs before applying security to interconnection points.

A one-size-fits-all technology cannot be applied to disparate architectures. Technology-based security controls, along with supporting policies, however, can mitigate many risks. As an example, general architectural guidelines and interconnectivity recommendations can be found in API 1164 SCADA Security Standard for Pipelines.7 Encryption, intrusion monitoring, firewalls, and role-based controls can provide the technology that facilitates the architectural goals.

Industry is also interested in tools that help it reduce risk while making the business case. Market conditions at present demand strong economic viability of technical solutions. A shift towards component-based solutions that require lower up-front costs is visible in the market today. Doing something towards security, even a small improvement, provides some level of assurance to some industry members rather than taking risks and waiting until budgets are stronger to address security.

Industry faces tough choices on how to invest in security in a tough market. Many more options exist today, however, than even a few years before in terms of technology, tools, guidelines, and methodologies that can help.

Industry is also now more aware of cyber security and potential technical and economic consequences, and it can make more informed decisions based on its own architectures and business needs.

Changes in risk elements

Changes in the elements of the risk equation will always occur over time, especially in the evolving critical infrastructure. Suggestions that the threat has changed are arguable. Many insider and outsider threat characteristics will always exist.

The US has not seen a large attack since Sept. 11, 2001, but attempts on critical infrastructure over the past several years have been well publicized. If anything, one can assume the threat will increase in capability, just as defenses increase.

Vulnerabilities change rapidly. Just as the information technology sector realized many years ago, the shift towards zero-day attacks and rapid exploit development takes advantage of vulnerabilities that many know little about. Increased connectivity among networks, remote sites, and third parties has increased the possibility of new vulnerabilities in a network design.

Finally, potential consequences can change in their value and characteristics. Evolving architectures can change the technical consequences, while a public perception in flux requires an organization to place a value on negative perception associated with incidents.

The oil and gas sector is already facing these challenges in the market and the technological landscape. It can only be anticipated that the elements of risk will continue to evolve and at different rates, which requires industry to focus on preparedness rather than reaction measures.

Great strides have been made in securing infrastructure. The changing elements of risk, however, prove that we must continue to keep security in focus as energy systems evolve to meet the demands of the future.

Global events

Global changes and events affect industry perspective, the market, and general preparedness. These events spur a shift in focus and awareness, which can create a change in how security is viewed and prioritized.

Certainly weather hazards such as hurricanes, tornadoes, floods, and ice storms often increase the need to review backup procedures, reevaluate the location of control centers, and address survivability. Other events such as transportation risks and global political instability generate the need to assess the organization's position on preparedness, accessibility of staff, physical security and responses to public perception.

All these events create the need to consider cyber security, even in relationship to other risks addressed by physical security and company policies. Many industry members have suggested that these events illustrate the need to address cyber security as part of operations, but that some organizations have shifted focus to physical security rather than investing in cyber.

In reality, a balanced approach to cyber and physical can increase the impact in both areas and maximize investment in security in general. In any case, global events have a decided effect on the application and maintenance of cyber security. Hurricanes Katrina and Rita in 2005 on the US Gulf Coast provided a great deal of after-action evidence to review, both from cyber and physical preparedness perspectives. Hurricane Ike in 2008 on the Texas Gulf Coast, though not as severe, then illustrated a better prepared industry that dealt with challenges quickly and maintained the critical flows of energy.

Standards, guidelines

Early in the I3P project, industry and vendors indicated that standards and guidelines were necessary to facilitate application of security solutions. In efforts to ensure industry created those guidelines, industry forums and bodies stepped up to create guidance with a security focus. Guidance took the form of written standards, conferences and workshops, and outreach efforts.

Members of industry frequently point out that guidelines should be developed to facilitate the application of controls that support secure operations rather than requiring large investments of resources or redesigns that hinder or slow operations. Working together, such industry bodies as the American Petroleum Institute, the National Petrochemical and Refiners Association, and the Instrument Society of America can ensure guidance is available that provides a clear benefit to industry.

Standards that provide a backbone for organizational and operational policies are extremely beneficial. Consistently throughout the research on the I3P project, the role of policy that supports technology-based and operationally based security controls has remained critical. The need to react accordingly to information during an incident, meet organizational objectives, and ensure continuity of operations relies heavily on policy and guidelines.

Many in industry have suggested that cyber-security regulation will only increase. The best preparation for industry is to become involved in establishing standards that may provide a solid technical foundation for those regulations while meeting operational objectives. The rapid deployment of new technologies within the smart-grid environment and understanding how fossil-energy systems may interconnect and interface in the future require preparation and analysis now to maximize opportunity, support system design choices, and minimize operational impact.

There are many challenges in standards development. Developing guidance that avoids product or technology specifics, which may date the document, while providing enough detail to be useful can be difficult. The operational view and the business and practical sense that industry brings, however, are extremely valuable. The end result is typically a useful product and a positive experience.

Often in this competitive market, cyber or operational information is not readily shared. Complete security incident data will likely never be openly shared for obvious reasons. Industry members, however, have been very willing to participate in developing guidance, brainstorming on protective measures, sharing ideas, and participating in industry-wide events. A continued commitment to these activities will ensure that security in this sector will continue to evolve throughout life-cycle, market, and global changes.

Market effects

Many events, certainly those with the magnitude of Sept. 11, 2001, affect the culture, technology, and business investments of the energy industry. Certainly, the market changes over the past 5 years have affected all areas. The shift from large budgets, expansions, and new ideas, to tighter belts, critical decisions, and reductions has affected the focus on security and survivability. Examples are:

  • Tough choices on spending while maintaining operational and business objectives.
  • The need to rank main goals and prioritize objectives.
  • Choosing solutions wisely, such as robust all-in-one technology solutions vs. piecemeal tools and applications at a lower cost.
  • Utilization of staff resources. Can a dedicated security staff be afforded? What about training budgets?
  • Participation in industry forums, maximizing information sharing and lessons learned in cyber security.

In times of tighter budgets, a few overarching ideas about security can be applied to maximize the investment of time and money. These include:

  • Define an approach up front, before application of new security controls.
  • Rank priorities.
  • Balance a lower cost operational security option with technology choices.
  • Select an approach that does not include a large system redesign with hardware, software, and staff resource implications.
  • Identify and address high-value targets first.
  • Minimize major gaps and address "low hanging fruit" that provides a good return on resource investment.
  • Consider the life cycle and long-term costs and return on investment. These can be tough to define but attempt to weigh the risks.
  • Consider a perspective that includes cyber security as another critical operational element.
  • Define the role of people, processes, and technology.
  • Utilize research, technical guidance, and standards to help.
  • Convey organizational objectives and maintain good intraorganizational communication.

The oil and gas industry has survived many market changes over many decades. One can expect approaches on technology, operations, and cyber security to continue to adapt to continuous market changes in the future.

Future

Given the changes in the market and industry over the past several years, one can expect to see changes in the approach to cyber security in the near and longer term. Several infrastructure-scale areas will be relevant when addressing cyber security in the next few years. The accompanying diagram illustrates the presence of risk and interconnected areas.

• Emerging technologies. These are adaptive technologies that facilitate protection, detection, response, and decision making. Combining protection and response is particularly attractive and presents a good return on investment.

• Integration with renewable energy systems. Many are now focusing on the inclusion of solar, wind, and other renewable energy sources in their systems and operations. Industry is also currently engaged in discussions on the role and impact of smart grid in the oil and gas infrastructure.

• Emerging standards and regulation. New policies and regulations that focus on cyber security may emerge that could include technical and operational guidelines. Traditionally, these standards and regulations focused on safety, but cyber security may be considered, just as physical security, as an operational element.

• Market changes. Adaptability of security implementations, including technology and operations, may be the key to surviving market changes. Balancing available budgets with short and long-term needs, as well as carving out the role of security in the future of the organization is important.

• Changing work force. Many discussions are under way within industry on how to deal with a changing workforce and the retirement of those with critical skill sets. Operational learning curves and lack of experience can lead to an unintentional incident from a trusted insider. Conversely, awareness of emerging technologies among younger workers through recent education can be an advantage.

A great deal of research, lessons learned from global events, and shared experiences exist that can be built upon to ensure secure critical infrastructure. Understanding potential threats, vulnerabilities, consequences, and effects is essential to moving forward with continued risk mitigation.

Maintenance that includes continual reduction in vulnerabilities is required for a company to stay abreast of new security risks and meet the needs of a changing infrastructure. Recommendations for the future include broadening the view of cyber security to include emerging technologies such as advanced situational awareness tools or renewable energy components. Increased interconnection and interoperability can also be expected and will require cyber-security considerations throughout a system's life-cycle.

An increased need for a return on investment from cyber security and its role in business strategies is expected. This requires that cyber security be continually recognized as a key organizational objective, a thread that must exist through staffing, market, and organizational changes. Successful, uninterrupted operations can continue with the perspective that security has a permanent role in the organization.

Acknowledgments

Sandia is a multiprogram laboratory operated by Sandia Corp., a Lockheed Martin Co., for the US Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000.

This material is based upon work supported by the US Department of Homeland Security under Grant Award Number 2006-CS-001-000001, under the auspices of the Institute for Information Infrastructure Protection (I3P) research program. The I3P is managed by Dartmouth College.

References

1. McIntyre, A., Stamp, J., Cook, B. and Lanzone, A., "Workshops identify threats to process control systems," OGJ, Oct. 9, 2006, p. 44.

2. Institute for Information Infrastructure Protection. "About the I3P," http://www.thei3p.org/about; August 2009.

3. Institute for Information Infrastructure Protection. "Research Initiatives." http://www.thei3p.org/research; August 2009.

4. McIntyre, A., Stamp, J., and Cook, B., "I3P Risk Characterization Report," I3P Research Report, 2007; http://www.thei3p.org/docs/publications/researchreport9.pdf.

5. McIntyre, A., and Henrie, M., "Organizational Communication for Security Risk Reduction and Survivability," Energy Telecommunications and Electrical Association. Houston, April 2009.

6. McIntyre, A., Lanzone, A., and Stamp, J., "I3P Preliminary Risk Characterization Report," I3P Research Report, 2006. http://www.thei3p.org/docs/publications/researchreport6.pdf.

7. API 1164 Standard "Pipeline SCADA Security, Second Edition," Washington: American Petroleum Institute, 2009.

The author

Annie McIntyre is a senior member of the technical staff at Sandia National Laboratories, Albuquerque. In the energy systems analysis organization, her primary areas of research include threats, vulnerabilities, and protection of critical infrastructure systems under initiatives such as the Institute for Information Infrastructure Protection (I3P), National SCADA Test Bed, and Renewable Systems Integration. Before her work in critical infrastructure, McIntyre served as IO Laboratory Chief and Information Warfare Lead for future combat systems assessments at the Army Research Laboratory, White Sands Missile Range, NM. She previously served as New Mexico Regional Manager for Concurrent Technologies Corp., a defense and energy contractor. McIntyre holds a BS from New Mexico Tech, Socorro, an MS from Troy State University, Troy, Ala., and is a member of the American Association of Petroleum Geologists.
