Upstream operations are seriously exposed and under threat from a new generation of cyber attackers. Local and international help is at hand. Find out more ahead of the Abu Dhabi International Cyber Security Forum later this month
Oil & Gas senior executives and technology experts in the field of cyber security are coming together in an unprecedented way in Abu Dhabi this month to address the critical infrastructure threats and countermeasures surrounding modern oil and gas companies.
The Cyber Security International Forum for Energy and Utilities was created to share first hand knowledge and experience of international cyber security organizations who are leaders in the Middle East market, as well as to showcase the realism associated with (in)secure data and problematic issues associated control systems within energy companies.
Raising awareness about the necessity of securing data in the age of general internet accessibility is the hot topic of 21st century’s fast and mostly unpredictable technical development.
The protection of critical national infrastructures has long been a serious concern to Governments in this region and, as a recent attacks on Iran’s oil and nuclear systems demonstrates, is no longer limited to the physical security of important assets.
The scope of motivation potentially behind a cyber-attack on a nation’s energy infrastructure is a broad remit. “At the forefront of popular consciousness are of course other nation states, criminals, terrorists, hackers and even disgruntled employees,” explains Justin Lowe, a smart energy expert at PA Consulting Group.
“This makes cyber attacks difficult to defend against because the attacker could be located anywhere in the world, and could even be internal to the impacted organisation,” he adds.
Given the widespread use of interconnected networks and control systems in national oil, gas, power, water and electricity sectors, there is a very real need to enhance their cyber security given the ever increasing number of international attacks.
It has been reported that there was more than a 40% increase across the Middle East in computers infected by malware in 2010. The threat of such viruses was highlighted by the discovery that same year of the most sophisticated cyber attack to date, Stuxnet.
It was a vicious computer worm with highly specialised malware coded to target specific Supervisory Control and Data Acquisition (SCADA) systems and disrupt their operational activities but without the operators being aware of such changes.
“The cyber security threat to energy installations is surprisingly widespread, running across utilities and distribution networks to generation, refining, and even drilling and exploration.
Most security professionals now say that if you think you have not had your security breached then you just haven’t detected it,” says Professor Paul Dorey, director at CSO Confidential.
SCADA networks are widely used in all industrial sectors and provide essential services and commodities in a very efficient manner. However, they were originally designed to maximize functionality with little attention paid to security.
Consequently performance, reliability and safety of these highly complex and interconnected systems are invariably robust but the security is weak, making them vulnerable to disruption of service, process redirection or manipulation of operational data that could result in public safety concerns and even loss of life.
Article continues on next page …
Added to which the management need for information and remote control has led to the adoption of common network protocols and the connection of many of these SCADA and Industrial Control Systems (ICS) to the corporate network.
While these changes have resulted in business benefits they also have meant that control system security is even more prone to the same cyber threats faced by corporate networks.
Internationally there is a drive to improve efficiency and increase production from oil and gas assets and none more so than in the Middle East where the digital oilfield (DOF) implementation is gaining interest and value.
However, with these changes comes the extra threat of cyber attack and it is imperative to understand what E&P data exists, where it needs to flow and where the security risks are in order to keep DOF implementation secure. However, it is not limited to upstream oil & gas development as attacks across the full oil & gas spectrum have been observed.
“This is taking place in the context of a time when many existing oil and gas reserves are going into or are already in decline and new reserves are more difficult to find, develop or produce.
These changes result in a more complex, integrated energy infrastructure with a greater reliance on information technology, operations technology, and communications,” explains Lowe. As a result, this evolving energy infrastructure is more vulnerable to cyber security issues.
In the Middle East, with it being a major supplier of much of the world’s energy, GCC countries are placing cyber defence as one of their priority areas for development. Saudi Arabia has plans to spend $3.3 billion on oil & gas infrastructure security and Qatar, Oman, Kuwait and the UAE are set to follow suit over the coming years.
The vulnerabilities in the oil and gas business are very real, adds Eric Byres, CTO and VP Engineering of Tofino Security Product Group, Belden Inc. “There are real weaknesses.
The systems deployed in the energy sectors were never designed to be secure – they were designed to be safe, reliable and productive. Unfortunately the hackers have discovered this in the past year and the list of known product vulnerabilities has exploded,” he warns.
The cyber threats are by no means limited to the Stuxnet concern as serious as it most certainly is. The Night Dragon virus drew attention to the ability of such viruses to steal highly sensitive competitive information from oil and gas companies especially and are now all part by a new type of sophisticated digital infection collectively termed the Advanced Persistent Threat (APT).
These viruses can upload and propagate themselves into IT/ICS systems without any immediate noticeable affect and can collect intelligence data over a long period without detection.
Most recently another new virus, Duqu, has appeared in the Middle East and may differ from its predecessors in that it gathers intelligence data such as design documents and assets from ICS systems in order to plan for a future cyber attack.
“At the moment, the majority of incidents affect companies and state organizations involved in arms manufacturing, financial operations, or hi-tech and scientific research activities. In 2012 companies in the natural resource extraction, energy and transport industries will be affected, as well as information security companies,” warns Alexander Gostev, headed of the global research and analysis team at Kaspersky Lab.
“Attacks will range over more of the world than ever before, spreading beyond Western Europe and the US and affecting Eastern Europe, the Middle East and South-East Asia,” he adds.
If Stuxnet was a wake-up call for industry then Duqu is further evidence of the severity of attacks.
There is an exponential increase in cyber attacks from increasingly sophisticated
malware and it can be argued that what is needed to combat such threats are robust yet simple and easy to implement cyber security technology, sustained and updated education in this area, enhanced public-private partnerships and well thought out cyber security standards that industry can easily follow in order to truly protect industry plants and assets.
Don’t Miss: Abu Dhabi International Cyber Security Forum
When: 21 – 24 May 2012 Hilton Abu Dhabi
Website: www.csuae.org
The Forum will address the business needs for cyber security, the threats facing IT and Industrial Control Systems(ICS) and the best practices for security improvement . It will feature appropriate use of standards , how to respond to cyber security incidents , the human and correct design aspects of cyber security. The Forum includes an in- depth workshop on the security insights for SCADA & ICS.
