Cyber Risks in Industrial Systems. Presented at Kuwait Petroleum Corporation’s 4th ERM Conference. John J. Brown, Deloitte & Touche LLP


Page 1: Cyber Risks in Industrial Systems - cdn-cms.f-static.comcdn-cms.f-static.com/uploads/167773/normal_58da37f62dd04.pdf · Management . Enterprise-wide approach to cybersecurity, including


Page 2

Kuwait Petroleum Corporation 4th ERM Conference Copyright © 2017 Deloitte Development LLC. All rights reserved. 2

Presentation agenda

Oil and gas industry cyber threat landscape

Technology use in the industry

Cyber security concerns

Examples of compromises

Secure.Vigilant.Resilient.TM

Specific considerations

Page 3

Oil and gas cyber threat landscape

The cybercrime landscape has evolved into a set of highly specialized criminal products and services that are able to target specific organizations, regions, and customer profiles by using sophisticated tools which routinely evade present-day security controls.

Page 4

Technology adoption in the oil and gas industry

Economic realities are positioning the Internet of Things (IoT) for rapid and widespread adoption, along with increased use of technology in operations; IoT integrates sensing, communications, and analytics capabilities.

Assimilating diverse data sets: smart sensors, machine-to-machine, big data

Pipelines of information: shifting to a data-enabled infrastructure

From inside out to outside in: optimizing the supply chain and customer experience

Technology maturity and business priorities

Source: Connected barrels: Transforming oil and gas strategies with the Internet of Things, Deloitte University Press, 2015

Page 5

Technology is full of exploitable gaps

Unfortunately, advancements in systems and technology are vulnerable to misuse by individuals and organizations for purposes of self-enrichment or to inflict harm on others.

Oil and gas companies are prime targets for exploitation by cyber criminals:

high-value intellectual property

strategic nature of their physical assets

Misconceptions exist of the security of:

Process Control Networks (PCN)

Supervisory Control and Data Acquisition (SCADA) systems

Technology trends have led to an erosion of the traditional IT perimeter, driven by many factors, including:

widespread use of mobile technologies

cloud-based technology options

data-sharing between corporations, suppliers and partners

Attacks in the past few years have revealed a new breed of threat, fueled by the rise of nation-state and ideologically motivated attackers. Examples:

Stuxnet

Shamoon

Havex

Page 6

Potential cyberattack scenarios

Many scenarios and combinations of scenarios exist, but they can generally be grouped into three categories.

Cyberattack category: example of cyberattack

Operational Disruption: By gaining access to SCADA application servers, booster station control systems, or operations consoles, attackers could shut down or damage pipelines, or trigger overpressure and release conditions, causing severe equipment damage.

Espionage and Data Leakage: Internet-accessible process control network equipment could be used to gain access to corporate systems that house proprietary decision analytics, or development plans, undermining competitive advantage and growth strategies.

Physical Harm: Unauthorized access to components of the process control network could result in explosions or other forms of physical damage that could cause threats to human life or the environment, with long-term cost and reputational implications.

Page 7

Examples of specific cyberattacks on industrial control systems

These three examples provide an illustration of well-known attacks; many more examples exist and the frequency of attacks appears to be increasing.

Stuxnet [1]
• Targeted centrifuges in Iranian nuclear fuel enrichment operation in 2010
• Operated through industrial controller devices
• Caused centrifuges to spin at high speeds until they self-destructed

Shamoon [2]
• Affected tens of thousands of computers at Saudi Aramco and RasGas Co Ltd. in 2012
• Operates by “wiping” hard disks, preventing booting up
• In January 2017, Saudi government issued a warning about Shamoon 2

Havex [3]
• Targets SCADA and industrial control systems (ICS)
• Employs “watering hole” tactics to spread (i.e., ICS manufacturer update sites)
• Havex operates as a Remote Access Trojan (RAT)

Sources:
1. IEEE Spectrum, posted 26 Feb 2013, by David Kushner, “The Real Story of Stuxnet”
2. Thomson Reuters Technology News, January 23, 2017, “Saudi Arabia warns on cyber defense as Shamoon resurfaces”
3. SC Media, June 25, 2014, “‘Havex’ malware strikes industrial sector via watering hole attacks”

Page 8

Source: IEEE Spectrum, posted 26 Feb 2013, by David Kushner, “The Real Story of Stuxnet”

Page 9

Practical approach to cybersecurity

A business risk and cyber threat aware approach, led at the executive level, and founded on the Secure.Vigilant.Resilient.TM platform, can help reduce problems.

Page 10

Enterprise-wide approach to cybersecurity, including technology systems

Crisis Management

Risk Analytics

Third-Party Management

Workforce Management

Identity and Access Management

Application Security

Data Protection

Infrastructure Security

Threat Management

Page 11

Critical focal areas to manage technology cyber risks

Three solution areas have special applicability to managing technology risks.

Vigilant Secure Resilient

Infrastructure Security
• Asset, configuration and patch management
• Antivirus and malware protection
• Secure network design, network and application firewall
• Intrusion detection and prevention
• Network admission control
• E-mail security
• Specific and Certificate Management
• Web Proxy
• Remote access
• Endpoint protection (including mobile devices)
• Secure file transfer and storage
• Device to device authentication

Workforce Management
• Hiring
• Onboarding
• Training - overall and role-based
• Awareness
• Risk profiling (including insider threat management)

Third-Party Management
• Evaluation & selection
• Contract & service initiation
• Security and performance monitoring
• Service termination
• Fourth-party relationships
• Concentration risks

Page 12

Technology requires special consideration for cyber security

ICS and the IoT bring many benefits to the oil and gas industry; but they also introduce cyber security concerns that require special attention.

Reasons used to exclude cyber security in ICS

“The ICS is isolated”
Often, employees and external parties bring portable media and computers into facilities for legitimate purposes. However, there are many examples where these devices were infected and caused damage or operational loss.

“Firewalls separate the IT and OT networks”
Firewall configurations are often too permissive, because flexibility and access to external parties are deemed critical business requirements. For example, support of the operational technology (OT) environment by original equipment manufacturers (OEMs) and system integrators (SIs) often exists outside the information technology (IT) environment.

“Security is seen as the responsibility of the integrator”
Often, ICS security is not covered in the service level agreements (SLAs) and contracts with the SIs and various OEM vendors. Even when covered, these contracts rarely include statements for keeping security mechanisms up to date.

Steps to follow for cyber security

Understand the threats to the organization and determine the target security level

Gain insight into the existing security capabilities of the organization

Understand the gaps, and define and implement preventive measures

Monitor the infrastructure and applications to detect anomalies

Respond to incidents and recover to business-as-usual
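One way to check an IT/OT boundary for the over-permissive firewall pattern described above (OEM or integrator remote support allowed from anywhere into the whole OT network), as an added example that is not from the presentation or from Deloitte; the OT address range, rule format, port numbers and dates are constructed assumptions:

```python
"""Audit IT/OT boundary firewall rules for over-permissive third-party access.
Added example; the OT range, rule format, ports and dates are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple, Union
import ipaddress

OT_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed OT address range


@dataclass
class Rule:
    name: str
    src: str                       # source CIDR
    dst: str                       # destination CIDR
    ports: Set[Union[int, str]]    # TCP ports, or {"any"}
    action: str                    # "allow" or "deny"
    expires: Optional[str] = None  # ISO date; None means a standing rule


def audit(rules: List[Rule], today: str = "2017-06-01") -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs for allow rules into the OT network."""
    findings = []
    for r in rules:
        dst = ipaddress.ip_network(r.dst)
        if r.action != "allow" or not dst.subnet_of(OT_NET):
            continue  # only inbound allows into OT are in scope here
        if ipaddress.ip_network(r.src).prefixlen <= 24:
            findings.append((r.name, "source not limited to a specific support host"))
        if dst.prefixlen <= 24:
            findings.append((r.name, "destination covers a whole OT segment"))
        if "any" in r.ports:
            findings.append((r.name, "all ports allowed"))
        if r.expires is None:
            findings.append((r.name, "standing rule with no expiry or review date"))
        elif r.expires < today:  # ISO dates compare correctly as strings
            findings.append((r.name, "expired rule still active"))
    return findings


# Constructed "before": OEM remote support allowed from anywhere to all of OT.
PERMISSIVE = [
    Rule("oem-support", "0.0.0.0/0", "10.20.0.0/16", {"any"}, "allow"),
    Rule("historian-sync", "10.1.5.0/24", "10.20.3.10/32", {1433}, "allow"),
]
# Constructed "after": one jump host, one target, one port, time-bounded access.
HARDENED = [
    Rule("oem-support", "10.1.9.5/32", "10.20.3.20/32", {3389}, "allow", "2017-12-31"),
    Rule("historian-sync", "10.1.5.7/32", "10.20.3.10/32", {1433}, "allow", "2018-06-30"),
    Rule("default-deny", "0.0.0.0/0", "10.20.0.0/16", {"any"}, "deny"),
]
```

Running `audit(PERMISSIVE)` lists six findings against the two standing rules, while `audit(HARDENED)` returns none; passing a later `today` shows how a time-bounded support rule surfaces once it has lapsed.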

Page 13

About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms. Copyright © 2017 Deloitte Development LLC. All rights reserved. 36 USC 220506

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.