Cyber Risks in Industrial Systems
Presented at Kuwait Petroleum Corporation’s 4th ERM Conference
John J. Brown, Deloitte & Touche LLP
Kuwait Petroleum Corporation 4th ERM Conference Copyright © 2017 Deloitte Development LLC. All rights reserved. 2
Presentation agenda
• Oil and gas industry cyber threat landscape
• Technology use in the industry
• Cyber security concerns
• Examples of compromises
• Secure.Vigilant.Resilient.™
• Specific considerations
Oil and gas cyber threat landscape
The cybercrime landscape has evolved into a set of highly specialized criminal products and services that are able to target specific organizations, regions, and customer profiles by using sophisticated tools which routinely evade present-day security controls.
Technology adoption in the oil and gas industry
Economic realities are positioning the Internet of Things (IoT) for rapid and widespread adoption, along with increased use of technology in operations; IoT integrates sensing, communications, and analytics capabilities.
• Assimilating diverse data sets: smart sensors, machine-to-machine, big data
• Pipelines of information: shifting to a data-enabled infrastructure
• From inside out to outside in: optimizing the supply chain and customer experience
(Figure: Technology maturity and business priorities)
Source: Connected barrels: Transforming oil and gas strategies with the Internet of Things, Deloitte University Press, 2015
Technology is full of exploitable gaps
Unfortunately, advancements in systems and technology are vulnerable to misuse by individuals and organizations for purposes of self-enrichment or to inflict harm on others.
Oil and gas companies are prime targets for exploitation by cyber criminals:
• high-value intellectual property
• strategic nature of their physical assets
Misconceptions exist of the security of:
• Process Control Networks (PCN)
• Supervisory Control and Data Acquisition (SCADA) systems
Technology trends have led to an erosion of the traditional IT perimeter, driven by many factors, including:
• widespread use of mobile technologies
• cloud-based technology options
• data-sharing between corporations, suppliers and partners
Attacks in the past few years have revealed a new breed of threat, fueled by the rise of nation-state and ideologically motivated attackers. Examples:
• Stuxnet
• Shamoon
• Havex
Potential cyberattack scenarios
Many scenarios and combinations of scenarios exist, but they can generally be grouped into three categories.

Cyberattack Category | Example of Cyberattack
Operational Disruption | By gaining access to SCADA application servers, booster station control systems, or operations consoles, attackers could shut down or damage pipelines, or trigger overpressure and release conditions, causing severe equipment damage.
Espionage and Data Leakage | Internet-accessible process control network equipment could be used to gain access to corporate systems that house proprietary decision analytics, or development plans, undermining competitive advantage and growth strategies.
Physical Harm | Unauthorized access to components of the process control network could result in explosions or other forms of physical damage that could cause threats to human life or the environment, with long-term cost and reputational implications.
Examples of specific cyberattacks on industrial control systems
These three examples provide an illustration of well-known attacks; many more examples exist and the frequency of attacks appears to be increasing.

Stuxnet [1]
• Targeted centrifuges in Iranian nuclear fuel enrichment operation in 2010
• Operated through industrial controller devices
• Caused centrifuges to spin at high speeds until they self-destructed

Shamoon [2]
• Affected tens of thousands of computers at Saudi Aramco and RasGas Co Ltd. in 2012
• Operates by “wiping” hard disks, preventing booting up
• In January 2017, Saudi government issued a warning about Shamoon 2

Havex [3]
• Targets SCADA and industrial control systems (ICS)
• Employs “watering hole” tactics to spread (i.e., ICS manufacturer update sites)
• Havex operates as a Remote Access Trojan (RAT)

Sources:
1. IEEE Spectrum, 26 Feb 2013, David Kushner, “The Real Story of Stuxnet”
2. Thomson Reuters Technology News, January 23, 2017, “Saudi Arabia warns on cyber defense as Shamoon resurfaces”
3. SC Media, June 25, 2014, “‘Havex’ malware strikes industrial sector via watering hole attacks”
Source: IEEE Spectrum, posted 26 Feb 2013, by David Kushner, “The Real Story of Stuxnet”
Practical approach to cybersecurity
A business risk and cyber threat aware approach, led at the executive level, and founded on the Secure.Vigilant.Resilient.™ platform, can help reduce problems.
Enterprise-wide approach to cybersecurity, including technology systems
• Crisis Management
• Risk Analytics
• Third-Party Management
• Workforce Management
• Identity and Access Management
• Application Security
• Data Protection
• Infrastructure Security
• Threat Management
Critical focal areas to manage technology cyber risks
Three solution areas have special applicability to managing technology risks (Secure. Vigilant. Resilient.):

Infrastructure Security
• Asset, configuration and patch management
• Antivirus and malware protection
• Secure network design, network and application firewall
• Intrusion detection and prevention
• Network admission control
• E-mail security
• Specific and Certificate Management
• Web Proxy
• Remote access
• Endpoint protection (including mobile devices)
• Secure file transfer and storage
• Device to device authentication

Workforce Management
• Hiring
• Onboarding
• Training - overall and role-based
• Awareness
• Risk profiling (including insider threat management)

Third-Party Management
• Evaluation & selection
• Contract & service initiation
• Security and performance monitoring
• Service termination
• Fourth-party relationships
• Concentration risks
Technology requires special consideration for cyber security
ICS and the IoT bring many benefits to the oil and gas industry, but they also introduce cyber security concerns that require special attention.

Reasons used to exclude cyber security in ICS
“The ICS is isolated”: Often, employees and external parties bring portable media and computers into facilities for legitimate purposes. However, there are many examples where these devices were infected and caused damage or operational loss.
“Firewalls separate the IT and OT networks”: Firewall configurations are often too permissive, because flexibility and access to external parties are deemed critical business requirements. For example, support of the operational technology (OT) environment by original equipment manufacturers (OEMs) and system integrators (SIs) often exists outside the information technology (IT) environment.
“Security is seen as the responsibility of the integrator”: Often, ICS security is not covered in the service level agreements (SLAs) and contracts with the SIs and various OEM vendors. Even when covered, these contracts rarely include statements for keeping security mechanisms up to date.
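The second reason above, IT/OT firewall rules left wide open for OEM and SI support access, is a pattern that can be checked mechanically. The audit below is an added example, not code from the presentation or from Deloitte; the rule format, zone names, addresses and the sample rules are constructed assumptions for illustration.

```python
# Added example (not from the presentation): flag over-permissive rules on an
# IT/OT boundary firewall. Rule format, zone names and addresses are assumed.
from dataclasses import dataclass

OT_ZONES = {"PCN", "SCADA"}              # assumed names for the OT side
IT_ZONES = {"CORP", "DMZ", "INTERNET"}   # assumed names for the IT side

@dataclass
class Rule:
    name: str
    src_zone: str
    src: str       # host, CIDR or "any"
    dst_zone: str
    dst: str       # host, CIDR or "any"
    dport: str     # TCP/UDP port or "any"
    action: str    # "allow" or "deny"

def audit_rule(rule):
    """Return findings for one rule; an empty list means no permissive pattern."""
    findings = []
    if rule.action != "allow":
        return findings                  # deny rules never widen access
    if not (rule.src_zone in IT_ZONES and rule.dst_zone in OT_ZONES):
        return findings                  # only IT-to-OT rules are in scope here
    if rule.src == "any":
        findings.append("any source into OT: restrict to a named support jump host")
    if rule.dst == "any":
        findings.append("any destination in OT: name the specific controller or server")
    if rule.dport == "any":
        findings.append("all ports open: allow only the vendor's support protocol port")
    if rule.src_zone == "INTERNET":
        findings.append("direct Internet-to-OT path: terminate vendor access in a DMZ")
    return findings

def audit(rules):
    # Map rule name -> findings, listing only rules that need attention.
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule.name] = findings
    return report

# Constructed sample: the "flexible" OEM support rule beside a tightened pair
# (one named jump host to one engineering workstation, then default deny).
PERMISSIVE = [Rule("oem-support", "INTERNET", "any", "PCN", "any", "any", "allow")]
TIGHTENED = [
    Rule("oem-jump-to-eng-ws", "DMZ", "10.10.5.20/32", "PCN", "10.20.1.15/32", "443", "allow"),
    Rule("default-deny-ot", "DMZ", "any", "PCN", "any", "any", "deny"),
]
```

Running `audit(PERMISSIVE)` reports four findings against the single support rule, while `audit(TIGHTENED)` reports nothing.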
Steps to follow for cyber security
1. Understand the threats to the organization and determine the target security level
2. Gain insight into the existing security capabilities of the organization
3. Understand the gaps, and define and implement preventive measures
4. Monitor the infrastructure and applications to detect anomalies
5. Respond to incidents and recover to business-as-usual
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms. Copyright © 2017 Deloitte Development LLC. All rights reserved. 36 USC 220506
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.