industrial cyber attacks | Industrial control systems – Waterfall Security Solutions
https://waterfall-security.com
Sun, 13 Jul 2025 10:00:09 +0000

Checklist: 9 Best Practices to Safeguard Upstream Oil & Gas Operations from Cyber Attacks
https://waterfall-security.com/ot-insights-center/oil-gas/checklist-9-best-practices-to-safeguard-upstream-oil-gas-operations-from-cyber-attacks/
Wed, 14 Feb 2024 12:02:50 +0000

Our checklist infographic takes a dive into what to consider and secure when it comes to Upstream operations.


Upstream Oil & Gas production has a unique range of threats and risks to consider when compared to other industrial operations.

Our checklist infographic takes a dive into what to consider and secure when it comes to Upstream operations.

Some highlights of what is covered:

- CIE and IT best practices that apply to upstream operations and cyberattack preparedness.

- Onsite security, personnel security, and employee training that goes a long way.

- Protecting against remote threats without restricting outside connectivity.

Download our infographic checklist to make sure that you’ve covered all your bases in securing your upstream operations.

About the author

Kevin J. Rittie

With over 30 years in the control system market, Kevin Rittie is a seasoned software and cybersecurity professional who has led diverse development groups with budgets up to $10M. He has a comprehensive background, starting as a project engineer and software developer, and has excelled in roles such as Product Management, Cybersecurity, Sales, and Marketing. Kevin's innovative contributions include leading the design of a patented control visualization architecture and driving the development of energy management solutions, culminating in the establishment of his own business, RevelationSCS, focused on change management, software practices, and securing critical infrastructure.
Strengthening OT Security in Japan
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/strengthening-ot-security-in-japan/
Wed, 15 Feb 2023 00:00:00 +0000

OT security in Japan is strengthened by today’s announcement of a partnership between Waterfall Security Solutions, the OT security company, and Terilogy, a Japanese technology product and services provider. Advanced automation and digitization in control system networks make critical infrastructures and other industrial processes vulnerable to cyber attacks in today’s steadily deteriorating cyber threat environment. Compromised OT systems can result in physical consequences, ranging from damage to long lead-time assets, to threats to public safety and even to employee casualties. This partnership is a timely response to the urgent need to strengthen Japanese industrial assets against cyber attacks.

Waterfall Security Solutions and Terilogy share the goal of making Waterfall’s Unidirectional Gateways – the world’s most advanced network perimeter protections – more readily available to customers in Japan and in the region. Terilogy is already the top distributor of Nozomi Networks OT security products and already has a track record of successfully deploying Waterfall’s unidirectional products. This new partnership helps Terilogy to better serve Japanese critical infrastructure customers in infrastructures that include electric power, manufacturing, refineries, and chemical plants.


Power Plants – examples of OT security in Japan

Unidirectional Gateways

Unidirectional Security Gateways from Waterfall provide unbreachable protection for OT networks, while enabling unlimited visibility into operations. The unbreachable protection stems from the fact that the gateway hardware is physically able to send information in only one direction – from the OT network to the IT network. There is physically no way to send anything back, which is important because all cyber-sabotage attacks are information. This means that if no information can get back into the OT network through the Unidirectional Gateway hardware, then no cyber-sabotage attacks can get back either.

Visibility into operations is made simple by server replication. The gateways make copies of a wide variety of industrial data sources, such as OPC servers, historian servers, pub/sub servers, and relational database servers. Enterprise and even Internet users can use the enterprise copies of the servers normally – all the data that is allowed to be shared with external users can be found in the unidirectionally-synchronized enterprise servers.


Colonial Pipeline incident increased concerns about OT security in Japan and around the world

Evolving Standards and Guidance

The Japanese Cabinet Cyber Security Center and the Cyber Security Strategy Headquarters have revised their guidance to strengthen protection of critical infrastructure. These changes are no surprise – in recent months, authorities in other jurisdictions have responded to the Colonial Pipeline attack and other attacks on OT infrastructures with stronger regulations for pipelines, rail systems and many other kinds of industrial infrastructure.

The new partnership between Waterfall and Terilogy enables the strongest kind of protection for critical infrastructure and manufacturing control networks for Japanese owners and operators. Deploying Unidirectional Gateways creates a strong defensive posture that stands the test of time. Even if cyber attacks become more sophisticated and more automated in the years ahead, even if ransomware criminal groups phish passwords and other credentials for large numbers of OT systems – none of these attacks can penetrate Waterfall’s unidirectional hardware today, nor will they be able to breach the hardware tomorrow, or in the years ahead. Unidirectional protection is strong protection that dramatically simplifies compliance with cybersecurity standards and guidance.


Terilogy visits Waterfall Security’s Offices on February 12, 2023

Looking Forward

Critical infrastructure products and services must be both reliable and seamlessly deployed. Waterfall’s partnership with Terilogy emphasizes both firms’ continued commitment to improving OT security in Japan with the strongest and most powerful OT security available. Automation of industrial operations is only going to increase in the years ahead, as the cyber threat environment becomes more challenging. Unidirectional Gateways enable safe integration of IT and OT systems and so speed up the deployment of new IT/OT integration and automation initiatives in thoroughly-secured designs.

About Waterfall Security

Waterfall Security Solutions’ unbreachable OT cybersecurity technologies keep the world running. For more than 15 years, the most important industries and infrastructure have trusted Waterfall to guarantee safe, secure, and reliable operations. The company’s growing list of global customers includes national infrastructures, power plants, nuclear generators, onshore and offshore oil and gas facilities, refineries, manufacturing plants, utility companies, and more. Waterfall’s patented Unidirectional Gateways and other products combine the benefits of impenetrable hardware with unlimited software-based connectivity, enabling 100% safe visibility into industrial operations and automation systems.

About Terilogy

Terilogy Co., Ltd. was established in 1989 and handles a wide range of products from hardware to software and service offerings to meet market and customer needs in four core segments: security, networking, monitoring, and solution services as a technology value creator. With more than 300 customers, mainly large corporations and telecommunications carriers, the company has extensive experience and a proven use case in network-related business.

OT Security Trends – 2022 In Review
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/ot-security-trends-2022-in-review/
Thu, 15 Dec 2022 00:00:00 +0000
Halfway through December, the time has come to look back at 2022 and ask, “What have we learned?” and, “What progress has been made?” in the space of OT security trends. On the threat side, the big news early in the year was the PIPEDREAM / INCONTROLLER malware. The attack software is presumed to be of Russian origin and was linked to the invasion of Ukraine. The malware has extensive functionality to manipulate industrial control systems from many vendors and, presumably, cause them to malfunction. The good news is that the malware was discovered before it caused any physical consequences, and to date no physical malfunctions have been attributed to the malware.

More generally, the war in Ukraine caused a great many cyber incidents, most of them in Ukraine, and most of them impacting business and government systems. Critical infrastructures and other OT providers world-wide were put on high alert early in the year, though “risk fatigue” set in within a few months of no attacks on industrial infrastructures. The reports I’m hearing from my contacts in the industry suggest that in most organizations, risk awareness has long since slipped back to very close to historically “normal” levels.


2021 OT Incidents Report

OT Security Trends 2022

So, what are we seeing, by the numbers? Last year we identified 22 cyber attacks that shut down physical operations or otherwise produced undesirable physical consequences, attacks that affected roughly 100 sites in process and discrete manufacturing industries. We hope to update this report in 2023 for the year 2022, and the year is not over, but we do have some preliminary numbers to share. In the last report, we projected that cyber attacks with OT consequences in these industries would more than double, from 22 to roughly 50. The numbers we have to date confirm that projection.

Through the end of June, we counted 25 attacks on these industries. The industries most impacted were transportation and discrete manufacturing. Almost all the attacks were ransomware, again this year. Two noteworthy exceptions were hacktivist attacks – hacktivists halted trains in three cities in Belarus and set a steel mill on fire in Iran. Only a single attack was noted in the first half on oil and gas infrastructure – the attack that shut down oil movements at the Oiltanking / Mabanaft tank farms.

Ransomware attacks continue to become more sophisticated, trailing nation state attack tools and techniques by less than five years. The bad news: if this trend continues, we should expect to see at least some ransomware actors using PIPEDREAM / INCONTROLLER class attack tools against industrial targets before 2028.

OT Security – Trends in Defenses

OT security incident reporting requirements are increasing in many jurisdictions. Germany passed stringent reporting laws recently, and reporting laws are being debated in the USA as well. Will these new laws result in more public disclosures of cyber attacks with physical consequences? Personally, I don’t foresee greater public disclosure of big incidents, though the new rules may increase reporting of smaller incidents. If the lights go out in a big city, or there is a “boil water” advisory because of a cyber incident, it is hard to keep that from the public eye, even without new laws.

In the USA, the TSA continues to issue updated rules for petrochemical pipelines, as a result of the Colonial Pipeline incident. The organization also issued new rules for rails. A common theme in these rules is the directive to keep OT networks independent of IT networks, so that if an IT network is crippled by a cyber attack, physical operations can continue unimpeded. In a sense, this is not surprising – pretty much everyone I talk to has assumed that this has been the whole point of OT cybersecurity initiatives for the last decade. Keep the lights on, keep clean drinking water in the taps, and so on. Ever since the attack that shut down the Colonial Pipeline, however, TSA directives have been making this point explicitly, for the first time.


DOE Cyber-Informed Engineering Strategy Report

OT Security Engineering

On the defensive side, a potentially more important development in 2022 is the report by the US Department of Energy on a National Cyber-Informed Engineering Strategy. The report does not explain how to do cyber-informed engineering, instead it gives a few examples, says “we need this” and lays out a plan to develop a body of knowledge that will become cyber-informed engineering.

What is it? The report gives examples of physical, unhackable mitigations for cyber attacks. These are mitigations the engineering profession has used for decades – buckle-valves to prevent over-pressurization of boilers and other pressure vessels, centrifugal kill-switches to prevent over-speed rotations of steam turbines and other heavy, rotating equipment, manual operations as a fall-back for critical infrastructures, and so on. These are tools that are unique to the OT space, and until very recently were not recognized as important parts of cybersecurity programs.

In a sense this is no surprise – these are not cybersecurity mitigations. Where is an over-pressure valve in the NIST Cybersecurity Framework? It’s not there. The framework is blind to this kind of solution. In a real sense, these OT tools and techniques are not part of the cybersecurity solution domain. They are, however, ways to address cyber threats to physical operations. After all, the engineering profession has been dealing for over a century with physical threats to public safety. Cyber threats are just another threat to public safety that must be considered in physical designs. Many of the mitigations that engineers have used for a century to prevent unacceptable physical outcomes also work against cyber threats – work just as effectively as they work against the equipment failures and human errors and omissions they were designed to address decades ago.

Wrapping Up

In a sense, the future of OT cybersecurity may seem bleak. In the name of increased efficiencies and organizational flexibility, we continue to deploy more and more computer automation – more and more targets for cyber attacks. And data in motion is the lifeblood of modern automation, so we continue to deploy more and more connections into and between our automation systems and components. The problem with this is that all cyber-sabotage attacks are information. Every one of these connections is another opportunity for our enemies to attack our constantly increasing number of targets. Neither of these trends is likely to reverse in the foreseeable future. The OT security problem is likely to get much worse before it gets any better. If you talk to young people, point out that there is job security in the OT cybersecurity world – we will need people to address this problem for decades into the future.


Emerging Consensus on ICS Security 2022
Waterfall’s Industrial Security Engineering Report

In another sense, there is progress. Standards and regulations are getting stronger, awareness is increasing, and more and more owners and operators are taking action. In particular, I have high hopes for the future of cyber-informed engineering, or “industrial security engineering” if you prefer. For too long, the engineering profession has been the junior partner in OT security programs – coming hat in hand to the enterprise security experts, asking how we might protect our systems from the consequences of cyber attacks. What the DOE report highlights is that the engineering profession has powerful tools to bring to the table – not tools to improve cybersecurity, but tools to manage physical risk arising from cyber threats.

With that I leave you for 2022. To those who celebrate Christmas, as I do, I wish you a merry Christmas! To those who celebrate other kinds of holidays at this time of year, I wish you a happy holidays! And to everyone reading, I wish you a peaceful and prosperous 2023, and look forward to working with you throughout the year, to make our world a safer place.

Secure PLC Coding Practices – Sarah Fluchs & Vivek Ponnada | Episode #64
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/secure-plc-coding-practices-sarah-fluchs-vivek-ponnada-episode-64/
Sat, 24 Jul 2021 00:00:00 +0000
A tool for more secure layer 1 devices is available – The Top 20 Secure PLC Coding Practices. Sarah Fluchs and Vivek Ponnada, two leaders of the initiative, join us to talk about the practices and how to use them.

The Industrial Security Podcast, hosted by Andrew Ginter and Nate Nelson

Vendor Back Door | The Top 20 Cyber Attacks on Industrial Control Systems #16 | iSi
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/vendor-back-door-the-top-20-cyber-attacks-on-industrial-control-systems-16-isi/
Mon, 12 Jul 2021 00:00:00 +0000

THE INDUSTRIAL SECURITY INSTITUTE
OT / industrial / ICS cybersecurity concepts from the perspective of the world’s most secure industrial sites. Truly secure sites ask different questions, and so get different answers. Subscribe to never miss an episode

EPS. 16 – Vendor Back Door
A software developer at a software vendor inserts a back door into software used on industrial control system networks. The software may be ICS software or may be driver, management, operating system, networking, or other software used by ICS components. The back door may have been installed with the approval of the software vendor as a “support mechanism” or may have been installed surreptitiously by a software developer with malicious intent. The software checks the vendor website weekly for software updates and notifies the user through a message on the screen when an update is available. The software also, unknown to the end user, creates a persistent connection to the update notification website when the website so instructs, and permits personnel with access to the website to operate the machine on the ICS network remotely. Hacktivist-class attackers discover this back door and compromise the vendor’s software update website with a password phishing attack. The attackers then use the back door to impair operations at industrial sites associated with businesses the hacktivists have imagined that they have some complaint against. Note that antivirus systems are unlikely to discover this back door, since this is not the autonomously propagating kind of malware that AV systems are designed to discover. Sandboxing systems are unlikely to discover it either, since the only network-aware behavior observable by those systems is a periodic call to a legitimate vendor’s software update site asking for update instructions.

THE TOP 20 CYBERATTACKS ON INDUSTRIAL CONTROL SYSTEMS
These Top 20 attacks have been selected to represent cyber threats to industrial sites across a wide range of circumstances, consequences and sophistication. No industrial operation is free of risk, and different industrial enterprises may legitimately have different “appetites” for certain types of risks. In this series we show how to use the Top 20 Cyberattacks to compare the strength of two security postures at a hypothetical water treatment plant: Defence in depth 2013 (software-based security) vs. that same security posture plus a unidirectional security gateway device (providing hardware-enforced security). We ask the question: does either defensive posture reliably defeat each attack? Over the course of 20 episodes we build a score card that can be used to easily communicate risk reduction benefits to business decision makers who are not familiar with cyber security.

ABOUT ANDREW GINTER
At Waterfall, Andrew leads a team of experts who work with the world’s most secure industrial sites. He is author of two books on industrial security, a co-author of the Industrial Internet Consortium’s Security Framework, and the co-host of the Industrial Security Podcast. Andrew spent 35 years designing SCADA system products for Hewlett Packard, IT/OT connectivity products for Agilent Technologies, and OT/ICS security products for Industrial Defender and Waterfall Security Solutions.

Compromised Remote Site | The Top 20 Cyber Attacks on Industrial Control Systems #15 | iSi
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/compromised-remote-site-the-top-20-cyber-attacks-on-industrial-control-systems-15-isi/
Tue, 29 Jun 2021 00:00:00 +0000

EPS. 15 – Compromised Remote Site
In a SCADA system such as might control an electric distribution system or water distribution system, an attacker targets a substation or pumping station that is physically remote from any potential witnesses. The attacker physically cuts the padlock on a wire fence around the remote station and enters the physical site. The attacker locates the control equipment shed, typically the only roofed building at the site, and again forces the door to gain entry to the shed. The attacker finds the only rack in the small site, plugs a laptop into the Ethernet switch in the rack, and tapes the laptop to the bottom of a piece of computer equipment low in the rack where it is unlikely to be detected. The attacker leaves the site. An investigation ensues, but the investigators find only physical damage and nothing apparently missing. The extra laptop low in the rack is not noticed. A month later, the attacker parks a car near the remote site and interacts with the laptop via Wi-Fi, enumerating the network and discovering the connections back into the central SCADA site. The attacker uses the laptop to break into equipment at the remote site, and from there into the central SCADA system. The attacker then uses Ukraine-style techniques to cause physical shutdowns.

In the Trenches: Cryptosystems & Connectivity – Sam Elsner | Episode #59
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/in-the-trenches-cryptosystems-connectivity-sam-elsner-episode-59/
Wed, 05 May 2021 00:00:00 +0000
Encryption is everywhere, but making it work in industrial settings is harder than it looks. Join Sam Elsner, Senior Manager for the Kepware-focused applications engineering team at PTC, for a deep dive on how modern systems are connected and encrypted.

Malicious Outsourcing | The Top 20 Cyber Attacks on Industrial Control Systems #13 | iSi
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/malicious-outsourcing-the-top-20-cyber-attacks-on-industrial-control-systems-13-isi/
Mon, 03 May 2021 00:00:00 +0000

EPS. 13 – Malicious Outsourcing
An industrial site has outsourced a remote support function to a control system component vendor, for example: maintenance of the plant historian. The vendor has located their world-wide remote support center in a country with an adequate supply of adequately educated personnel and low labour costs. A poorly paid technician at this support center finds a higher paying job elsewhere. On the last day of employment, this technician decides to take revenge on personnel at a specific industrial client, the same personnel who recently complained to the technician’s manager about the technician’s performance. The technician logs into the client site using legitimately acquired remote access credentials, two-factor credentials and the permanent VPN connection to the targeted site. The technician logs into all the site’s control system computers for which the credentials provide access and leaves a small script running on each that, one week later, erases the hard drives on each computer.

THE TOP 20 CYBERATTACKS ON INDUSTRIAL CONTROL SYSTEMS
These Top 20 attacks have been selected to represent cyber threats to industrial sites across a wide range of circumstances, consequences and sophistication. No industrial operation is free of risk, and different industrial enterprises may legitimately have different “appetites” for certain types of risks. In this series we show how to use the Top 20 Cyberattacks to compare the strength of two security postures at a hypothetical water treatment plant: Defence in depth 2013 (software based security) vs. that same security posture plus a unidirectional security gateway device providing hardware enfonced security). We ask the question, does either defensive posture reliably defeat each attack? Over the course of 20 episodes we build a score card that can be used to easily communicate risk reduction benefits to business decision makers who are not familiar with cyber security.

ABOUT ANDERW GINTER
At Waterfall, Andrew leads a team of experts who work with the world’s most secure industrial sites. He is author of two books on industrial security, a co-author of the Industrial Internet Consortium’s Security Framework, and the co-host of the Industrial Security Podcast. Andrew spent 35 years designing SCADA system products for Hewlett Packard, IT/OT connectivity products for Agilent Technologies, and OT/ICS security products for Industrial Defender and Waterfall Security Solutions.

 

The post Malicious Outsourcing | The Top 20 Cyber Attacks on Industrial Control Systems #13 | iSi appeared first on Waterfall Security Solutions.

]]>
IIoT Pivot | The Top 20 Cyber Attacks on Industrial Control Systems #12 | iSi https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/iiot-pivot-the-top-20-cyber-attacks-on-industrial-control-systems-12-isi/ Sun, 18 Apr 2021 00:00:00 +0000 https://waterfall-security.com/ot-insights-center/uncategorized/iiot-pivot-the-top-20-cyber-attacks-on-industrial-control-systems-12-isi/ The post IIoT Pivot | The Top 20 Cyber Attacks on Industrial Control Systems #12 | iSi appeared first on Waterfall Security Solutions.

]]>



THE INDUSTRIAL SECURITY INSTITUTE
OT / industrial / ICS cybersecurity concepts from the perspective of the world’s most secure industrial sites. Truly secure sites ask different questions, and so get different answers. Subscribe to never miss an episode

EPS. 12 – IIoT Pivot
Hacktivists unhappy with the environmental practices of an industrial site learn from the popular press that the site is starting to use new, state-of-the-art Industrial Internet of Things edge devices from a given vendor. The attackers search the media to find other users of the same components at smaller and presumably less well-defended sites. The hacktivists target these smaller sites with phishing email and gain a foothold on the IT and ICS networks of the most poorly defended of these IIoT client sites. The hacktivists gain access to IIoT equipment at these poorly defended sites and discover that the equipment is running an older version of Linux with many known vulnerabilities, because the poorly defended site has not updated the equipment firmware in some time. The attackers take over one of the IIoT devices. After looking at the software installed on the device, they conclude that the device is communicating through the Internet with a database in the cloud from a well-known database vendor. The attackers download Metasploit to the IIoT device and attack the connection to the cloud database with the most recently released exploits for that database vendor. They discover that the cloud vendor has not yet applied one of the security updates for the database, and the attackers take over the database servers at the cloud vendor. In their study of the relational database and the software on the compromised edge devices, the hacktivists learn that the database has the means to order edge devices to execute arbitrary commands. This is a “support feature” that allows the central cloud site to update software, reconfigure the device, and otherwise manage complexity in the rapidly evolving code base for the cloud vendor’s IIoT edge devices.
The hacktivists use this facility to send commands, standard attack tools and other software to the Linux operating system in the edge devices in the ICS networks the hacktivists regard as their legitimate, environmentally irresponsible targets. Inside those networks, the attackers use these tools and remote command facilities to carry out reconnaissance for a time and eventually erase hard drives or cause what other damage they can, triggering unplanned shutdowns. In short, hacktivists attacked a heavily defended client of cloud services by pivoting from a poorly defended client, through a poorly defended cloud.


]]>
Lessons from 2020: Defeating Targeted Ransomware Attacks at Industrial Sites https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/lessons-from-2020-defeating-targeted-ransomware-attacks-at-industrial-sites/ Sun, 11 Apr 2021 00:00:00 +0000 https://waterfall-security.com/ot-insights-center/uncategorized/lessons-from-2020-defeating-targeted-ransomware-attacks-at-industrial-sites/ The post Lessons from 2020: Defeating Targeted Ransomware Attacks at Industrial Sites appeared first on Waterfall Security Solutions.

]]>
New article by Mike Firstenberg, Director of Industrial Security at Waterfall Security Solutions. The article was first published in the ICSJWG Newsletter.


]]>