Digital danger zone: tackling cyber security
Protecting the Middle East's energy infrastructure from cyber threats
The protection of critical national infrastructure has long been a serious concern to governments in this region, but a comprehensive approach can no longer be limited to physical security. The widespread use of interconnected networks and control systems in the national oil, gas, power, water and electricity sectors means there is now a very real and growing need to enhance cyber security, highlighted by an ever-increasing number of international attacks.
Indeed, as a region responsible for much of the world’s energy, GCC countries are placing cyber defence as one of their priority areas for development. Saudi Arabia has plans to spend $3.3bn on oil and gas infrastructure security and Qatar, Oman, Kuwait and the UAE are set to follow suit over the coming years.
“The cyber security threat to energy installations is surprisingly widespread, running across utilities and distribution networks to generation, refining, and even drilling and exploration. Most security professionals now say that if you think you have not had your security breached then you just haven’t detected it,” says Professor Paul Dorey, director at CSO Confidential.
“Wherever there is digital technology there is the potential of cyber threat. What can change between industry sectors is the nature of the motivation of attack. Basic utilities have less information of commercial value to steal than do exploration companies bidding for assets, however both have the potential to create widespread disruption if their operations are stopped or disrupted by attack on critical cyber systems such as industrial control,” Dorey adds.
Governments and large corporations all over the world should be wary of a growing cyber menace in 2012 in particular, according to experts at Kaspersky Lab. Not only will there be a dramatic increase in the number of targeted attacks on state institutions and large companies, it is also likely that a wider range of organisations will bear the brunt of the expected onslaught.
“At the moment, the majority of incidents affect companies and state organisations involved in arms manufacturing, financial operations, or hi-tech and scientific research activities. In 2012 companies in the natural resource extraction, energy and transport industries will be affected, as well as information security companies,” warns Alexander Gostev, head of the global research and analysis team at Kaspersky Lab. “Attacks will range over more of the world than ever before, spreading beyond Western Europe and the US and affecting East Europe, the Middle East and South-East Asia.”
It has been reported that there was more than a 40 per cent increase across the Middle East in computers infected by malware in 2011. The threat of such viruses was highlighted by the discovery in 2010 of the most sophisticated cyber attack to date, Stuxnet. It was a vicious computer worm with highly specialised malware coded to target specific Supervisory Control and Data Acquisition (SCADA) systems and disrupt their operational activities but without the operators being aware of such changes.
“SCADA networks are widely used in all industrial sectors and provide essential services and commodities in a very efficient manner,” explains Dr Nick Coles, founder and organiser of the International Forum to discuss the cyber security of energy and utilities sectors in the Middle East.
“However, they were originally designed to maximise functionality with little attention paid to security. Consequently performance, reliability and safety of these highly complex and interconnected systems are invariably robust, but the security is weak, making them vulnerable to disruption of service, process redirection or manipulation of operational data that could result in public safety concerns and even loss of life,” adds Coles.
The management need for information and remote control in the modern energy business has led to the adoption of common network protocols and the connection of many of these SCADA and Industrial Control Systems (ICS) to the corporate network.
While these changes have resulted in business benefits, they also have meant that control system security is even more prone to the same cyber threats faced by corporate networks.
The Stuxnet worm demonstrated that such malware can cause real damage to public safety, the economy and the environment. At the same time, Stuxnet drew attention to the enhanced cyber security needs of ICS systems.
As a result of this Stuxnet attack, which had a profound influence on cyber security, countries have published national cyber strategies and programmes in order to regulate and clarify their security risks and threats. An example of intergovernmental cooperation is the recent US-EU joint cyber security exercise to defend against potential attacks.
The cyber threats are by no means limited to the Stuxnet concern. The Night Dragon virus drew attention to the ability of such viruses to steal highly sensitive competitive information, from oil and gas companies especially, and these are now being superseded by a new type of digital infection, the Advanced Persistent Threat (APT). These viruses can upload and propagate themselves into IT/ICS systems without any immediately noticeable effect and can collect intelligence data over a long period of time without detection.
The Night Dragon attacks work by methodical and progressive intrusions into the targeted infrastructure. Using several locations in China, Night Dragon attackers leveraged command and control servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage attacks against global oil, gas, and petrochemical companies, as well as individuals and executives in Kazakhstan, Taiwan, Greece, and the United States to acquire proprietary and highly confidential information.
The primary operational technique used by the attackers comprised a variety of hacker tools, including privately developed and customised RAT tools that provided complete remote administration capabilities to the attacker. RATs provide functions similar to Citrix or Microsoft Windows Terminal Services, allowing a remote individual to completely control the affected system.
Most recently another new virus, Duqu, has appeared in the Middle East and potentially differs from its predecessors in that it gathers intelligence data such as design documents and assets from ICS systems for example in order to plan for a future cyber attack.
If Stuxnet was a wake-up call for industry then Duqu is further evidence of the severity of attacks. Cyber attacks from increasingly sophisticated malware are growing exponentially. Combating them requires robust yet simple-to-implement cyber security technology; sustained, consistent and regularly updated education in this area; enhanced public-private partnerships; and well thought-out cyber security standards that industry can easily follow in order to truly protect its plants and assets.
The range of motivations potentially behind a cyber attack on a nation’s energy infrastructure is broad. “At the forefront of popular consciousness are of course other nation states, criminals, terrorists, hackers and even disgruntled employees,” explains Justin Lowe, a smart energy expert at PA Consulting Group.
“This makes cyber attacks difficult to defend against because the attacker could be located anywhere in the world, and could even be internal to the impacted organisation,” he adds.
Despite the huge variety in aggressor origins, Eric Byres, CTO and VP Engineering of Tofino Security, Belden Inc and the world’s foremost authority on ICS security, says that often the real dangers are overlooked. “People tend to focus on terrorists and hackers, but currently criminal groups are a more likely aggressor. There are lots of financial motivations. Impacting the production of a competitor, short selling the shares of a company undergoing a production, environmental or safety incident or extorting money under the threat of a disruption are all potentially profitable activities for a criminal group.”
These same motivations could also be attractive to nation-states or political groups. However, unlike terrorist or state-sponsored sabotage, which still tends to be accompanied by violence and a tendency for the spectacular, Dorey notes that unless attackers admit to perpetrating an attack, victims are left with complicated and difficult forensic tracing, which could lead to an involuntary accomplice (such as someone’s computer owned by a botnet) as easily as to the real perpetrator.
“However, good intelligence work does tell us that the attackers do tend to fall into three groups categorised by motives and capability: State Actors – concerned with economic espionage, possibly also carrying out intelligence into the possibility of disrupting critical national infrastructure. Secondly, organised crime, which is typically looking for opportunity for fraud or information theft. And finally, ‘Hacktivists’, individuals or organisations often protesting against the political, economic, social or environmental activities of companies or governments. This includes both highly connected and capable attackers but also a whole raft of technically unsophisticated and inexperienced attackers,” says Dorey.
As touched on above, the vast majority of control systems were not built with security in mind. The introduction and proliferation of standardised IT systems and IT networks in industrial control systems has brought the possibility of cyber attacks deeper into focus.
The need of Middle Eastern nation states, and their customers, for a reliable, uninterrupted and predictable power supply has never been more critical. Growing asset management and production expectations call for the roll-out of intelligent systems to deliver this, and it is precisely that technology which many see as the core vulnerability to cyber attack.
“This is taking place in the context of a time when many existing oil and gas reserves are going into or are already in decline and new reserves are more difficult to find, develop or produce. These changes result in a more complex, integrated energy infrastructure with a greater reliance on information technology, operations technology, and communications,” explains Lowe. As a result, this evolving energy infrastructure is more vulnerable to cyber security issues.
Improved efficiency and increased production from utilities assets is driving wider digital implementation. With these changes comes the extra threat of cyber attack, and it is imperative to understand what E&P data exists, where it needs to flow and where the security risks lie in order to keep DOF implementation secure.
“To coincide with this need for more integrated IT, there has been a dramatic increase in cyber security risks. There are now well publicised security incidents affecting oil, gas, electricity and water companies and infrastructures. The sophistication of these attacks has increased over the last few years and it is now time for all energy companies to identify and evaluate the risks they face and how they address them,” he adds.
The vulnerabilities in the energy business are very real, adds Byres. “There are real weaknesses. The systems deployed in the energy sectors were never designed to be secure – they were designed to be safe, reliable and productive. Unfortunately the hackers have discovered this in the past year and the list of known product vulnerabilities has exploded,” he warns.
Of course, failures in computer systems can and do happen by accident, but these should be managed separately to a cyber security strategy, stresses Dorey.
“A security incident comes from deliberate malicious intent and needs defence and detection mechanisms that look to outthink a deliberate adversary - this is not the case with mistakes and is why safety risk management does not automatically extend to security concerns.
“Some security attacks (like propagating viruses) spread to and impact systems that the attacker did not intend to attack, and many industrial control systems have suffered from this type of ‘collateral damage’ rather than being deliberately targeted. Accidental or not it is still key that ICS systems are defended against unintentional spread,” he adds.
Despite the myriad threats, experts largely agree on the approach necessary to avoid a catastrophe, be it commercial, environmental or otherwise.
“The very first place to start is to do a risk analysis to determine exactly what is the ‘worst-case scenario’ for a specific plant or company,” says Byres. “Then companies need to develop mitigation strategies to make sure those scenarios never occur. For example, in the oil and gas industry, the Safety Integrated System (SIS) is the last line of defense against a major process disaster. Unfortunately these systems are often only loosely secured, if at all, so protecting these needs to be a priority.”
In industrial control systems the main weaknesses exploited are the connections with other business, industrial or engineering systems, and even the internet. In many cases these systems were not originally designed with cyber security in mind, so weaknesses around access control and communications resilience can be straightforward to find and exploit. This is further exacerbated by the fact that updating or patching these systems to address known weaknesses can be logistically challenging in production environments.
“It is also important to understand that even where systems are isolated there are still risks – attacks can still be performed by individuals or by intentionally planting or accidentally transferring malicious code into these systems,” says Lowe.
“A common security approach is to secure the connection between systems but often the systems themselves remain vulnerable behind these secure connections. The vulnerability of the core systems is the real issue as it is very difficult to manage the ongoing security of these systems,” he adds.
A key area to focus on are new projects where new systems and technologies are being deployed. It is essential that cyber security risks are identified and addressed as part of these projects as bolting on security later is costly and less effective than getting it right from the start.
Throughout the local upstream industry there is an understanding of the risks and of the need for a coordinated security strategy; however, the overlapping responsibilities of project engineers and senior managers can lead to confusion over where best to start.
Dorey says the biggest management challenge in industrial control systems is the gulf between security expertise – usually held within the IT function – and deep engineering and industrial control knowledge, held by the plant engineers and technology team.
“Some IT security solutions work well in the ICS environment and others are disastrous. Getting teams cross-trained and skilled with hybrid security and ICS knowledge must be a priority. Security vendors also need to significantly improve their understanding and build industrial-strength security solutions; a few key suppliers understand the requirements, but most just offer standard IT solutions which could even create rather than solve security problems,” he warns.
The security challenges are significant, and there is no silver bullet solution to cyber security either in the corporate environment or industrial operational environment.
“New technology solutions are being developed all the time – many of which are very useful in securing systems. However, many organisations naturally focus on technology as the main method of dealing with security risk. The best safeguard is understanding the risk and establishing a security culture within the organisation to address the risks. Ultimately, organisations rely on people, process and technology to be secure,” explains Lowe.
“One of the most effective safeguards an organisation can invest in is being prepared to detect and respond to a security incident. This can be as simple as developing some pragmatic procedures and can be more valuable than spending significant funds on the latest security technology solution,” he adds.
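The article names two practical points: the weaknesses most often exploited in ICS are the connections to business systems and the internet, and the most effective safeguard is pragmatic preparation to detect and respond. The following Python script is an added example, not code from the article or from any of the firms quoted, showing one such pragmatic procedure: a zone-boundary check that reads connection records, assigns each address to a corporate, DMZ or control zone, and flags any cross-zone flow not on an explicit allow-list. The zone ranges, the allow-list entries (a DMZ historian polling a PLC over Modbus/TCP, business users reaching the historian over HTTPS) and the log records are all constructed assumptions for illustration. As Lowe notes, a check like this covers only the connection; the core systems behind it still need securing.

```python
"""Zone-boundary policy check over connection records (added example).

Flags cross-zone flows that are not on an explicit allow-list, so that an
operator can review unexpected paths into or out of the control network.
"""
import ipaddress
from collections import Counter

# Assumed zone addressing (hypothetical ranges, not from the article).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("192.168.100.0/24"),
}

# Assumed allow-list of permitted cross-zone flows:
# (src_zone, dst_zone, proto, dst_port)
ALLOWED = {
    ("dmz", "control", "tcp", 502),    # DMZ historian polls PLC over Modbus/TCP
    ("corporate", "dmz", "tcp", 443),  # business users reach historian web UI
}

# Constructed sample records: "timestamp src_ip dst_ip proto dst_port"
SAMPLE_LOG = """\
2012-05-21T08:00:01 10.20.0.5 192.168.100.10 tcp 502
2012-05-21T08:00:02 10.10.4.23 10.20.0.5 tcp 443
2012-05-21T08:01:17 10.10.4.23 192.168.100.10 tcp 502
2012-05-21T08:02:40 10.10.7.9 192.168.100.12 tcp 3389
2012-05-21T08:03:05 192.168.100.12 203.0.113.77 tcp 443
2012-05-21T08:03:06 192.168.100.10 192.168.100.11 tcp 502
2012-05-21T08:04:12 10.20.0.5 10.10.4.23 tcp 445
"""


def zone_of(ip):
    """Map an address to a named zone; anything outside ZONES is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_record(line):
    """Parse one space-separated connection record into a dict."""
    ts, src, dst, proto, port = line.split()
    return {"ts": ts, "src": src, "dst": dst,
            "proto": proto.lower(), "port": int(port)}


def check_record(rec):
    """Return None if the flow is permitted, otherwise a finding dict."""
    sz, dz = zone_of(rec["src"]), zone_of(rec["dst"])
    if sz == dz:
        return None  # intra-zone traffic is outside the boundary policy
    if (sz, dz, rec["proto"], rec["port"]) in ALLOWED:
        return None
    if dz == "control":
        severity, reason = "high", "inbound to control zone not on allow-list"
    elif sz == "control" and dz == "external":
        severity, reason = "high", "control zone contacting external address"
    else:
        severity, reason = "medium", "cross-zone flow not on allow-list"
    return {**rec, "src_zone": sz, "dst_zone": dz,
            "severity": severity, "reason": reason}


def analyse(log_text):
    """Run the boundary check over every non-empty record in log_text."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = check_record(parse_record(line))
            if finding:
                findings.append(finding)
    return findings


def summarise(findings):
    """Count findings per severity for a quick incident triage view."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} [{f['severity']}] {f['src']} ({f['src_zone']}) -> "
              f"{f['dst']} ({f['dst_zone']}) {f['proto']}/{f['port']}: {f['reason']}")
    print(dict(summarise(results)))
```

Run against the constructed log, the script reports three high-severity findings (two direct corporate-to-control connections and one control host reaching an external address) and one medium-severity DMZ-to-corporate flow, while the two allow-listed paths and the intra-zone PLC traffic pass silently. The value of such a check comes from keeping the allow-list small and reviewed, as the article recommends for risk assessments generally.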
Additionally, the step to wireless, which has always raised security related questions from the industry, may actually be helping migrate upstream firms into safer territory.
“Frankly most of the wireless deployments I see are better than the wired ones in terms of security. People see the word ‘wireless’ and they immediately ask themselves: What do I need to do about security? With wired systems, security never crosses their mind,” Byres states.
Whilst wireless networking can introduce potential security risks to networks and facilities, many secure wireless solutions have been developed.
“Companies implementing wireless solutions in the industrial environment should only do so having been informed by a thorough risk assessment and should design the wireless solution to address the identified risks,” explains Lowe. “These should be reviewed on a regular basis and action taken as required to maintain security levels against an evolving threat and risk landscape.”
Many local energy companies are only just beginning to recognise the cyber security risks. However, that recognition has kick-started an appetite to address, explore and counter future threats.
The upcoming Abu Dhabi International Forum to discuss the cyber security of energy and utilities sectors in the Middle East is proof that the threat is being taken seriously by energy and utility players throughout the region.
Participation from leading cyber security luminaries and their local upstream energy and utility counterparts shows that local business leaders are embracing the need for rapid, but planned, adoption of a cyber security framework.
The Middle Eastern energy industry could not be more vital to meeting the Gulf’s aspirations, as well as the stability and general wellbeing of the global economic system. The threat is being tackled, but the oil and gas industry, and its utilities counterparts cannot pause for deliberation. Action to match good intentions is now as critical as the challenge.
Don’t Miss: Abu Dhabi International Cyber Security Forum
When: 21 – 24 May 2012
Where: Hilton Abu Dhabi
The Forum will address the business needs for cyber security, the threats facing IT and Industrial Control Systems (ICS) and the best practices for security improvement. It will feature appropriate use of standards, how to respond to cyber security incidents, and the human and correct design aspects of cyber security. The Forum includes an in-depth workshop on security insights for SCADA & ICS.