Oil & Gas Connectivity – The Kuala Lumpur Meeting 2015
The Oil & Gas Cyber Security Ecosystem:
Big Data, M2M/IoT, and the Cloud
Martin Jarrold
Chief, International Programme Development
Global VSAT Forum
www.gvf.org
12-13 November 2015
Cyber-Attacks Affect Everyone
No part of industry, commerce, government, civil society, or, less directly, the individual Internet user as a customer of online services, is exempt from cyber-attacks
Targets include:
banks and financial institutions
healthcare facilities
utilities and other critical infrastructure
oil, gas and petrochemical upstream and downstream facilities
retail and consumer databases
vehicle and other mobile asset-tracking systems
telecommunications service providers
and, the satellite industry
Constant Threat
Growing menace, orchestrated by a wide variety of differently motivated perpetrators:
- mischievous and socially maladjusted IT geeks
- through to nation-state government agencies
Via
- neighbourhood thugs
- cyber-warriors
- industrial spies
- traditional trans-national criminal organizations
- organized cyber-crime groups
- Hacktivists
- state-sponsored proxy fighters
- and terrorists
Cyber-Security Resilience & Industry
Impossible to defend against all cyber-risks emanating from all these forces
Volume, as well as variety and sophistication, makes it difficult to achieve 100% prevention
However…
- Mission-critical communication networks must be made resilient enough to bounce back from an attack instantly
- Efforts to build this resilience have forced massive expansion in the cyber-security industry
- Currently the global market is estimated at 80 billion
- Forecast to increase to over 140 billion by 2019
Oil & Gas, and Satellite
Oil and gas sector – critically and increasingly dependent on an ever-more complex ICT infrastructure – has been targeted in well-known cyber-attacks
Commercial broadband satellite industry – a key networking communications solution provider to the oil and gas industry across its upstream, midstream, and downstream segments – is currently subject to a greater degree of networking security-related scrutiny than ever before
Two industries have a clear customer and provider common interest in working to ensure that cyber-security prevails
Vigilance
Constant preparation for, and need for vigilance against, the threat of cyber-attack must not be compromised by any infrastructure and systems security investment budget caps that may follow from the ongoing price per barrel oil market slump
The most famous cyber-attack on the oil and gas industry happened in 2012 when 30,000 computers in Saudi Aramco’s network were crippled by an attack by terrorists
The operations of the largest oil producer in the world were disrupted for months, but, although the terrorists actually failed to stop oil and gas production, the attack was one of the most destructive cyber-security strikes against a single business
During the current, or any other, downturn, it is critical that oil and gas companies maintain capital investment in respect of managing cyber-security risk exposure. Now, more than ever, that data needs to be protected
Critical…
Thanks to accelerating advances in ICT, the oil and gas industry has been able to automate many of its processes to ensure a safer and more cost-effective approach to exploring for, producing, and distributing energy resources
Companies have been able to significantly reduce costs through replacement of many inefficient manual processes, but with automated equipment being controlled by IT through the Internet, there needs to be a greater focus on security of networks
The evolution of cyber-threats and the exploitation of data vulnerability is escalating, and the proliferation of sophisticated efforts by malicious actors to steal and monetize corporate data or leverage it to assert power, track trends/behaviour, etc., or cause physical disruption in operations, is a growing concern in the energy industry
DDoS
One such consideration is protection against Distributed Denial of Service (DDoS) attacks, which pose a serious risk to the oil and gas industry. For example, DDoS attacks can be used to disrupt the hazard management systems at production and storage facilities. This can have potentially catastrophic consequences, or at the very least cause significant downtime, leading to damage to commercial reputation and an advantage for commercial competitors, both domestic and overseas
Passwords…
Another consideration is the connectivity of field equipment. From mobile devices used by workers, to remotely-accessed pumps, sensors, and valves, all are now connected to networks over IP, and lack of focus on securing these connections has left them vulnerable to attack. For example, many such connections may be secured by the original password they were supplied or installed with, and a password which has never been changed is simple for a cyber-attacker to exploit
CSTF 1
Centralized process and systems control in the oil and gas sector is strategically dependent on global satellite communications, an industry that – as noted above – shares in the fight to preserve cyber-security
In 2014, the GVF, the satellite industry’s only global representative body, established its Cyber Security Task Force (CSTF) as a coordination center for satellite security knowledge
Following a not insignificant volume of print and online media reports about satellite networks security, beginning around mid-2013, a GVF February 2014 press release noted that the satellite industry required a:
“…global initiative to address escalating cyber-security threats with the establishment of a task force that will identify best practice and provide guidance on how users and industry can optimize the application of VSATs to reinforce network integrity.”
Essentially, the CSTF is encouraging equipment vendors and network operators to implement robust protection measures, abandoning widely discredited practices where they still exist
CSTF 2
GVF CSTF – which includes members representing earth station/terminal equipment manufacturers and vendors, network operators, and end-users of VSAT systems – has produced the GVF Product Security Baseline (PSB)
A voluntary specification detailing requirements and recommendations for all VSAT hardware and software that supports or transmits on an IPv4 or IPv6 network
The Task Force has now also prepared the Satellite Service Provider Security Document (SSPSec)
Further details of these documents are available to members of GVF by contacting the Task Force chairman, and in the first instance by contacting me at [email protected]
ONG-ISAC
The year 2014 also saw the creation of the Oil and Natural Gas Information Sharing and Analysis Centre (ONG-ISAC). This entity is in the process of becoming operational to advance cross-company collaboration sharing of cyber-security threat intelligence, including specific oil and gas industry threats. The security of oil and gas critical infrastructure ICTs is highly complex and brings together three facets of the modern digitized world:
Big Data – The continuous churn of enormous amounts of information being gathered and sifted for specific purposes
Cloud Computing – The online storage and repository of this data using massive networks of computing resources, with less information stored on local hard drives and more data aggregated together and hosted on servers somewhere on the planet
Internet of Things (IoT) – The all-things-connected phenomenon – forecast to encompass nearly 50 billion connected devices by 2020, with an average of more than six connected devices per person – gathering this data
Big Oil, Big Data
Despite the negative impact of current market conditions we are still in the era of ‘Big Oil’. With ‘Big Oil’, and as the Digital Oilfield of today increases in sophistication, we have Big Data – solutions and services to store, manage, protect and analyze information extracted from the large volume of data streams generated by the oil industry. These streams come from such sources as drilling equipment, seismic sensors, and security applications installations, with much increasingly generated out of the rapidly expanding satellite communications/Machine-2-Machine (M2M) interface
IoT in Oil & Gas
It is the IoT which will be the ultimate realization of a future universal M2M environment which will far exceed the potential boundaries and limited scope of even the greatest reach of a legacy supervisory control and data acquisition (SCADA) systems environment. The IoT will bring ubiquitous computing, and an integrated digital and physical world. Improved sensor device capabilities will facilitate business logic at the edges of networks as decision-making is based on real-time readings from sensor networks. Satellite M2M is growing fast, and the aggregated target markets make its potential for the satellite industry very important
The Cloud
Applications and Connectivity Imperatives for the Digital Oilfield
The definition of the Digital Oilfield brings together Cloud server applications which facilitate the transfer of oil/gasfield IT infrastructure, and IT personnel expertise, away from multiple offshore, or other remote locations, to centrally located headquarters/regional offices in support of fully integrated operations which comprise ‘always-on’, real-time, well-head/drilling measurements and data networking/sharing, along with video-based equipment and instrument monitoring, video-based remote surveillance for safety and security, and video conferencing. Additionally, it encompasses components of crew welfare/training, and also Bring Your Own Device (BYOD) environments, and it is also linked with the prioritization of mission-critical traffic flows over less critical traffic
GVF CyberSecurity Task Force
Rakesh Bharania
Chair, GVF Security Task Force
Network Consulting Engineer, Cisco Tactical Operations
December 3, 2014
Update on Activities and Security Implications for HTS
Cisco Public 17© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Timeline of recent media reports…
1/9/2014: IntelCrawler report:
Scan of entire IPv4 address space “found approximately 313 open UHP VSAT Terminals, 9045 open HUGHES Terminals, 1142 SatLinkVSAT”, “use of default passwords, telnet”
Timeline: VSAT Security In the Media in 2014
1/31/2014: CERT/CC Publishes Bulletin on BGAN
Vulnerability Note VU 250358:
“Firmware developed by Hughes Network Systems used in a number of BGAN satellite terminals contains undocumented hardcoded login credentials (CWE-798) … contains insecure proprietary protocol on TCP 1827 that can be used to perform privileged operations (CWE-306)”
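A defender-side audit for the weaknesses named in the reports above (passwords never changed since installation, telnet, the TCP 1827 service), run over a terminal inventory export. This is an added example, not part of the original slides or of any GVF document; the CSV columns, terminal names and rows are constructed for illustration.

```python
import csv
import io

# Constructed sample inventory export; column names and rows are hypothetical.
SAMPLE_INVENTORY = """\
terminal_id,installed,password_changed,open_tcp_ports,mgmt_reachable_from
wellpad-07,2013-05-02,,23;80,internet
fpso-02,2012-11-19,2012-11-19,22;1827,internet
depot-11,2014-03-08,2015-01-15,22;443,mgmt-vlan
rig-04,2014-06-30,2014-09-01,22;1827,mgmt-vlan
"""

TELNET_PORT = 23
BGAN_PROPRIETARY_PORT = 1827  # TCP port named in the CERT/CC note quoted above


def audit_terminal(row):
    """Return the list of findings for one inventory row."""
    findings = []
    ports = {int(p) for p in row["open_tcp_ports"].split(";") if p}
    exposed = row["mgmt_reachable_from"] == "internet"

    # Empty or equal to the install date: the supplied password is still in use.
    if row["password_changed"] in ("", row["installed"]):
        findings.append("password never changed since installation")
    if TELNET_PORT in ports:
        findings.append("telnet enabled (cleartext management)")
    if BGAN_PROPRIETARY_PORT in ports:
        scope = "internet-reachable" if exposed else "restricted to management network"
        findings.append(f"TCP 1827 service listening ({scope})")
    if exposed and findings:
        findings.append("management plane reachable from the internet")
    return findings


def audit_inventory(text):
    """Map terminal_id -> findings for every terminal with at least one finding."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = audit_terminal(row)
        if findings:
            report[row["terminal_id"]] = findings
    return report


if __name__ == "__main__":
    for terminal, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(terminal)
        for finding in findings:
            print("  -", finding)
```
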
2/20/2014: GVF Announces Cybersecurity Task Force
“…global initiative to address escalating cyber-security threats with the establishment of a task force that will identify best practice and provide guidance on how users and industry can optimize the application of VSATs to reinforce network integrity.”
4/17/2014: IO Active report
“A Wake up Call for SATCOM Security”
Discussed vulnerabilities in Harris, Hughes, Thuraya, Cobham, JRC, Iridium products
Attacks included: backdoors, hardcoded credentials, insecure and undocumented protocols, weak password reset mechanisms.
Attempted coordinated disclosure with vendors & CERT/CC, but only Iridium responded to inquiries.
HUGE media uptake: industry press, BBC, Wired, Ars Technica, Christian Science Monitor, 60+ articles written
Black Hat 2014 (August)
The other shoe drops (after industry fails to respond in a meaningful way)
IO Active demonstrates live attack scenarios against satcom terminals to a packed room.
“SATCOM Terminals: Hacking By Air, Sea and Land” paper released to the public, detailing vulnerabilities in Harris, Hughes, Cobham, JRC and Iridium hardware
“The current status of the products IOActive analyzed makes it almost impossible to guarantee the integrity of thousands of SATCOM devices.”
Product Security Baseline
Voluntary specification created by the members of the task force
Representation from vendors, network operators, end-users of VSAT (FSS/MSS)
Details requirements and recommendations for all VSAT hardware and software that supports or transmits on an IPv4 or IPv6 network.
Details requirements and recommendations for all VSAT equipment and software vendors for vulnerability management, disclosure, etc.
The GVF Product Security Baseline
Current Status: GVF PSB is in “near final” state.
Task Force members have access to the specification, and should start implementation as soon as possible, since we do not know when vulnerabilities will be detailed or exploited.
Successful implementation will require a “culture of security,” may not be easy (or cheap) – but it does need to happen.
Security scrutiny of the satellite industry is higher than it’s ever been.
Exploitation of systems is widely discussed, and we should assume the bad guys are paying attention too – and using that knowledge maliciously.
GVF Security Task Force – a coordination center for satellite security knowledge
Vendors and network operators should implement robust protection, abandon widely discredited practices where they still exist.
Now - Satellite Service Provider Security Document (SSPSec)
In conclusion: This isn’t going away.
Thank you
[email protected]