Cyber Security of Oil and Gas

20 Oct 2009

Security for Oil Industry Operators’Cyber Critical Infrastructure

Security for Oil Industry Operators’ Cyber Critical Infrastructure Key Security Issues of Communication Conversion Strategies

20 Oct 2009


Agenda- Process Automation Infrastructure- Business Automation Infrastructure- Integrated Business & Process Automation- Enterprise Digital Nervous System- Traditional Communication Architecture- Comm. Convergence Strategies / Architecture - Security Challenges / Mitigation - Q & A

20 Oct 2009


Real-time Process Automation (Operations Perspective)

Human Layer

Physical LayerPetroleum Industry Process Infrastructure Civil facilities Infrastructure

etc

Flow lines & Pumping Units

Power & Water Structures

Reservoirs, Wells, Surface & subsurface Facilities

etc

Real-time Operation Centers

Administration Buildings

Fields Constructions

etc

RTU s / PLC s / Meters

Process Control Communication Networks

Supervisory Stations

Recovery from Failures / etc

Management

Security Enforcement

Operations staff: Monitoring & Control of Physical process

Process Control Layer (SCADA/DTC, etc)

Communications equipment Status Monitoring / etc

Valves Status & Control Signals

Access Control / Fire Fighting/ HVAC / Surveillance

Oil Flow Monitoring / Pressure Readings

20 Oct 2009


Business Automation (IT Perspective)

Human Layer

IS/IT Layer

Physical Layer

HRMS / Financial/

etc

Petroleum Industry Process Infrastructure

Civil Infrastructure Other Physical Assets

Internet Access

KM Office Automation

/Collaboration

EmailGISCMMSERP

etc

Transportation Facilities

Labs

Maintenance Workshops

IT Networks

IT Services

Computers

IS Applications

Operations-Staff / etc

Employees

Non-Operations Staff

Managers

Petroleum Technical

Applications

20 Oct 2009


IS/IT Layer

Human Layer

Physical Layer

Petroleum Industry Process

Infrastructure


IS/IT Applications & ServicesInfrastructure

IT PerspectiveGlobal Perspective

Enterprise Communications

Human Layer

Enterprise IS/IT

Physical Layer

Petroleum Industry Process Infrastructure


Process control Layer

Operations Users Non-Operational Users

Non-operational Information

operational Information

Enterprise Information (Operational + Non-Operational

Integrated Business & Process Automation

Muxs, Routers, Switches, Security Appliances, etc

Copper Twisted Pairs, Coaxial, etc

Carrier Waves (Satellite, Microwave, etc

Fiber Cables

Process Control Layer

Human Operations Layer

Physical LayerPetroleum Industry Process

InfrastructureCivil Infrastructure

Operational Perspective

Process Control ApplicationsInfrastructure

+=

20 Oct 2009



Oil Operator’s Operating Model

Technology Domain

Cyber Critical Infrastructure

Business Domain

IS/IT RT Process Control

Enterprise Digital Nervous System

20 Oct 2009


The Analogy

Enterprise Information Systems

Process Control Systems


External world

Corporate IT Systems Data

Input & reporting

Field Equipment: PLC, RTU, Meters, etc

Actuators

Process

Sensors

Brain

Autonomic Nervous System

Spinal cord & Other Nerves

Somatic Nervous System

Human Senses

Muscles

http://images.google.com/imgres?imgurl=http://informl.com/wp-content/uploads/2008/05/brain_witelson.jpg&imgrefurl=http://informl.com/2008/05/01/brains-are-applesauce/&h=326&w=324&sz=21&hl=en&start=1&tbnid=1IdkHJo8JnkN3M:&tbnh=118&tbnw=117&prev=/images%3Fq%3Dbrain%26gbv%3D2%26hl%3Den



http://rds.yahoo.com/_ylt=A9G_bHNEuo1IPWABr86JzbkF;_ylu=X3oDMTBqczRiNXN2BHBvcwM0MgRzZWMDc3IEdnRpZAM-/SIG=1jkre4g09/EXP=1217334212/**http%3A/images.search.yahoo.com/images/view%3Fback=http%253A%252F%252Fimages.search.yahoo.com%252Fsearch%252Fimages%253Fp%253DAutonomic%252Bnervous%252Bsystem%2526js%253D1%2526ei%253Dutf-8%2526fr%253Dsfp%2526xargs%253D0%2526pstart%253D1%2526b%253D22%2526ni%253D21%26w=138%26h=174%26imgurl=dfwacupuncturechiropractic.com%252FImages%252FAutonomicNervousSystemB.jpg%26rurl=http%253A%252F%252Fdfwacupuncturechiropractic.com%252F%26size=6.3kB%26name=AutonomicNervousSystemB.jpg%26p=Autonomic%2Bnervous%2Bsystem%26type=JPG%26oid=cd4247305dfff4ca%26no=42%26tt=1,554%26sigr=1169aft5l%26sigi=1214ilhen%26sigb=13oaqf58g



http://images.google.com/imgres?imgurl=http://www.ets-sideeffects.netfirms.com/Spinal.gif&imgrefurl=http://www.ets-sideeffects.netfirms.com/thebody.html&h=423&w=300&sz=32&hl=en&start=3&tbnid=cWXAzNWSUqE3mM:&tbnh=126&tbnw=89&prev=/images%3Fq%3D%2522Spinal%2Bcord%26gbv%3D2%26hl%3Den



http://images.google.com/imgres?imgurl=http://thebrain.mcgill.ca/flash/i/i_01/i_01_cr/i_01_cr_ana/i_01_cr_ana_2a.jpg&imgrefurl=http://thebrain.mcgill.ca/flash/i/i_01/i_01_cr/i_01_cr_ana/i_01_cr_ana.html&h=380&w=210&sz=59&hl=en&start=8&tbnid=QIPp6y0y4wlmUM:&tbnh=123&tbnw=68&prev=/images%3Fq%3D%2522Somatic%2Bnervous%2Bsystem%26gbv%3D2%26hl%3Den



20 Oct 2009


RT Monitoring & Control Field Equipment @ Rigs, Wells, De-gassing Stations, etc

Traditional Communications Architecture

Field 1 Field 2 Field 3 Field 4 Field 5

Onshore HQ : Back office Support, Administration &

Integrated Operations

RTU PLC Meter RTU PLC

Process Control Network

IS/ IT NetworkTelephony Network

- Separate Networks

- Different Network Management Systems- Different Services: Voice, data, Process

- Separate Support Staff

Key Issues:

20 Oct 2009


Converged Communications ArchitectureVision: Connected EnterpriseFrom Wells to Terminals

- Network conversions

- Network Management convergence- Service Convergence: UC

- Comm. Management Centralization

Key Strategies:

Key Security Challenges :- Maintaining the Security of Process Control Systems- Maintaining the Networks Security- Maintaining Network Management Security - Securing UC

instant messaging presence informationIP telephony video conferencingspeech control Voicemaile-mail SMS fax

20 Oct 2009


Securing the Integration of Process Control Systems

ISA99 / EttF based defense-in-depth architecture

ANSI/ISA99 (International Society of Automation): Security Guidelines and User Resources for Industrial Automation and Control Systems

ISA-S95/ IEC 62264: International Standard for Enterprise Control System Integration (object model, data, …).

Defense-in-depth Strategies: such as Ethernet-to-Factory (EttF) and others

Mirroring:Use applications and historian servers’ mirroring to ‘de-stage’ the interface between IS and process control systems.

Multi-homing:Use of multi-homed servers to ‘proxy’ the interface between the IS and the process control systems.

20 Oct 2009


Maintaining the Networks SecurityOPC UA: Use OPC Unified Architecture for secures date exchange between the process control systems and enterprise IS

Signed Message Exchange: Messages exchanged via OPC UA should be signed

VLAN security best practices Separate VLANs should be used for process control systems to ensure separate broadcast domains are dedicated to their traffic. Best Practice for mitigating MAC Flooding, ARP Spoofing, VLAN hopping, etc IEEE 802.1X: Standard for Network Access Control for IEEE 802.16 and IEEE 802.11 based networks

Computer & User certificates: If wireless devices (e.g. Laptops or PDAs) are used to access the network, they should be secured by computer digital certificates. Users certificates should be used as well

20 Oct 2009


Maintaining Network Management Security MRP (IEEE 802.1ak-2007 amendment): Multiple Registration Protocol (MRP) can be used for LAN convergence to allow the same hardware switches to comprise computers from both control system VLANs and IS/UC VLANs

SNMPv3: Simple Network Management protocol version 3 for WAN management.

X.509: An authentication certificates standard which can be used for authenticating remote dialup users and computers intended to do network management tasks.

Dedicated Management Platform(s): The management VLAN should be accessed only by the network management computers which are dedicated for management purposes.

Dedicated Trusted Specialists: Access should be limited to specific specialized authorized persons.

Private Networks:If remote access is needed for network troubleshooting, Internet should not be used. Instead, PSTN or ISDN dialup access should be used. If third party access to the network is allowed (e.g. for vendor support), ISDN/PSTN should be also used, Internet VPN based access should be avoided for network management purposes.

Certificates: Authentication should be done in the user level and computer level. Support from third party should be secure.

20 Oct 2009


Securing UC Secure Real-time Transport Protocol (SRTP): It defines a profile of RTP (Real-time Transport Protocol) and is intended to provide encryption, message authentication and integrity, and replay protection to the RTP data in both unicast and multicast applications.Transport Layer Security (TLS):To encrypt network connections at the Transport Layer end-to-end. Several versions of the protocols are in wide-spread use in applications like web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).Session Initiation protocol (SIP): is a signaling protocol, widely used for controlling multimedia communication sessions such as voice and video calls over Internet Protocol.Ports:Use UC software with reduced open ports requirements for audio /video support.Encryption:Use encrypted network communications.Configuration:Use vendor provided best practice for secure deployment and configuration of UC applicationsSIP Configuration:Ensure that all SIP communications between servers and communications between clients and servers occur over TLSEdge Servers:Deploy edge servers to allow internal and external users to safely engage in Instant Messaging (IM),

20 Oct 2009


Q & A

Thank You

Documents

Cyber Security of Oil and Gas