DYNAMIC POSITIONING CONFERENCE
OCTOBER 9-11, 2017
TESTING/RISK
Cybersecurity in the Oil and Gas Industry – What’s Here and What’s Coming
Aarushi Goel GoDaddy
Why is security of O&G a concern?
List of Top 16 Critical Infrastructures
Critical Infrastructures
* Chemical Sector
* Communications Sector
* Critical Manufacturing
* Commercial facilities
* Dams Sector
* Defense
* Emergency services
* Energy
* Financial Services
* Food and Agriculture
* Healthcare
* IT sector
* Government Facilities
* Nuclear reactors
* Transportation system
* Water management
Ability to use Big Data and other leading data analytics techniques for
◦ Predictive analysis and Data modelling
◦ Achieving business goals
◦ Real time data analysis and data mining
Remote access to Offshore Rigs and Ships
◦ Reduced downtimes in case of technical failures
◦ Reduced Human risk
◦ Reduced Cost and Time
* Plant shutdown
* Equipment damage
* Utilities interruption
* Production cycle shutdown
* Inappropriate product quality
* Undetected spills
* Safety measures violation resulting in injuries and even death
UPSTREAM
* Drilling and production
* Tradeoffs in Efficiency vs Security
* Technical set up of ICS
MIDSTREAM
* Disruption of supply
* Undetected spills
* Illegal pipeline tapping
* Attacks on maritime transport
DOWNSTREAM
* Unauthorized access to refineries
* Accessibility of refinery data
* Violation of industry regulations
Five Main Stages Of NIST Framework
* IDENTIFY (ID)
* PROTECT (PR)
* DETECT (DE)
* RESPOND (RS)
* RECOVER (RC)
ASSET MANAGEMENT
- Physical devices
- Software & Applications
- Roles & Responsibilities
BUSINESS ENVIRONMENT
- Organizational mission and objectives
- Role in Supply Chain
- Dependencies and Critical functions
GOVERNANCE
- Info security policy
- Security roles & responsibilities
- Legal & Regulatory requirements
RISK ASSESSMENT
- Asset vulnerabilities
- Threats are identified
- Business impacts and likelihood
- Risk Responses
RISK MANAGEMENT
- Risk Management strategy determines
- Organizational Risk Tolerance
Access Control
• Identities & Credentials
• Physical and Remote access
Awareness and Training
• Security training
• Training corresponding to each security level
Data Security
• Software applications to protect data
• Development around Confidentiality, Integrity and Availability is focused
Information Protection Processes and Procedures
• Backups
• Data destroy policy
• Data transfer policy
Maintenance
• Maintenance of hardware and software assets
• Logging
Protective Technology
• Periodic auditing
• Communications & Control Systems protected
Anomalies and Events
•Baseline of N/W operations
•Detected events analyzed
• Event data are aggregated and correlated from multiple sources
• Impact of events is determined
Security Continuous Monitoring
•Network continuously monitored to detect attacks
•Monitoring for unauthorized personnel, connections, devices, and software is performed
•Vulnerability scans
Detection Processes
•Roles and responsibilities for detection
•Detection processes are tested
• Event detection information is communicated to appropriate parties
Response Planning
• Response plan is executed during or after an event
Communications
• Events are reported, personnel know their roles, coordination with stakeholders
Analysis
• Incident anomalies are investigated, forensics are performed, incidents categorized for responses
Mitigation
• Incidents are mitigated, incidents are documented for future
Improvements
• Response plans incorporate lessons learned, response strategies are updated
Recovery Planning
• Recovery plan is executed during or after an event
Improvements
• Recovery plans incorporate lessons learned
• Recovery strategies are updated
Communications
• Reputation after an event is repaired
• Public relations are managed
• Recovery activities are communicated to internal stakeholders
* Baseline measurement
* Target Measurement
* Identify and Prioritize opportunities for improvement
* Assess progress towards the target state
* Communicate to stakeholders
Risk Assessment Matrix (RAM)
Adopt Cybersecurity measures to achieve business objectives
Tighten the security of any O&G organization using NIST Security framework
Not a technical framework, can be embedded into the current architecture of any organization
Protect your Facility from the New Wave of Security Threats