Refinery operators running ICS (Industrial Controls Systems) have many concerns, such as keeping the plant running smoothly. In this universe, information technology isn’t necessarily a high priority. However, information assets play an increasingly important role in the refining process, which means that understanding cyber security threats is vital, perhaps even a competitive advantage. Failing to understand that could be a potential disaster.
Technology security professionals protecting information assets should keep one acronym in mind: CIA. No, that’s not the intelligence agency—it refers to: Confidentiality, Integrity, and Availability. If this triad is adequately maintained, information assets have a good security posture. If any single aspect is compromised, a resulting breach can be very costly for the business, and dangerous to employees.
Before getting into potential threats, let’s understand why refineries are more vulnerable now than before. Most importantly, OT (Operational Technology) networks that support production facilities are no longer segregated from their IT counterparts—and that changes everything.
Advancements in information technology and the drive toward data-based decision-making have led to the bridging of these two environments, and production data is now widely shared and analyzed. The ‘air-gap’ that once separated OT from IT no longer exists, and attacks that previously required physical access can now come from anywhere on the planet.
Further exasperating the problem is the fact that COTS (Commercial off-the-Shelf) products are much more common now than before. These devices require maintenance and software updates more frequently than purpose-built and proprietary equipment. For example, components of OT networks may include Windows-based computing devices. Microsoft releases updates every month, including ’patches’ for security vulnerabilities. However, these systems must stay up when the refinery is running – even a short outage is unacceptable. As a result, many devices have out-of-date and vulnerable software.
Over time, the problem gets worse. Once installed, OT components can remain in production for decades – far longer than the lifespan of computing resources in business networks. This leads to operating systems or other software remaining in use without manufacturer support. The more critical these devices are, the more problems they can cause.
Cyber criminals will attack whichever systems are available, without regard for function. Attacks can be launched from remote locations and include DoS (Denial-of-Service), the introduction of malicious software (malware) such as viruses or worms, or ransomware. That last one is particularly problematic because it holds computing resources hostage; paying the price is often cheaper than restoring the affected systems. That makes for a very profitable criminal business. Any of these attacks can disrupt the confidentiality, integrity or availability of information assets. At best, it’s a nuisance; at worst, it can crash the entire facility.
So why don’t refineries simply patch their ICS computers more frequently? Downtime in a refinery is very costly, and maintenance windows don’t open as often as in business networks. According to the U.S. EIA (Energy Information Administration), refinery capacity utilization averaged 90.5 percent over the first 48 weeks of 2019.1 There’s very little time to make software updates.
Now for the bright side: Operators can and should be proactive in determining potential weaknesses.
First, every organization needs an asset management program. This should include a list of every device on the network, its OS (Operating System), and what function it provides.
According to the OTSCA (OT Cyber Security Alliance),2 asset management includes an inventory of “…resources (hardware, software, documents, services, people, facilities, etc.) that are of value to an organization and need to be protected from potential risks.”3 To be thorough, the OTCSA recommends gathering the following for all components in the refinery: 4
- System information – Asset name, vendor, type (PLC, RTU, HMI, SCADA server, remote I/O), model, serial number, OS or firmware, domain or workgroup.
- Network information – IP addresses, Mac address, domain, protocols used, open ports, gateway.
- Asset state information – Running, stop, program, test, decommissioned.
- Contextual information – Geographic, plant, and process location, CPE (Common Platform Enumeration), and other contextual aspects relevant for mapping vulnerabilities.
Gathering this information can be difficult in an OT environment. Many tools used in IT actively scan assets or require additional software to be installed; devices used in a refinery control system may not support such software, while the overhead of active scanning can disrupt service. The IT world is more mature in these practices, but they don’t have the same challenges as ICS operators.
There are other ways to create an asset inventory. For example, some available products passively monitor network traffic and dynamically build a database of devices on the ICS network. This technique is useful because it can quickly detect new or previously unknown devices. It’s crucial not only to ensure that runtime is not uninterrupted but also to detect unauthorized or malicious activity. Monitoring, whether active or passive, is also a key component of the organization’s IR (Incident Response) program. In sum, you can’t defend what you can’t see, and a holistic asset management program is the perfect remedy.
Asset management is also a key capability for broader OT and IT teams, and necessary for the next recommendation: architecture review. This involves understanding which devices communicate with one another, where security boundaries exist, and how they support the logical flow of information required to operate the plant and manage the business. Specific goals include ensuring that only those devices that need to communicate with one another can do that, and the rest have appropriate security boundaries. This can be a time-consuming and complex undertaking, and might require bringing in a third-party firm with the right expertise.
While the output of the asset management process is a database of computing resources, architecture review typically serves up topology maps. This diagram shows the logical and physical relationships of devices to one another, how they are interconnected, and what security boundaries exist between them. The inventory leads to the architecture, and that in turn leads to a threat model.
Threat modeling considers the network architecture and its potential weaknesses. Once understood, mitigating controls can be implemented to reduce the likelihood of a cyber-attack. There are many ways to approach this task.
You can use the topology maps to identify each subsystem necessary for running your plant. Now, consider what would happen if any component within each subsystem became unavailable or was otherwise compromised. Remember, it’s not only the availability of your assets that can be disruptive – it’s also the integrity of the information they manage. What would happen if the data was no longer trustworthy? And it’s the confidentiality: What would happen if ICS data fell into the wrong hands? If losing any of these characteristics in any subsystem leads to production disruption that causes revenue loss or safety issues, then they should be considered worthy of greater protection. The operator can now prioritize those subsystems relative to the others, and determine where technical controls and security boundaries are needed.
The next step in the threat modeling exercise is to consider which factors can disrupt the plant’s control systems, and from where these disruptions might come. Again, remember that most ICS or Process Control Networks (PCN) are no longer ‘air-gapped’ from their IT counterparts. Therefore, the cyber security perimeter is not at the outer edge of the OT network, but at the edge of the broader enterprise. If OT and IT are interconnected, can malicious software or unauthorized users pivot from the business network to the plant?
This is a high-level, if simplified, description of threat modeling, but it should help frame the process in the reader’s mind and provide a starting point for discussion.
Protecting information assets is an iterative process that requires ongoing efforts. If an operator invests the time required to develop an asset management program and study its systems architecture and threat model, then it is better prepared to prevent, detect and respond to information security-related incidents. Look at it this way: The cost of routine maintenance on physical assets within a refinery is far lower than the cost of replacing them. Investing in your information security program is also cheaper than recovering from a hacker’s attack.
1 https://www.eia.gov/dnav/pet/hist/LeafHandler.ashx?n=PET&s=WPULEUS3&f=W, accessed December 9, 2019
2 The author’s employer, NCC Group, is a founding member of the OTCSA. https://otcsalliance.org/members/
3 OTCSA, “Vulnerability Management for Operational Technology,” (October 2019), page 4, https://otcsalliance.org/vulnerability-management/
4 ibid., pages 5-6
Damon J. Small, MSc.IA, CISSP, is Technical Director at NCC Group North America, a security consultancy with 35 global offices, 2,000 employees and 15,000 clients, where he consults with global leaders in critical infrastructure defense with specialty in oil and gas, aerospace and healthcare. You can reach him at nccgroup@cdc.agency.
Oil and gas operations are commonly found in remote locations far from company headquarters. Now, it's possible to monitor pump operations, collate and analyze seismic data, and track employees around the world from almost anywhere. Whether employees are in the office or in the field, the internet and related applications enable a greater multidirectional flow of information – and control – than ever before.