23 Apr Cyber Security Starts at the Edge
Cyber attacks are clearly a concern for consumer-oriented businesses, but what is the risk to oil and gas? Should we be concerned? Hell, yes.
Cyber threats on the rise
Hardly a week goes by without some ominous news story about yet another cyber attack. Yahoo, a search engine company (among other things), had some 3 billion names, email addresses and passwords stolen. Equifax had financial records from 150 million of their customers compromised. Even Uber, a modern digital company, has been attacked, with records of some 57 million customers lifted. Computer viruses like WannaCry (a piece of computer code that threatens to erase critical data unless a bitcoin ransom is paid to an untraceable account) have hit lots of companies around the world.
Most of these stories involve the theft of personal data (such as individual email addresses and their passwords). Hackers like to target large companies because it takes the same amount of work to steal one email address as it does 150 million. Hackers like personal data because that data is easy to sell and exploit. For example, in the case of the Equifax hack, enough personal data was lifted from the company’s databases that nefarious types could set up fake bank accounts, arrange false loans and authorise thefts from banks, all in the name of a real person.
Only downstream oil and gas companies, however, meet the media-interesting hacker target of having both scale AND a horde of personal data. In Canada, there is just a handful of petroleum retailers who are big enough to have millions of customers. In most cases that relationship would usually be through a third-party loyalty program (where you insert a card to identify yourself to the pump, which then tracks your purchase). The oil company might not even have your data.
I’m pretty sure the Boards at these big players have specifically challenged the VP of Downstream and the CIO to get across the typical threats posed by a committed hacker:
- break into the customer systems and walk off with all the customer data
- threaten to erase all data unless some ransom is paid (ie, the ransomware attack)
- bombard the system with fake activity and block real customers from gaining real access (ie, the denial of service attack)
- load software onto the company systems to serve the purposes of the hacker (such as to house porn, mine for bitcoin, or attack other computers)
Downstream assets look secure. But is that where the real threat lies?
Cyber and infrastructure
In my view, the vastly greater threat from cyber activity in oil and gas is in the production infrastructure.
Almost every oil and gas well in production today has sensors and actuators connected to a SCADA system (Supervisory Control And Data Acquisition). These sensors collect data from the well in real time – that is, every millisecond or so, sensors collect a little data (like pressure or temperature or speed), and send it to the control system which decides what to do (like open or close a valve), and displays that data on a screen, maybe as a graph or as an indicator, in a control room somewhere. Since the wells are spread out across vast geography, so are the sensors and systems. A new term, edge computing, refers to these kinds of systems.
It matters how edge systems are connected to each other. Oil will flow from a well controlled by one SCADA system, into a gathering system for many wells that may be controlled by another separate SCADA system. The gathering systems may connect to batteries or tank farms or pipeline systems, each of which will have their own supervisory system. It’s not at all unusual that a large oil company may have hundreds of separate SCADA systems looking after thousands of wells, bought and sold over the years.
If a hacker could break into one of these sensors, they could send bad data to the SCADA system and trick it into opening and closing valves, raising temperatures, boosting pressures, cutting power and so forth. A cyber attack could even cascade through the systems if they were systematically compromised. Imagine the risks – potential damage to the environment, possible harm to employees and contractors, impacts on residents nearby, the possibility of damage to assets, and impacts on shareholder value.
Why not simply upgrade to one massive integrated SCADA system for all this equipment and sensors? Well, it costs a lot of money to retrofit a production asset to a new system with little operational benefit, so most operators leave whatever system came with the asset in place. Some wells produce so little oil that it would make no economic sense to upgrade at all. Other critical assets, like tank farms, run 24/7, and are part of a continuous flowing business, so taking them off line to replace systems that keep the critical business assets running is virtually impossible.
Security by obscurity
This production infrastructure at the edge is a very attractive target for hackers and for so many evil reasons:
- These sensors and SCADA systems are old – they may date back 30 years or more, well before the rise of widespread cyber activity, and lack the tools to identify and repel attacks.
- The systems were not designed to be patched like modern systems. There was no reason to include patching as a feature of their design because they were not exposed to the outside world and viruses hadn’t been invented yet.
- The passwords to gain access to these sensors and SCADA systems may be hard coded and can’t be changed. Get the password, which may be available in some online documentation, and voila, you’re in.
The obvious solution is to preserve the obscurity of these systems. Fortunately, many of these old systems still do not connect to the internet (a task for which they were never designed), and oil and gas companies and their suppliers don’t publish which systems control which assets. It would take a lot of work to identify meaningful targets (a job for robotic cyber software?).
But over time obscurity as a strategy is becoming questionable. Modern sensors added to old SCADA systems may be directly connected to the internet and create new vulnerabilities. New SCADA systems often connect to the internet themselves to enable new business models like single control rooms, direct supplier monitoring of key components like turbines and pumps, and access to all that data.
One researcher put a new fake SCADA system onto the internet (as if it was a new oil asset), with some software to monitor how long it took the SCADA system to be discovered by robotic software on the web looking for such things. No surprise – it took merely minutes for a bot to find the system and start to attack it. The same effect has been noted for devices added to the internet, such as toasters and fridges.
With the rise of the industrial internet of things (more sensors on more things, generating more data, and communicating that data to more computers), the attack surface is getting bigger. Researchers estimate that the number of sensors on the internet today is about 8 billion, rising to 20-50 billion in just a few years.
To start to fix this problem we have to first elevate attention to the risk. At a corporate level, the risk matrix (where oil and gas companies set out what they see as the most impactful risks and the probability that they might occur), needs to start to show cyber concerns much higher and to the right – more impact, more likely to happen. Until the matrix is updated, cyber gets limited attention.
Next we need to approach two fields of play – the brownfield assets and the greenfield assets.
For brownfield assets, the most worrying points of access are the edge devices – the sensors out in the field. There are many more of them, and they are already vulnerable. Industry needs to rethink the software on the sensors to encrypt the data that the device generates (which thwarts attempts to intercept the data and corrupt it), and enable the usual suite of capabilities for device management:
- Authentication – is this sensor authentic and not a fake? Is it recognised by the SCADA system? Has it been compromised in any way?
- Authorisation – is this sensor permitted to exchange data or perform the task at hand?
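What these two checks can look like on the SCADA side, as an added illustration that is not from the original post or from any vendor. It assumes each sensor shares a secret key with the control system and sends every reading with an HMAC-SHA256 tag and an increasing counter; the device names, keys and field names are constructed for the example, and it covers authentication and authorisation only, not encryption.

```python
import hashlib
import hmac
import json

# Constructed registry held by the SCADA side: a per-device key and the
# measurement tags each device is authorised to report (all hypothetical).
REGISTRY = {
    "well-17-pt": {"key": b"constructed-demo-key-17", "allowed": {"pressure_kpa"}},
    "well-17-tt": {"key": b"constructed-demo-key-18", "allowed": {"temp_c"}},
}

def sign_reading(device_id, key, counter, tag, value):
    """Sensor side: serialise one reading and compute its HMAC-SHA256."""
    body = json.dumps({"id": device_id, "ctr": counter, "tag": tag, "val": value},
                      sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()

def verify_reading(body, mac, registry, last_counter):
    """SCADA side: return a verdict; last_counter holds per-device replay state."""
    try:
        msg = json.loads(body)
        device_id, counter, tag = msg["id"], msg["ctr"], msg["tag"]
    except (ValueError, KeyError, TypeError):
        return "malformed"
    if not (isinstance(device_id, str) and isinstance(tag, str)
            and isinstance(counter, int)):
        return "malformed"
    entry = registry.get(device_id)
    if entry is None:                       # not recognised by the SCADA system
        return "unknown_device"
    expected = hmac.new(entry["key"], body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return "bad_mac"                    # forged or altered in transit
    if counter <= last_counter.get(device_id, -1):
        return "replay"                     # an old, genuine message sent again
    if tag not in entry["allowed"]:
        return "not_authorised"             # authentic, but not its task
    last_counter[device_id] = counter
    return "accepted"
```

The order of the checks matters: nothing in the message is trusted for replay or authorisation decisions until the MAC has verified.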
Unfortunately, back when many of the legacy sensors were first designed, cost constraints typically limited the amount of computer memory that came with the sensor. There usually isn’t room to add new software, particularly the industry-grade encryption software we use on our smart phones, tablets and desktops. The sensors usually have limited processing power (fit for their task), and not much power to run the processor to do encryption work (an overhead task). At least suppliers use the same chipsets for these systems that are in home computers.
One interesting solution comes from Agile PQ, who have approached the problem with a digital lens. Rather than replacing the sensor outright, a costly answer, their software solution solves many of the issues of memory constraint, power usage and processing limitations, while delivering robust encryption.
For greenfield sensors, industry should change its procurement standards so that sensors come with industry grade encryption capability, support for patching and upgrades, and the usual array of capabilities for authentication and authorisation. Market constraints should not be used as an excuse – suppliers are only too keen to include greater functionality in their solutions – they need to address these vulnerabilities anyway.
If cyber issues are not high on your radar, now is the time to tune that radar. You don’t want to be the next Yahoo/Equifax/Uber.