Malware is targeting the petrochemical and oil & gas industries. What’s being done to combat the risk?
The headlines are worrisome and increasingly frequent. Time and again, the business community is successfully targeted by enterprising cyber profiteers who hack into corporate IT systems to steal and hold hostage sensitive proprietary information, usually for profit. And the list of targets is getting longer—Target, FedEx, Merck, to name a few—all falling victim due to inadequate or out-of-date safeguards.
Louisiana’s industrial corridor should be particularly concerned. Cyber experts recently issued a dire warning to petrochemical and oil and gas companies that their IT and OT (operational technology) systems are vulnerable to an attack, now more than ever. The inexorable digitization of the industrial community has left it susceptible to a variety of threats.
It’s not a question of whether an attack will come, but when. Since May, hackers have targeted nuclear power plants, energy facilities and manufacturing operations in the U.S., according to a joint report from the FBI and Homeland Security. The hackers also reportedly infiltrated a company that makes control systems for equipment used in the energy industry.
“In 2017, the likelihood of a breach [in the oil and gas and industrial marketplace] is unfortunately approaching 100%,” says Eitan Goldstein, senior manager of global cyber strategy and product development at Siemens in Washington, D.C. “There’s an increasing sophistication of bad actors. They’re better financed and have better tools at their disposal. Secondly, you’re seeing that with greater connectivity comes greater risk. The more you connect, the wider your ‘digital attack surface’ is, and that opens up new risks to our customers.”
And yet, the industrial market remains grossly unprepared. A survey of U.S. oil and gas cybersecurity risk managers indicates that the deployment of cybersecurity measures in the industry isn’t keeping pace with the growth of digitization in oil and gas operations. In a study from the Ponemon Institute called “The State of Cybersecurity in the Oil & Gas Industry: United States,” only 35% of respondents rated their organization’s OT cyber readiness as high. The Ponemon Institute conducts independent research on privacy, data protection and information security policy.
In its polling of 377 individuals responsible for securing or overseeing cyber risk in the OT environment—including upstream, midstream and downstream applications—the institute found that most respondents described their organization as being in the early to middle stage of maturity with respect to its cyber readiness.
“Petrochemical and oil and gas people need to be cognizant of the fact that the malware now being written can target OT systems in the energy sector,” says Jeff Moulton, director of the LSU Transformational Technology and Cyber Research Center in Baton Rouge. “These malware attacks are specifically targeting industrial control systems, and that could be catastrophic. That could cause regional catastrophes.”
OVERCOMING THE ROI MINDSET
Terrorism is not the biggest danger—it’s profiteering. Ransomware is the most prevalent form of hacking in the market, whereby hackers hold vital information or operational systems hostage for a specified “ransom.” Regrettably, companies are paying up.
“Coding-wise, ransomware is complex, but it’s basically an attachment that has been sent to you on what we call a phishing campaign,” Moulton says. “They send an email to you that entices you to open an attachment, and then when you open that attachment it puts an encryption software on your machine, searches different files and encrypts your system. It basically puts it under lock and key.
“For a business, that means you can’t get your accounts payable, accounts receivable, etc. … it’s catastrophic. So people tend to pay up because there’s not much the government or anyone can do about it. These are criminally motivated actors, and because there’s blood in the water, there’s money out there, it’s not going away.”
Industry’s ROI mindset is the main reason adequate funding is not funneled into cybersecurity initiatives, but Moulton sees that starting to change. “We hear all the time, ‘Corporate won’t let us do this, corporate won’t let us do that,’ because it comes down to a return on investment. Now, it’s getting noticed by the boards of directors. The return on investment pressure is still there, but [cyber risk is] beginning to get its due attention now.”
After getting past the financial hurdle, many companies turn to experts such as Siemens for help. One of Siemens’ services is assisting large energy companies to prepare their IT staffs for cyber threats that specifically target OT functions. The solutions are highly tailored, since every organization has a vastly different structure.
“They don’t have the in-house expertise to deal with these challenges, particularly on the OT security side where the risk is a little bit newer,” Goldstein says. “Everyone is in a different place trying to figure out how to do this OT security thing right. The basic idea is there are some foundational things you must do. Then there’s a series of technologies, services and processes that you layer on top of it.”
For starters, Siemens performs initial risk assessments and deploys next-generation technology—such as machine learning—to detect threats on a network. “It’s the concept of applied machine learning, or artificial intelligence. It helps you do things without someone necessarily needing to monitor a screen full time. We’re trying to help our customers automate their responses, because the faster you can detect a threat, the lower the impact is from a potential breach.”
One problem is that many organizations’ systems are far too slow to detect threats. In fact, the average intrusion remains undetected on an organization’s network for up to six months—a period known as the “dwell time.” Meanwhile, an intruder who has reached the IT or OT network can move through it, learn about the organization and steal data. Fortunately, recent headlines have raised the awareness level among many corporate CEOs and boards. “In 2017, our customers are very much aware of the risk to industrial control systems,” Goldstein adds. “It’s our view that to get all the benefits of digitalization, you need to get security right.”
LOOKING FOR WEAK LINKS
The industrial community is vulnerable because of the interconnectedness of its various suppliers and contractors. Enterprising hackers are targeting these less “cyber savvy” smaller companies to infiltrate the larger corporate entity.
“When you talk about oil, gas and industry, there are two sides to the coin, IT and OT,” says Henry “Paco” Capello, director of information systems for LSU’s Stephenson Disaster Management Institute. An industrial facility is at risk when there are touchpoints between the two, he notes.
“There’s supposed to be segregation—what we call ‘air gapped,’ which means there’s no connection between IT and OT. Everybody thinks they’re air gapped, but when we dive down into it, there are touchpoints between IT and OT. If there are touchpoints, there are routes where someone can get to the OT.”
LSU’s Joint Cyber Training Lab, under the umbrella of the Cyber Research Institute, operates a simulated industrial control system that replicates operational processes in oil and gas, water treatment and energy environments, then simulates OT attacks against it. These exercises are used to train the IT staff and other managers of both private companies and public entities on potential threats and responses. “We can change their mixtures, we can turn off valves, we can turn on valves,” Capello says.
The JCTL can generate scaled internet traffic, mimicking client-server network communications, emulating production networks and simulating 36,000-plus known malicious exploits for penetration testing and cyber-incident response training.
In fact, the lab has been instrumental in training the Louisiana Army National Guard’s fledgling Cyber Network Defense Team, a newly formed unit responsible for defensive cyber operations in support of civil authorities—and ultimately, it hopes, for private industry. At just one year of age, the team is “operating at a crawl” but making important progress, says LANG Adjutant General Glenn Curtis at Jackson Barracks in New Orleans.
For one to two weekends a month, 30 to 50 guardsmen undergo cyber training to hone their skills in detecting attackers’ tactics, techniques and protocols. “[JCTL] helps us train and earn certifications,” Curtis says. “We have now fully staffed our first 39-person cyber protection team.”
The guard has had little trouble finding applicants for such a unique mission, since it provides free training for one of the fastest growing job markets in the U.S.—a big draw for millennials.
“They get trained through the military, then they provide us with a service. And for them, once they go through that training they are very employable in the private sector or in government outside of the military.”
So what does a CND-T response to a cyber threat look like? In real terms, it’s defensive in nature. “It’s to protect,” Curtis says. “It’s to figure out who the bad guys are, figure out how they’re trying to get into a system, and keep them out. Everything that I’ve seen is postured around that.”
The CND-T also plans to work with private industry and public entities to share information, raise awareness and provide protection, by relying upon information accessible only to the military.
The Department of Defense is particularly vested in protecting private industry since Federal Acquisition Regulations require that small businesses get 25% of DOD procurements. Therefore, it must secure the supply chain at every level.
“We’re not here to take over,” Curtis says. “We’re here to help you. Our interests are to keep the utilities on and to keep commerce moving. To keep the river flowing so to speak. We’re not interested in what their business is and how they make money, and their business models. We want to keep what I call ‘normalcy’ in place. As such, we can help them protect their assets by pointing out a threat, its cause and the manner in which it infiltrated the system.”
HELP FROM THE STATE
As a state, Louisiana is ahead of the game in producing a comprehensive Information Security Policy. Its forward-leaning, collaborative approach to cybersecurity led to its being selected in 2016 as one of five states to participate in a policy academy by the National Governors Association, with the goal of creating a uniform cybersecurity plan.
In the last year, Dustin Glover, chief information officer for the State of Louisiana, has also worked with the Governor’s Office of Homeland Security & Emergency Preparedness to create a separately identifiable Emergency Support Function for cybersecurity, as part of the state’s Emergency Operations Plan.
“The plan has been to get everyone together and make sure that we are doing collectively what is needed to best suit the state’s needs holistically, and develop a plan for either escalations or information sharing to ensure that things are managed and responded to consistently,” Glover says.
He credits the state’s progressive cybersecurity approach to the existence of GOHSEP, LANG’s CND-T, and another state operation known as the Louisiana State Analytical and Fusion Exchange, or LA-SAFE. LA-SAFE operates as a “fusion center,” which is defined as a “collaborative effort of two or more agencies that provide resources, expertise, and information to the center with the goal of maximizing their ability to detect, prevent, investigate, and respond to criminal and terrorist activity.”
“Taking the recipe that they’ve developed for success over the years, whether that be responding to hurricanes, to hazmat or whatever, they just look at cyber as another box and [expect] that they have a way to make this work,” Glover says. He was appointed state CIO after the creation of the Office of Technology Services in 2014. In addition to streamlining IT efforts—including cybersecurity initiatives—the move saved the state some $70 million and instantly created an 850-person IT shop.
LSU’s Transformational Technology and Cyber Research Center and JCTL are vital contributors to the state’s cyber readiness plan. Since their creation, they’ve attracted nearly $5 million in strategic research projects to enhance security for the military, electric grid, homeland security and other applications, with state leaders anticipating a significant increase in future research investments from both federal and private sources.
Additionally, the JCTL incorporates state and federal cyber response frameworks and programs with a focus on critical infrastructure industries and private sector training. “The power of that lab is not trivial,” says the TTCRC’s Moulton. “We can emulate any environment, any configuration of a network that you can imagine. So, when you’re training your IT staff or you want to do something from a configuration perspective, you can bring them into the lab and do it without taking down your operational network.”
The lab can also replicate daily cyber traffic with actual known threats (such as Stuxnet, which recently took down an Iranian centrifuge) to teach participants to recognize certain cyber signatures.
“If I’m at ExxonMobil, for example, that’s a pretty big deal,” Moulton says. “We can work collectively or we can work individually. We have five different tables there and each table is a separate network, or it can be one network. It’s very configurable.”
THINK GLOBALLY, ACT LOCALLY
Moulton is pushing for more locally managed cyber planning and response, and hopes that one day there will be regionalized cyber warnings to specific zip codes or area codes. “Cybersecurity is an individual thing,” he adds. “It affects individuals personally and in their business relationships. While we’re trying to solve this on a global or national scale, in reality we should be there to support the local people. One day, we’re going to be able to provide attack sensing and warning for small businesses here, and say, ‘Hey, your network or your point of sale system has just been hacked or is about to be hacked.’ Small businesses don’t have an IT staff, they call the Geek Squad. This is too complex. So, that’s what we’re doing for Louisiana.”
LANG’s Curtis hopes the newly formed CND-T will one day play a more collaborative role in detecting and preventing attacks for private industry. While significant progress has been made, the overall response apparatus lags far behind the threat. “In the military, we describe things as a crawl, walk and run. We’re still very much in the crawl phase,” Curtis says. “Our protection team is stood up, but it’s less than a year old. All of us, collectively, are far behind the threat. Our adversaries are way out in front of us.”
He says critical changes and improvements have been made that should enable public entities and private business to eventually get in front of the problem. “Through GOHSEP, the Fusion center and everybody sharing their stories about what’s going on and what they see, that will help. Information sharing is the only way we’re going to catch up.”
LANG’s Deputy Chief Information Officer Stephen Dorrell sees CND-T progressing to a point where it proactively monitors networks to see attacks as they’re coming in. “There are some other states that are starting to do this, which we hope to try to model one day here in Louisiana,” Dorrell says. “They have their own Fusion centers, if you will, where the military guys look very deep into threats from across the world. They then sanitize the information so it can be communicated to municipalities or the private sector.”
In Kansas, utility companies have partnered with the military for help in detecting and preventing attacks. “We’re crawling toward that,” Dorrell says. “You’ve got to build a trust; you’ve got to build the interest. You’ve got to get partners willing to help you do that.”
While substantial progress is being made, LANG’s Curtis admits that the war against cyber threats will likely never end. “The military structure knows it needs more of these teams. It needs more capability.”
WHAT YOU SHOULD DO
Jonathan Shi, director of LSU’s Industrial Assessment Center, attended a June meeting of IAC leaders in New Orleans, in part to discuss a new addition to his team’s assessment toolbox: cybersecurity. The LSU IAC is one of 28 in the U.S., providing free industrial assessments on cybersecurity, energy efficiency, productivity, sustainability and competitiveness to small and medium-sized manufacturers across Louisiana.
At the meeting, Patricia Toth, cybersecurity program manager at the National Institute of Standards and Technology, provided some basic guidelines for companies to follow to prevent cybersecurity attacks. Below is an outline of her advice.
Train your employees: “That’s your first line of defense. If your employee is suspicious of that email that comes in that doesn’t look right and turns out to be a phishing attack, they could have saved your company. We really need to train our employees and have them understand the risks and vulnerabilities.”
Implement good policies and procedures: “That way, employees know what they can and cannot do on their systems. Social media is a big issue for a lot of small businesses because their employees are on social media all day long. They click on something and what happens? Malware is introduced into your system.”
Identify your assets: “Create an inventory of everything you have within the company, all of your IT assets, hardware, software, servers, laptops, cell phones, etc.”
Establish a detection system: “You should have anti-virus software, anti-malware, anti-spyware installed, installed properly and kept up to date.”
Protect your information: “Now that you’ve identified where it is and what it is, you should protect it. Only certain folks within the company should look at certain types of information. That should be based upon their role within the company. That also means having good surge protectors and an uninterruptible power system, so when the power goes down you don’t lose all your data. Also, perform automatic backups.”
Secure wireless access points: “This is a big vulnerability for a lot of businesses. They really don’t understand how easy it is for someone to get into their internal information through their WiFi. We’re suggesting that they encrypt information and don’t broadcast things in the clear.”
Set up email and web filters: “You can block certain types of websites you don’t want your employees to access during the day. We encourage folks to set up these types of things, use these tools that are available. They can go a long way to helping build their cybersecurity program.”
Keep good logs: “That way, you know who’s logging into the system, what time they came in, and what they accessed. When you have an incident occur you can go back and do the forensics and figure out what happened, who had access, and try to recover from there.”
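The log review Toth describes (who logged in, when, from where, and what they accessed) carried out on a small constructed log, as an added example that is not code from the article, from NIST or from the IAC; the log format, the assumed business hours and the sample entries are all constructed for the illustration:

```python
from collections import defaultdict
from datetime import datetime, time
import re

# Constructed sample log (not from the article); one event per line.
SAMPLE_LOG = """\
2017-06-12T08:02:11 LOGIN user=jdoe src=10.0.5.23 result=success
2017-06-12T08:05:40 ACCESS user=jdoe path=/finance/accounts_payable.xlsx
2017-06-12T22:47:03 LOGIN user=jdoe src=203.0.113.7 result=failure
2017-06-12T22:47:19 LOGIN user=jdoe src=203.0.113.7 result=success
2017-06-12T22:48:02 ACCESS user=jdoe path=/finance/accounts_receivable.xlsx
2017-06-12T22:49:30 ACCESS user=jdoe path=/hr/payroll.csv
2017-06-13T09:10:00 LOGIN user=asmith src=10.0.5.41 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>LOGIN|ACCESS) (?P<fields>.*)$")
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed normal working hours

def parse_log(text):
    """Turn raw lines into dicts with ts (datetime), kind and key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the review
        ev = {"ts": datetime.fromisoformat(m["ts"]), "kind": m["kind"]}
        ev.update(f.split("=", 1) for f in m["fields"].split())
        events.append(ev)
    return events

def access_timeline(events, user):
    """Everything one account did, in time order: who accessed what, and when."""
    return sorted((e for e in events if e.get("user") == user), key=lambda e: e["ts"])

def suspicious_sessions(events):
    """Flag successful logins outside business hours or from a source address the
    account has never used before, and list every file accessed after that login."""
    seen_src = defaultdict(set)
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] != "LOGIN" or e.get("result") != "success":
            continue
        user, src, t = e["user"], e["src"], e["ts"].time()
        reasons = []
        if not BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]:
            reasons.append("outside business hours")
        if seen_src[user] and src not in seen_src[user]:
            reasons.append("new source address")
        seen_src[user].add(src)
        if reasons:
            later = [x["path"] for x in events
                     if x["kind"] == "ACCESS" and x["user"] == user and x["ts"] > e["ts"]]
            findings.append({"user": user, "src": src, "at": e["ts"].isoformat(),
                             "reasons": reasons, "accessed": later})
    return findings

if __name__ == "__main__":
    for finding in suspicious_sessions(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, the after-hours login from an address the account had never used before is reported together with the two finance and payroll files read afterwards, which is the reconstruction an incident responder needs before recovery can start.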
This article was originally published in the third quarter 2017 edition of 10/12 Industry Report. Read more from this issue at 1012industryreport.com.