Posts tagged BP oil spill

Tuesday, June 29, 2010

BP Oil Spill Wakes Up Country to Need for Stronger SCADA Controls

By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services

BP – a company name that’s on the minds of most Americans today and probably not in a good way.  The crisis we face today with the major oil spill is catastrophic and a direct result of time and cost pressures brought about in response to our increasing demand for energy.

BP is in the news today, but if demand growth for oil continues at this rate and supplies continue to dwindle, the oil spill we face today may seem small in comparison to future accidents.

With the industry trying to keep up with demand, network operations have been centralized, requiring distant controls to be managed over a wide variety of networking technologies, with all the attendant gateways such a model implies. 

While this approach can reduce costs and improve efficiency, it can also open the door to attacks by hackers and cyber terrorists. This is a very real threat faced by oil and gas companies today. Researchers have directly warned oil companies across the globe that offshore rigs are highly vulnerable to attacks. In fact, just last year, a contractor in California was charged in federal court with hacking into a digital network in an attempt to disable an offshore rig, allegedly out of anger at not being hired as a full-time employee. The attack – against a SCADA control system – was illustrative of the types of threats which, if successful, could have grave consequences. Legacy thinking and a frequent lack of third-party testing and review combine to create a classic system of unexpected complexity. Such systems are the most likely to suffer compromise, whether malicious or accidental, with catastrophic outcomes.

A multi-layered approach is critical to securing SCADA networks.  Each of the following layers plays a role in securing mission-critical, real-time control systems:

  • Perimeter Controls (Internet or Corporate Perimeter Defense)
  • People, Policies, Procedures (Business Continuity, Disaster Recovery)
  • Network Architecture (Firewalls, Routers, Switches)
  • Network Operating Systems (Domain Security, Active Directory, etc.)
  • Host Security (Operating systems of servers and workstations)
  • Application Security (SCADA, EMS, Database, Web, and more)
  • Unique Security Requirements for what is being protected (Plant equipment, RTUs, PLCs, etc.)

Each layer requires ongoing testing and evaluation to determine the vulnerabilities that exist in these systems.  Oil and gas companies must consider a holistic approach to their security to avoid a potential cyber attack.  This approach includes:

  • Building a road map for security and regulation compliance – what systems are in place and how are they integrated?
  • Assessing vulnerabilities – identify and understand current vulnerabilities in the security of physical, IT and SCADA controls
  • Penetration testing – the only way to know if a hacker can get into your network or facility is to actually test the vulnerabilities found with an assessment
  • Developing an emergency response and disaster recovery plan – as we have seen with BP, there is a need to have a plan for the unexpected. Having such a plan allows an organization to quickly recover and restore critical operational functions after an unexpected event
  • Gathering evidence – when critical assets come under attack, quick action is required to gather digital evidence and then use the evidence to prosecute

While this “to do” list for full SCADA security may seem overwhelming, engaging with a professional services organization that can assist in the execution and delivery of these steps — particularly penetration testing and BCDR plan development — can radically simplify the task list.  Learn more about how BT helps companies secure their critical infrastructure.
