Thank you for listening to the Oil Sand Tech podcast. Subscribe on iTunes or Stitcher radio.

How protected are you against cyber attacks? Did you know your control system may be venerable to an external attack?

This episode provides an insightful introduction to cyber security threats in the oil and gas business. Tune in to hear how you can protect your company from external threats and take preventative action prior to down time caused by both viruses and targeted espionage.

Thank you for tuning in and enjoy!

Aaron: Welcome to episode 4. On today’s episode I sat down with Siv Houmb of SecureNOK and we had a detailed chat about security concerns within the oil and gas industry. It’s really interesting to me that there is a risk of PLCs and operating controllers actually being taken control of from an external perspective within a secure facility. We’ll start off with the quote of the week and give you a taste of what is to come.

Siv: What Stuxnet did it went on the controller, so what you would see on your screen is that everything is alright. Although what the controller is sending down to the centrifuge is completely different. So what the centrifuge would spin totally out of control in terms of what you would see on the screen. So this was a visualization for people was that it was possible to attack a controller in a secure facility without and you can manipulate it without anybody noticing until it’s too late.

Aaron: Welcome to the Oil Sand Tech Podcast. Today on the show we have Siv Houmb founder of SecureNOK a company focused on cyber security threats in the oil and gas industry. Siv is also an associate professor with the Norwegian centre for critical infrastructure and is an expert on security in the oil and gas industry, with a specific focus on offshore drilling. Siv welcome to the show.

Siv: Thank you for inviting me.

Aaron: Siv can you tell us about SecureNok; how did you come up with the idea to start the the company and what are you up to?

Siv: The idea for the company was actually born almost 15 years ago. It was after a massive attack called the “I love you” virus or the “Melissa” virus that caused the company I was working for at that time a lot of pain and money. So I basically stated looking into how would you penetrate systems and what ways would you take down systems. Back then I was in the telecommunications company I was working on 3G, fix network and protocols. Then I started looking into control systems as oil and gas is one of the most important industries in Norway. Oil and gas in Norway means offshore and deep water infrastructure. I also started getting interested in how and who might be capable of attacking a offshore asset. Then Stuxnet happened in 2010 and the market opened and I founded a company. Focusing on oil and gas and specifically how you would be able to detect attacks similar to Stuxnet which at the time was a paradigm shift into an advanced position trend. For a targeted attack that would attack a specific target, something that would relevant to offshore assets in Norway.

Aaron: What is Stuxnet and what was the effect of that attack on the oil and gas industry?

Siv: So Stuxnet actually didn’t attack the oil and gas industry. It was a targeted and very sophisticated attack on the Iranian nukular program. It was targeted at the the Natanz plant. It attacked Siemens PLCs that is the core of it. From an oil and gas perspective the core was it was a Siemens PLC or controller that is used in a lot of very advanced systems used in offshore drilling systems specifically for Norway. Stuxnet also migrated into the oil and gas industry without doing much harm because it was targeted to stop the Iranan nuclear program. So that’s the scare and what happened with Stuxnet is in a set of control systems you have a person like a driller, an HMI (a computer), a controller (another small computer) and the tool like a top drive or a mud system, anything related to the drilling process. What Stuxnet did it went on the controller, so what you would see on your screen is that everything is alright. Although what the controller is sending down to the centrifuge is completely different. So what the centrifuge would spin totally out of control in terms of what you would see on the screen. So this was a visualization for people was that it was possible to attack a controller in a secure facility without anybody noticing until it’s too late.

Aaron: So with this targeted attack it’s possible for a major pump to say OK on the control panel and be spinning out of control in the field?

Siv: Yes or your sitting there in an oil and gas context specially in the deep water. Your sitting in the a drilling cabinet and your giving input into the joystick and what you observe is the top drive smashes down onto the drilling floor. You did not authorize that movement. At that point you have no way of knowing if there is a bug or your under attack, because the consequence is more or less the same thing. There have been incidents like that where it’s taken a long time to find the malware, because you start looking in the wrong place. You start looking for an infinite leap, an error in the control loop or the commands, if there is any software bugs for example on the HMI or the interpretation between the components. That takes a long time rather than if you knew it was malware and you knew where it was and the reason for it you would be able to fix it. The scare part it just looks like anything else, like a software bug.

Aaron: So it’s time intensive to find the root cause of a problem you’ve never seen before?

Siv: If the attack is exploiting an aeroday venerability, some weakness or venerability in a system that nobody knows about. It’s going to take time to find that venerability, never the less the attack. The attackers are being more and more sophisticated so they stay hidden. You don’t see a process running or any activity, they are hidden in a memory and as soon as you turn your computer off you don’t have any evidence anything ever happened. In some of the cases you never figure out where the attack came from.

Aaron: Can you tell us about about the product offering that SecureNOK offers as a solution to these problems?

Siv: Part of the challenge on a drilling rig and specifically on drilling control systems is that these systems are meant to live for 15-20 years. Some of the systems out there are more than 25 years old, which means you have a lot of old equipment. IT and security protection products won’t work on older equipment. You don’t have anti-virus on older equipment like that. The upgrades on the windows platforms (in the oil and gas industry) they are still running windows XP. So you have a lot of old operating computers and a lot of old computers with very limited processing capabilities of these pieces of equipment. What we have done is developed a system of non-intrusive software agents that are integrated into each node. These are the monitoring part of the product, it doesn’t effect the controller very much, it doesn’t do any of the intelligence on the actual host. What it does is it senses the capacity of the network and when it’s network activity is within an operating range it will send a signal to a detector. Which is an industrial PC that does most of the processing or the analysis of the data. The analysis of the data is based on disruptive technology and also based on the way that people or security professionals like myself think. Part of my old job was as a “White Hat” where I get paid to hack systems and I’m trained to figure out step by step how I would break into a system. What’s the easiest path and what kind of damage can I do. We turned that around and we don’t look for code patterns but behavioural patterns. That analysis that is done locally is then transferred back onshore where we can gather information from multiple assets. If the company has drilling assets around the world, we can deduce if something similar is happening on other assets around the world or if this issue is a local problem. Which means if it’s local it may be politically motivated. The basic principle here is to be sure not to add any additional stress to the drilling system. Keep things segregated so that the monitoring is as simple as possible. We do a step by step analysis and do most of the intelligence analysis onshore if possible.

Aaron: What kind of threats does the oil and gas industry face right now from cyber security?

Siv: A recent report from a cyber security group shows that more than 50 percent of what we see are espionage. In the news we hear most of it is just Chinese, but it’s not just Chinese. A lot of is initiated somehow from China via a different other countries and channels. In addition you see a lot of virus that are not targeted. These are basically in most cases to be honest people who are bored and visiting sites they shouldn’t and making the system infected by non-targeted malware that makes the system unstable. The other thing we are seeing is spear fishing. We had a big spear fishing attack on the Norwegian oil industry earlier this year. The speculation now is what the attackers wanted to do with the information. Usually in this situation is that this is the first stage of a larger attack. You gather information first to know what the paths into a system would be, what is the weakest point and how would you target a specific rig for instance in the north sea. In most cases you wouldn’t go through the operator you would go through one of the vendors that has less sophisticated protection. So you’re mainly seeing espionage and non-targeted viruses. Your starting to also see more malicious spear fishing and indications of small denial of service attacks. Which means you take down part of the network. That is more or less what you are seeing today.

Aaron: I’m not familiar with spare fishing. So spare fishing is trying to find the weakest link within a security system? How would you define spare fishing?

Siv: So fishing is sending the bait out into a network to collect information. Or you send emails for instance looking like a legitimate site with a link that you click on and it’s trying to take you to a specific place to gather information. It’s looking for specific information. So you could actually get information in terms of network infrastructure, IP addresses, ports that are open and peoples passwords. Combine that with information you can find online such as job responsibilities, where they worked before. What I would do in this case I would add a social engineering attack. People are the easiest targets they are the easiest to target. If i know that someone is working for a vendor that has a so-so policy in terms of the computers they bring out on the rig. I would know that by sending different types of requests in using emails. Find a weak person, pardon me for saying so and giving them a USB stick with a game or video on for free. I would give it to them in a store that I would figure out that they go to by looking at their facebook account or a running social group that they are part of. So find a social place where you can earn trust and get the information this way. That is a lot easier than hacking your way out.

Aaron: From that perspective there so the attacks or threats in the oil and gas industry are very sophisticated by the sounds of it? If your going to go to that level of detail, it’s going to take quite a bit of planning and some time.

Siv: You know in most cases the reason we haven’t seen anything like that right now that nobody has the motivation to do it. The reason we saw Stuxnet is depending on what kind of rumour you believe it’s probably either a collaboration between the US and Israel or a US initiated attack. That is a nation sponsored attack which is completely different from an innocent virus. While some of the attack is sophisticated it is less sophisticated that a nation sponsored attack. A lot of the Chinese based espionage, they don’t have the same experience in hiding their tracks as a lot of western people have because we are trained different in an open western society with different privacy laws. We are seeing more sophistication but we’re not at the level of a targeted attack that the industry is afraid of. I don’t think we’re going to see it in the next 5 years to be honest. What we will see is somebody less likely hackavisit which a lot of people are afraid of, but groups that are becoming stronger that could launch a denial of service attack. Today that is very easy, you don’t need any sophistication for that. To gather information that’s a whole different ballgame.

Aaron: I hope we don’t see any major attacks in the near or distance future. What kind of tactics would you recommend a company use to protect themselves from one of these threats?

Siv: Basically you need to have a procedure, a structure and a culture in place. That’s the easiest and the best protection. It might sound naive and as not sophisticated advice, people are still the biggest asset here. By having good control over any of the equipment brought out onto the rig. All of the private laptops or company laptops of the suppliers have the latest anti-virus, have been scanned. All of the usbs devices that are used to be scanned and have some sort of a monitoring system on the older assets. Which basically you don’t have the ability on the older assets to install the anti-virus. Then you basically don’t know anything unless you have some sort of monitoring. For newer control systems you are seeing vendors that are putting up white systems that defines what can happen on a network. Even if it’s only for forensics even if you don’t do anything active. For newer control systems you’re seeing vendors putting up white systems that defines all of the connections that are allowd on that. Follow industry standard of strict segregation of duties which are strict segregation of duties. Which means you separate any of the IT part from the controls part. You do not mix the SCADA system with the controls part, so you make sure you have a segregated system. That in addition to security awareness, the people who are working on the rig should understand your not suppose to use USBs on the controller or the HMI. The risk of not following those rules should also be know what it can lead to. Image your computer brought a virus on board, the virus brought a virus on board and the virus brought down the rig. Nobody figured out what was happening and it took down the rig for 11 days. That has actually happened on a rig in the south sea. That’s 11 days lost of drilling. In this case it was a small drill ship. However in the case where it’s a large rig ship, that could be 2 million dollars per day which results in a huge loss.

Aaron: We have a similar situation in the oilsands associated with downtime and the cost of that downtime. I know you briefly talked about the separation between IT and the operating system. Are there viruses out there that can take control of an operating system?

Siv: Traditionally we have a lot of viruses that go onto the windows platform. The last couple years we have seen more on the Linux platform and also on the mac platform. You don’t see any mac platforms out on the rig and you haven’t seen a virus as such for a Siemen’s PLC, it is more an actual attack that is targeted and specific for that operating system. Therefore you can’t really call it a virus. All in all your still taking about windows and linux. The scary part in the oil and gas industry is that the simpler control systems running on an older systems based on some type of linux platform running on an SBC. Which means you wouldn’t have anti-virus for it and it would be fairly easy to write a virus for it.

Aaron: Interesting, Thank you so much for joining me on the podcast today. Before we finish is there a way our listeners can reach out and contact you?

Yes sure, they can read more about us on our website www.securenok.com or by email at secure@securenok.com. We would be happy to follow-up with anyone who has more questions. You can also reach me at my university if your interested in what Norway is doing on critical infrastructure.

Aaron: Thank you for what has been an insightful discussion and our listeners will enjoy looking at this problem from a different perspective. I’ve worked in the oilsands with Siemens PLCs and I never imagined that they could be taken control remotely and just run away. It’s really helpful to identify these threats and thank you for joining me on the podcast.

Siv: Thank you for having me.

The post OST – E4: Siv Houmb Founder and CTO of SecureNOK appeared first on Oil Sand Tech Podcast.