Focus:

Securing Energy and Maritime Assets from Cyber Threats
Oil & Gas, Maritime Transportation
In 2017, the shipping giant Maersk Line became a victim of the NotPetya malware. Like ransomware, this malware propagated through networks, encrypting data and rendering 4,000 servers, 45,000 PCs and 2,500 apps useless. Except NotPetya was not really ransomware. It was not designed to decrypt upon receipt of payment, only to spread damage. The target was Ukrainian organizations, but due to the efficient spreading mechanisms, Maersk’s reported $300M loss became part of vast collateral damage.
NotPetya never made its way into the operational systems, often referred to as Operational Technology (OT) systems, of the many Maersk assets such as ships and drilling rigs. That was, however, the case for other owners of industrial assets. As an example, the automated radiation sensor measuring and alert systems at the Chernobyl nuclear plant had to be switched to older technology as NotPetya continued its journey from machine to machine, demonstrating how nothing is immune to cyberattacks in the digital age.

The energy and maritime industries represent a target-rich environment for cyber-attacks by criminals, terrorists, and hacktivists. While their respective goals may differ, the risks and potential consequences of a successfully executed cyber-attack may be severe, even if the attacker did not intend to cause such major consequences.

 

Many energy workers have experienced how quickly and easily malware and viruses can be accidentally transferred to OT systems, for example through e-mail or unsecure websites, or via infected devices brought in from the outside. Along with increasing levels of digitalization and automation, the potential for damaging consequences increases equally. Even more disturbing is the fact that many cyber-attackers today are extremely well financed and organized, capable of launching highly sophisticated attacks. Hacker tools are available for sale on the black market, providing perpetrators with a comprehensive toolbox to build from.

 

Back in 2013, researchers at the University of Texas, Austin demonstrated how, by building a GPS spoofer, they could manipulate ship navigation. Four years later, around the same time Maersk was fighting the effects of NotPetya, an incident affecting GPS signals caused about 20 ships in the Black Sea to head towards a specific airport, far out of their positions. It has not been determined whether this was a targeted spoofing attack or an unintentional incident. It did, however, demonstrate the effect of geolocation interference that today can be achieved using commercial hardware and software, compared to the years of significant effort the researchers had to spend only a few years ago.

Like ships, assets in the Oil & Gas industry used in exploration, drilling, transportation and production depend on a myriad of inter-connected industrial automation and control systems. Today, this industry is undergoing a massive digitalization process offering new insight, efficiency, optimization and the ability to keep people away from harmful tasks. Taking advantage of digitalization and increased connectivity, however, also means opening up OT systems to cyber threats.

Better security practices and solutions are required

At the same time as personnel in most professions today are increasingly impacted by digitalization, they are also equally impacted by the risk of cyber-attacks. Protecting both the IT and OT systems controlling industrial assets requires a new way of thinking amongst all categories of personnel, not only those responsible for IT security.

International and national standardization and regulatory activities to protect OT systems in the Oil, Gas and Maritime industry are starting to take form. Examples are voluntary guidelines issued by or referred to by regulators. The goal of these guidelines is to ensure a common, adequate level of security in all parts of the supply chain affecting Oil, Gas or Maritime assets. Often they refer to industry-generic, internationally recognized standards.

Below are a few examples relevant for Oil, Gas and Maritime asset owners:
NOG 104 – Norwegian Oil and Gas recommended guidelines on information security baseline requirements for process control, safety and support ICT systems, (Norway).
The NIST Cybersecurity Framework (NIST CSF), originally a U.S. standard aimed at operators of critical infrastructure, now internationally recognized and widely used in various industries.
U.S. Coast Guard Maritime specific cybersecurity framework profiles – Maritime Bulk Liquids Transfer, Offshore Operations, and Passenger Vessel Cybersecurity Framework Profiles (USA).
The International Maritime Organization (IMO) uses NIST CSF's five core functions in its Guidelines on Maritime Cyber Risk Management.

In addition to NIST CSF, IMO refers to other relevant best practices: BIMCO's Guidelines on Cybersecurity Onboard Ships and ISO/IEC 27001.

International Association of Drilling Contractors 

Several industry groups are working to help asset owners and operators manage the threat of cyber-attacks and meet current and future regulatory demands. As an example, the International Association of Drilling Contractors (IADC) is developing guidelines for drilling assets based on the five core functions of NIST CSF. This work is performed in close cooperation with other industry groups, like the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC), the American Petroleum Institute (API) and the International Association of Oil & Gas Producers (IOGP), as well as regulators like the U.S. Coast Guard. The IADC guidelines provide asset owners and operators with building blocks to develop their own Cybersecurity Programs, taking relevant industry and international guidelines into account.

Secure-NOK has chaired the IADC Cybersecurity Committee since its beginning as a Work Group in 2014. We and others have contributed our expertise in developing policies, processes and technology to ensure security. In close cooperation with the industry, we make sure that everything we propose is practical and can be realistically utilized in a driller’s environment and mode of operation. The result of this effort is a series of user-friendly guidelines designed to help drillers become more secure:

Guidelines for Assessing and Managing Cybersecurity Risks to Drilling Assets.
Guidelines for Minimum Cybersecurity Requirements for Drilling Assets.
Ongoing work: Guidelines for Network Segmentation.
Ongoing work: Guidelines for Cybersecurity Training.
Ongoing work: Guidelines for Hardening of Control Systems Focusing on Existing Drilling Assets.
Ongoing work: Guidelines for Security Monitoring and Audit.

We help implement tailored cybersecurity programs specific to your needs
 

Need help getting started?

At Secure-NOK, we share our deep knowledge of threats and vulnerabilities in oil, gas and maritime infrastructure. We know which cybersecurity measures are practical and which will not work in OT environments.

We have an excellent overview of the standardization and regulatory situation and have developed a generic Security Policy that we adapt to fit each customer’s specific needs. Our technology is specifically made for industry needs and supports compliance with relevant standards.

 

Key to a Cybersecurity Program

What are the key elements of a cybersecurity program? The first step is to understand the scope of a successful program. Protecting oil & gas infrastructure from cybersecurity attacks requires the right processes, the right technology and sufficient awareness among key personnel. All these elements must play together in order to develop and maintain a secure environment capable of handling all types of events, from targeted attacks like GPS spoofing of ships to attacks where critical OT infrastructure is a random victim of carefully designed, damaging malware like NotPetya.

Many asset owners and operators are looking for one or a few technical solutions to secure their assets and fail to sufficiently embrace the need for having the right competencies and processes. To stay secure, it is important to continually maintain an overview of the situation, periodically revisit all security measures and improve as required to stay ahead of the attackers.

Once the required organizational support and scope of the Cybersecurity Program are in place, the strategy and requirements for the program must be established. This usually includes selecting a relevant and recognized standard to be used as inspiration and guidance.

Second, a Security Policy must be established. The policy defines the goals specific to your organization or asset to implement the strategy in compliance with the relevant requirements. When defining a Security Policy, ownership and responsibilities of the various elements required should be determined.

Cybersecurity standards typically contain requirements to assess and manage cyber-risk. When planning the actual implementation of the cybersecurity program, it is a good idea to start with a Risk Assessment. The results from this assessment will guide later efforts to where they have the most impact.

Once the Risk Assessment results are ready, it is time to focus on planning and implementing actual security improvements. Examples are technical measures, e.g. network segmentation, perimeter defense and access control, system hardening and monitoring of blind spots, as well as training of personnel and process improvements.