InfoEdge Logo
Offering Select IT And Business Management Research
research@infoedge.com
800.544.7337 | 617.969.9080
Home Page About Us Contact | Questions Shopping Cart
Recent Reports Information Centers Free Research IT Business News and Articles CIO Strategy Center Browse Categories
Related Reports
Security Audit Program
The audit program is one that either an external auditor or an internal auditor can use to validate the compliance of the Information Technology organization and the enterprise to ISO 17799, Sarbanes-Oxley, HIPAA, and PCI-DSS.
IT Spending, Staffing and Technology Trends
The study tracks spending in ten industry and government sectors and provides objective and comprehensive data designed to assist IT and business executives in the financial and strategic management of information technology.
Options in Enterprise Backup
This report reviews the intricacies of backup practices and procedures, including security, business continuity, archiving and compliance.
The State of the Mainframe
Mainframe MIPS growth is averaging around 20% per year. This new report looks at the current state of this "legacy" system.
IP Telephony Solutions: Product Comparison Report
This report includes an overview of the enterprise IPT market, a comparison of nine leading IPT solutions, and a summary of the relative strengths and weaknesses of each product.
Regulatory Resource   Threat Intelligence      Resilient IT      Boardroom Strategies      
Regulatory Resource / Sectors

Securing SCADA and DCS Systems Inside Refineries and Pipelines

By Tom Schmidt

While oil and gas companies have made strides to protect the physical security of their plants and infrastructure, two factors have lately moved control system security higher up on the agenda:

  • Supervisory control and data acquisition (SCADA) systems and Distributed Control Systems (DCSs) used within refineries and to control pipelines are vulnerable to cyber threats.
  • The explosive nature of these commodities makes this industry's infrastructure an attractive target.

But while progress has been made to enhance cyber security, oil and gas companies still face some steep challenges, including the need to connect once isolated SCADA and DCSs with business systems and networks; clashing organizational priorities; and the lack of a mandate to comply with cyber security-related standards.

This article examines today's principal SCADA and DCS vulnerabilities before proposing some effective practices that oil and gas companies can adopt to improve the security of these critical systems.

SCADA and DCS vulnerabilities

The oil and gas sector depends upon a vast and highly decentralized infrastructure, consisting of an extensive network of roughly 150 refineries, 200,000 miles of oil pipelines, and 2,000,000 miles of gas pipelines. SCADA and DCS systems used within refineries and to control pipelines form the backbone of most oil and gas industry operations in the United States and worldwide today. To supply corporate decision makers with crucial data, these organizations are increasingly integrating their SCADA and DCS systems with corporate business systems.

It is this development that has raised concerns among security professionals. These systems were originally built for efficiency and reliability -- and often deployed with security features not being implemented because they were intended to be isolated from the outside world. Integrating SCADA and DCS systems with corporate business systems exposes these control systems to cyber threats introduced through the corporate network.

Likewise, many of these control systems use the Modbus protocol to support communications with electronic flow measurement (EFM) devices and remote terminal units (RTUs) scattered throughout the thousands of miles of pipelines. While this interconnectedness provides corporate decision makers with access to critical data, it also leads to widespread availability of information about these control systems and their vulnerabilities.
 
At the same time, partner data sharing (a result of industry mergers and partnership formation) has fostered real-time data-sharing between DCS systems and corporate networks between separate corporate entities. These interconnections must be secured against cyber threats.
 
And some of those threats have been successful. For example, according to FBI director Robert Mueller, hackers in Russia were able to gain control of a gas pipeline for 24 hours by penetrating electronic control systems.

Finally, the nonstop operational requirement of SCADA and DCS systems complicates security implementation and testing because systems can never be taken offline. Many organizations maintain 24x7 operations via remote system access, which introduces additional vulnerability points.

Practices for securing SCADA and DCS systems

Oil and gas companies can benefit from proven practices to safeguard their SCADA and DCS systems within refineries and pipelines. Moreover, the following four-step cyber security process aligns with the recommendations put forth in the Security Guidelines for the Petroleum Industry, published by the American Petroleum Institute in April 2005.

  • Step 1: Security Assessment This includes assessing a company's awareness of electronic threats before they reach the organization, identifying possible regulatory compliance issues, assessing the effectiveness of security and administration tools, and manually validating these security concerns using penetration testing methods.
  • Step 2: Security Policy Creation and Enforcement Here companies establish who is authorized to gain access to what information, as well as who is authorized to perform what functions. To ensure an effective policy, organizations must continually measure compliance with its policies and procedures.
  • Step 3: Security Measure Deployment To combat ever-evolving cyber threats, organizations must utilize proven security technologies and procedures, and that means recognizing that perimeter firewalls alone offer insufficient protection. An Intrusion Detection System (IDS) featuring both protocol anomaly and signature-based detection techniques is a vital element of modern network security. Oil and gas companies must also address inadequately protected networked, mobile, and remote users, protecting them with antivirus, IDS, and personal firewalls. This step also involves implementing recovery procedures and tools to be used in the event that an attack eludes other security measures.
  • Step 4: Security Monitoring and Management This involves real-time, 24/7 monitoring and management of security information resources to prevent disruptions and minimize downtime. And that poses a real challenge. Pipeline and refinery control center personnel must focus on their system operation duties and aren't typically trained in the nuances of effective security monitoring and management. As a result, many organizations are using third parties that have experience providing management and monitoring of security devices. Also, early warning services can provide customized alerts of worldwide cyber attacks -- as well as countermeasures to prevent attacks before they occur.

Conclusion

The increasingly interconnected nature of SCADA, DCS, corporate networks, remote workers, and other networks means the industry must move to enhance security of this critical infrastructure -- in spite of a current lack of industry-mandated cyber security regulations.
 
The good news is that a growing number of technologies and services are available to help companies secure not only their SCADA and DCS networks but also the networks to which they are connected. For oil and gas companies looking to protect their refineries and pipelines from constantly evolving cyber threats, that can mean the difference between a costly disruption and business continuity.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.

Articles by Topic
Sectors
Law
Tactics
Related Content

Features

View More


Metrics

View More

Fast Fact

To combat ever-evolving cyber threats, organizations must utilize proven security technologies and procedures, and that means recognizing that perimeter firewalls alone offer insufficient protection.

-- American Petroleum Institute
Sponsor Tools

Resources

White Papers

View More


Podcast Audio Content

CIO Strategy Center is now available in audio format.

This week's feature topic is:


Preparing for a Disaster
Playtime: 8 min 07 sec



Download | Subscribe

Copyright © 2009 Studio One Networks. All rights reserved.
Geography Specific | Advanced Technologies | Industry Verticals | Executive Management | Information Technology | Human Resources | Telecommunications | Sales And Marketing | Finance | Hardware | Software | Web | Outsourcing | Top IT Priorities
home   |     site map   |     about us   |     privacy statement   |     research providers   |     contact us   |     categories

Entire contents ©2008 InfoEdge. All Rights Reserved.
Email: research@infoedge.com