Securing Control Systems in the Oil and Gas Infrastructure

Provided by: UlfLin


1
Securing Control Systems in the Oil and Gas
Infrastructure
2
What Is The I3P? The Institute for Information
Infrastructure Protection
  • Funded by Congress, managed by Dartmouth College
    with oversight from DHS
  • Established in 2001 to identify and address
    critical research problems facing our nation's
    information infrastructure
  • Consortium of 27 universities, non-profit
    research institutions, and federal labs

3
What Is This Research Project?
  • Two-year applied research effort to improve cyber
    security for control systems/SCADA
  • Specific focus on oil and gas industry
  • Help industry better manage risk by
      • providing risk characterization
      • developing and demonstrating new cyber security
        tools and technologies
      • enhancing sustainable security practices for
        control systems

4
An Important Problem
  • Oil and gas processing is controlled by computer
    systems
  • Trend toward general-purpose platforms and
    universal connectivity
  • These systems are vulnerable to cyber attack
  • An attack could have severe consequences for
      • Human lives
      • The environment
      • The economy

5
Example: Pipelines
  • June 10, 1999
  • In Bellingham, Washington, a gasoline pipeline
    operated by Olympic Pipeline Company ruptured
  • 237,000 gallons of gasoline was released into
    Whatcom Creek
  • The gasoline ignited, sending a fireball racing
    down the creek
  • Two 10-year-old boys and an 18-year-old man were
    killed
  • SCADA system problems partial cause

6
Why Is There A Problem?
  • Control system side
      • Top priority is reliability and availability, not
        security
      • Traditionally relied on obscurity and isolation
      • Trend toward using general hardware and OS
      • Owner/operator companies are in the hands of
        vendors
      • Vendors often have backdoor modem lines
      • Default passwords
  • IT side
      • Traditional security tools may not work for
        control systems
      • IT people do not know control systems
      • Enterprise networks are being connected to
        control systems
      • Control systems are overlooked because they are
        not managed by IT

7
Goals
  • Demonstrated improved cyber security in the Oil
    and Gas infrastructure sector
  • New research findings
  • New technologies
  • Significantly increased awareness of
      • Security challenges and solutions
      • The capabilities of the I3P and its members

8
Approach
  • Build upon ongoing cyber security research to
    apply to the process control arena
  • Develop tools and technology which could enhance
    the robustness of critical infrastructure process
    control systems
  • Focus on the oil and gas sector by partnering
    with industry
  • Develop research collaborations with other
    institutions with cyber security domain expertise
  • Communicate and demonstrate results of the
    research

9
Project Overview
Oil and Gas Industry
Requirements,
Technology
Transfer
Information
Workshops, Demonstrations
Research Team
Risk CharacterizationSNL
Topic 1
Inter- dependenciesUVa
MetricsPNNL
Security ToolsMIT/LL
InformationSharingMITRE
Tech TransferSRI
Topic 2
Topic 3
Topic 4
Topic 5
Topic 6
10
Topic 1: Risk Characterization
  • Problem: What is the risk to infrastructure
    caused by potential vulnerabilities of the
    process control systems?
  • Approach
      • Year 1 and 2 SCADA risk workshops focused on oil
        and gas sector to collect data for all tasks in
        the plan
      • Aggregate information from owners, operators, and
        domain experts
      • Analysis of the data to determine classes of
        SCADA systems to include vulnerabilities,
        threats, consequences, and risks for SCADA
        security
      • Development of attack taxonomy and mitigation
        strategy analysis
      • Profiles of security situations, generalized
        threats, classes of consequences
      • Best Practices handbook information

11
Topic 1: First Year Workshop
  • The workshop was held in Houston, Texas, on June
    2-3, 2005
  • Sample highlights from industry breakout
    sessions
      • On-site contractors present a major vulnerability
        to facility and IT/SCADA security
      • Attackers can use easily accessible emergency
        response plans and identification of key
        personnel to amplify attacks
      • Vendors are only able to provide the products
        (including security) demanded by their clients
      • Cost and certification of security measures are a
        concern
      • Systems in the oil and gas industry represent a wide
        range of maturation levels from beginner to
        advanced
      • Need to include consideration of all systems:
        legacy, modern, and heterogeneous
      • Most control systems in use today are insecure by
        design

12
Topic 1: Results
  • One page summary of workshop
  • Workshop analysis report being prepared
      • Industry perspectives
      • Profiles of security situations
      • Technological profiles
      • Understanding the threat
      • Consequences and measures
      • Industry risk trends
  • Future Work
      • Attack taxonomy
      • Interim and final risk characterization reports
      • Risk characterization to quantify security impact
        and improve business case
      • 2nd workshop focused on technical demonstrations
          • June 8, 2006 in La Jolla, CA

13
Topic 2: Interdependencies
  • Assess the degree of SCADA dependence and
    associated risk exhibited by interlinked critical
    infrastructures
  • Understand the indirect risk to the U.S. economy
    resulting from Oil and Gas SCADA system
    vulnerability and cyber threat potential
  • Develop risk management practices that reduce the
    risk of cascading effects resulting from system
    interdependencies and cyber attacks

14
Topic 2: General Response Model Overview
  • Purpose
  • 1) Map cyber intrusion events to macro-economic
    inoperability effects
  • 2) Integrate System Dynamics model with the
    Inoperability Input-Output Model (IIM) for
    comprehensive and tractable impact analysis
  • 3) Use scenarios of cyber attack, information
    security, infrastructure resilience and emergency
    management systems to derive supply- and
    demand-side perturbations for IIM economic and
    inoperability impact analysis
  • 4) Understand the role of public response to
    industry events in shaping, amplifying and
    dampening economic impact
  • 5) Develop means by which the efficacy of
    candidate risk management strategies can be
    quantitatively evaluated

15
Topic 2: General Response Model Framework
16
Topic 3: Security Metrics
  • Problem: How can the security of control systems
    be measured and related to business and
    functional requirements?
  • Security metrics provide tools that enable
    decisions based on quantitative or qualitative
    assessments rather than hunches or best guesses.
  • Lead: Pacific Northwest National Laboratory,
    Martin Stoddard (martin.stoddard_at_pnl.gov)
  • Team Members: Sandia National Laboratory,
    University of Virginia, The MITRE Corp.

17
Topic 3: A Few Sample Metrics
  • Adversary work factor
  • Capability Maturity Model (CMM)
  • Security Scorecard
  • Assurance Levels/Categories
  • Risk Analysis/Security Vulnerability Assessments
  • Readiness Levels

18
Topic 3: Approach
  • Phase I: Survey existing security metrics and
    provide a high-level view of metrics tools and
    their application to PCS.
  • Phase II: Develop detailed requirements for
    process control metrics. Apply existing
    technologies where applicable and identify gaps
    requiring further development.
  • Phase III: Prioritize the gaps from Phase II and
    apply research to develop the highest-priority
    metrics tools.

19
Topic 4: Inherently Secure SCADA Systems
  • Problem: How do you design, verify, install and
    monitor secure process control systems?
  • Deliverables: Tools and techniques to
      • Support Secure Operations
          • Risk management for configuration and deployment
          • Assess architectural security vulnerabilities
          • Model and monitor correct behavior
      • Enable Secure Components
          • Application software
          • Protocols and protocol stacks
          • Operating systems

20
Topic 4: Team Members
  • Topic Lead: MIT/LL, Rob Cunningham
  • Support Secure Operations
      • Risk management for configuration and deployment
        - MITRE
      • Assess architectural security vulnerabilities -
        University of Illinois
      • Model and monitor correct behavior - SRI
  • Enable Secure Components
      • Application software - MIT/LL
      • Protocols and protocol stacks - University of
        Tulsa
      • Operating systems - PNNL

21
Topic 4: Research Strategy
  • Pull: Expand operator awareness of approaches to
    improved security
      • Develop prototype tools to suggest, verify
        implementation, monitor systems
  • Push: Enable more secure vendor solutions
      • Develop prototypes to improve application
        software, protocols, underlying operating system

Research to support market conditions for more
secure components and systems
22
Topic 4: Reference Refinery Network Architecture
23
Topic 4: Architecture With I3P Security
Components
The Traffic Assessment Tool (TAT) analyzes how
well the system of firewall rules adheres to
global traffic policy. The JSST is a SCADA
protocol policy-aware network monitor. The HSMTU
(High Security MTU) is an architecture that
hardens the master control functions from. The
HIDS (host intrusion detection system) and NIDS
(network intrusion detection system) look for
misbehavior, reported to the SIM (security
incident manager).
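
The kind of check the TAT description above refers to, comparing a firewall rule set with a global traffic policy, shown as an added example (not the I3P tool and not code from the presentation). The zone names, ports, policy and first-match rule model are constructed assumptions.

```python
# Added illustration, not the I3P Traffic Assessment Tool (TAT).
# Zone names, ports, policy and rules below are constructed sample data.
from collections import namedtuple

Rule = namedtuple("Rule", "action src dst lo hi")  # src/dst: zone name or "any"
ZONES = ["business", "control"]

# Global traffic policy: TCP ports each zone may open toward another zone.
# Any flow not listed is forbidden.
POLICY = {
    ("control", "business"): {25, 1433},  # e-mail and database queries
    ("business", "control"): set(),       # nothing may originate here
}

# Ordered firewall rules, evaluated first-match.
RULES = [
    Rule("allow", "control", "business", 1433, 1433),
    Rule("deny", "business", "control", 502, 502),   # Modbus/TCP
    Rule("allow", "business", "control", 1, 1024),   # overly broad
    Rule("deny", "any", "any", 1, 65535),            # default deny
]

def decide(rules, src, dst, port):
    """Return the action of the first rule matching the flow (deny if none)."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.lo <= port <= r.hi:
            return r.action
    return "deny"

def assess(rules, policy, zones):
    """Return (violations, blocked): allowed-but-forbidden and permitted-but-denied ports."""
    violations, blocked = {}, {}
    for src in zones:
        for dst in zones:
            if src == dst:
                continue
            permitted = policy.get((src, dst), set())
            for port in range(1, 65536):
                action = decide(rules, src, dst, port)
                if action == "allow" and port not in permitted:
                    violations.setdefault((src, dst), []).append(port)
                elif action == "deny" and port in permitted:
                    blocked.setdefault((src, dst), []).append(port)
    return violations, blocked

if __name__ == "__main__":
    v, b = assess(RULES, POLICY, ZONES)
    print({k: len(p) for k, p in v.items()}, b)
```

The second result matters as much as the first in a control system: a policy-permitted flow that the rules silently drop is an availability problem, not just a tidy-up item.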
24
Topic 4: Risk Management
25
Topic 4: Architectural Vulnerabilities
26
Topic 4: Modeling and Monitoring
27
Topic 4: Application Software
28
Topic 4: Protocols
29
Topic 4: Operating Systems
30
Topic 5: Cross Domain Information Sharing (CDIS)
  • Domain: A collection of individuals, resources,
    and information owned by one organization that
    requires protection from other domains
  • Cross Domain Information Sharing: Exchange of
    information between two or more domains

31
Topic 5: Research Plan
  • Prioritize the information sharing needs within
    the Gas and Oil sector
      • What information sharing is taking place, but at
        a risk?
      • What necessary information sharing is not taking
        place, and why not?
      • What information sharing will be necessary to
        support new business processes?
      • What information sharing would be beneficial, if
        properly constrained? (e.g., non-attribution)
  • Identify where existing solutions do not meet
    critical needs
  • Research, develop, and demonstrate CDIS solutions
    to address high priority needs
  • Feed Technology Transfer

32
Topic 5: Use Cases
  • Business LAN - Control Center LAN
      • Database queries against financial databases that
        reside on the Business LAN
      • Email containing product orders or inventory
        levels
      • Fixed formatted messages containing product
        nominations or sampling results
  • Asset Owner - Asset Owner
      • Use collaborative environment to share IDS scan
        results, raw log data, reconnaissance activities,
        attack techniques (including social engineering),
        forensic information, system vulnerabilities,
        system status information
  • Asset Owner - Government Agencies
      • Submit formal reports of incidents to appropriate
        government agencies
      • Coordinate with first responders and law
        enforcement in the event of a crisis as well as
        to share after action reports
  • Asset Owner - Vendor
      • Push/pull product updates and security patches
      • Discuss product features and their operational use

33
Topic 5: One Solution
  • Industry site is accessible by authenticated
    members
  • Owners report problems to vendors
  • Vendors and owners report problems and solutions
    anonymously to industry site
  • Industry site analyzes anonymous data
  • Industry site reports analysis to government site

34
Topic 6: Technology and Knowledge Transfer
  • We are not doing blue-sky basic research
  • Transition of our results into the infrastructure
    is essential for success
  • If what we are doing is not relevant to industry
    cyber security needs, then we shouldn't be doing
    it
  • In this project, we are actively working to
    organize and speed up the transfer process

35
Topic 6: Technology Transfer Mechanisms
  • Technology Transition Taskforce
  • Partnerships
  • Evaluations and Experiments
  • Technology demonstration programs
  • Structured Process for Value Creation

36
Topic 6: Knowledge Transfer
  • Knowledge transfer is bidirectional
  • Researchers ↔ Industry
  • Workshops
  • Site visits
  • Technical papers
  • Project books will be published by ISA
  • Training class offered to industry
  • Working with industry groups: API, NPRA

37
Related Efforts
38
Summary
  • This is the only large government-funded research
    effort for control system security for the oil
    and gas infrastructure
  • Focused on industry needs
  • 6 topic areas, 11 institutions, hundreds of
    stakeholders, thousands of lives at risk in a
    major cyber attack on oil and gas systems