Being the type of person who is always looking to learn about the world and everything in it, I recently had the opportunity to spend a few days in Houston, Texas, at the Oil & Gas Cyber Security Conference. Boy, was it an eye-opening experience!
When we hear the term “cyber security,” we often think of protecting computers and networks against cyber threats such as malware, which includes computer viruses, worms, Trojan horses, keyloggers, spyware and several other kinds of malicious software. This was indeed part of the discussion at the conference, but it was far from the key issue discussed. Attacks against computer systems are an everyday occurrence in the oil and gas industries, so there was a lot of ground to cover.
Now, so you can understand the depth of the issue, I’m going to have to get a little technical…
Every aspect of our day-to-day lives encompasses some form of automation, whether we're dealing with industrial processes such as manufacturing, power generation, fabrication, and refining, or infrastructure processes such as water treatment and distribution, oil and gas pipelines, electrical power transmission and distribution, and large communication systems. Then there are facility-related processes that occur in both public and private facilities, including buildings, airports and ships, where they monitor and control heating, ventilation, and air conditioning (HVAC) systems.
These systems are all run by Programmable Logic Controllers (PLCs), which are digital computers used for automation of electromechanical processes, such as control of machinery on factory assembly lines, amusement rides, lighting fixtures and so on. These industrial control systems (ICS) utilize SCADA (supervisory control and data acquisition) devices that monitor and control industrial processes that exist in the physical world.
PLC programs are typically written in a special application on a personal computer and then downloaded by a direct-connection cable or over a network to the PLC. It is this special application code that is the biggest security risk to the enterprise.
It seems that almost all PLCs have some bugs in their code at the time of installation, which can be exploited either internally or externally by inserting malicious code. What I found to be most disconcerting was that, unlike the major computer operating systems (Windows, Mac and the like) that are regularly updated, the manufacturers of these PLCs seem very slow to fix the bugs even after the bugs have been brought to their attention. Also, there’s no testing of the integrity of the programming by an agency like Underwriters Laboratories, which provides safety-related certification, validation, testing, inspection, auditing, advising and training services to manufacturers, retailers, policymakers, regulators, service companies, and consumers.
Companies have created Security Operations Centers to ride herd over their IT departments to implement the latest and greatest firewalls and antivirus software to battle the ongoing threats, but they often fail to address threats to their physical world devices that are all connected via copper cables. Copper cabling is inherently an insecure means of transporting control signals and data.
It has been known since 2008 that it is possible to access these protected networks remotely, through the air, by reading activity via electromagnetic field distortions and inserting code via radio frequencies. Accessing these networks that don’t have wireless routers and are not connected to the Internet has been dubbed “jumping the gap.” In fact, in government circles it’s referred to as “Tactical Electromagnetic Cyber Warfare.”
It would seem to me after examining all the data that we must take at a minimum two steps to protect our nation's infrastructure on both sides of the firewall. We need to establish a nationally recognized testing laboratory for computer programming bugs, and replace copper cabling with fiber optic cabling in all operations concerned with the nation's safety and our economy.