Cybersecurity Activities In The Oil And Gas Sector - CCICADA


Cybersecurity Activities in the Oil and Gas Sector

Agenda
- Software Integrity
- Complexity of Systems
- Industry Standards and Committee Initiatives
- Case Study - Risk Assessment of an Ultra-Deepwater Oil Drilling Rig

Software Integrity

The Future of Offshore Automation
[Figure. Source: Petrobras]

Typical New Car Automation
[Figure. Source: John Blyler, http://www.chipestimate.com/blogs/IPInsider/?p 92]

Complexity of Systems

Examples of software failures
- “I need assurance that I won’t have an event of high consequence caused by software.” (Operator)
- Earnings call, Q1 2014: we incurred a major downtime incident on the rig name due to a BOP control system problem. Resolution of this issue required more than 3 weeks of zero rate time and a loss of approximately 13 million in revenue and operating profit.
Source: G-Captain.com, 2013; Mantelmann 2009, FastTimes 2013, Drilling Contractor Annual Report, 2014

Standards - Risk Management
- ISO/IEC 31000-series: Risk Management.
- ISO/IEC 27005: Information Security Risk Management.
- NIST SP 800-39: Managing Information Security Risk and its related standards (SP 800-37 and SP 800-30).
- ISACA Risk IT Framework.
Source: 9th Annual API Cybersecurity Conference & Expo, November 11-12, 2014 - Houston, TX

Standards - Information Security & Assurance
- Common Criteria/ISO 15408: Information Technology – Security Techniques – Evaluation Criteria for IT Security.
- ISO 27000-series: IT-ST – Information Security Management Systems.
- NIST SP 800-12: An Introduction to Computer Security and security controls related standards (SP 800-53 and SP 800-53A).
Source: 9th Annual API Cybersecurity Conference & Expo, November 11-12, 2014 - Houston, TX

Standards - Industrial Automated Control Systems
- ISA 99 / IEC 62443: Industrial Automation and Control Systems Security.
- NIST SP 800-82: Guide to Industrial Control Systems Security.
- WIB M 2784-X-10: Process Control Domain – Security Requirements for Vendors.
- ISO 27019: IT-ST – Information Security Management Guidelines based on ISO 27002 for process control systems specific to the energy utility industry.
- DHS/CPNI State Agency - Cyber Security Assessments of Industrial Control Systems.
- API 1164: Pipeline SCADA Security.
Source: 9th Annual API Cybersecurity Conference & Expo, November 11-12, 2014 - Houston, TX

Industry Standards and Committee Initiatives
[Diagram; labels as they appear on the slide]
- NIST SP 800-12, NIST SP 800-30, NIST SP 800-34, NIST SP 800-37, NIST SP 800-39, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-82
- ISO 15408, ISO 27001,2, ISO 27005, ISO 27019, ISO 27031, ISO 27035, ISO 31000
- ANSI/ASIS SPC.1
- API 1164
- Advanced Rig Technology, Drilling Control Systems, Cybersecurity sub-team, International Association of Drilling Contractors
- ISA 99/IEC 62443
- NIST Framework
- Oil Operator Requirements
- WIB M2784-X-10

Case Study - MODU
Start Contract
Objectives:
- Verify Network Compartmentalization
- Identify/eradicate unauthorized software (Anti-virus)
- Evaluate Software Management of Change
- Evaluate Remote Access
Tools:
- OEM Support Staff (where available)
- Wireshark
- Anti-Virus scanner
- Profiscan (not used)
- “Toolkits” based on specific standard of compliance (IEC 62443)
- Certified control system cybersecurity experts with asset knowledge
Work Effort:
- 2 days on shore
- 7 days on Asset
- 2 Cybersecurity experts

Case Study - MODU
Call to action:
- Operator / Drilling Contractor Concerns:
  o Drilling program integrity
  o Interconnectedness “System of systems”
  o Windows XP Vulnerabilities
  o USB
  o Remote Access
  o Software Change Management
- “Wash list” of threats
  o Limited testing of sw updates
  o 0day exploits (for sale)
  o Unidentified exploits
  o Limited scope of AntiVirus
- Out of scope
  o Disaster Recovery
  o Business Continuity

Case Study - MODU
Methodology
- Tabletop exercise to:
  o Understand asset’s control network architecture
  o Review policies and procedures
    Operational technology (OT) vs. information technology (IT)
- Create toolkit, plan on-asset activities
- On-Asset Assessment (IEC62443, time boxed)
  o Cyber-physical
    Cabling, physical equipment settings (dip switches)
    Enclosures (rooms, doors, cabinets, ports)
  o Cyber
    SMoC Policy implementation
    Passive network scanning
    Remote access
    Unauthorized software, Anti-virus scan (where applicable!)

Observations
- Everyone is “authorized”
  o During production, and in-between wells
- Cyber-physical vulnerabilities not addressed
  o Access to Barge Control BOP controls unsecured
- Robust procedures for remediation of unauthorized software did not exist for the OEM systems
  o 1 OEM introduced malware onto a USB from a business network computer
- Obsolete/irrelevant routing protocol on network
  o Novell routing protocol enabled on control system router
- Software Management of Change processes not followed
  o SMOC software was in the middle of implementation – stacks of paperwork “ready for entry”
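The "Novell routing protocol enabled on control system router" observation is the kind of finding the passive network scanning step produces. The sketch below is an added example, not part of the original slides or the assessors' toolkit: it checks raw Ethernet frames (as exported from a passive capture) for IPX in any of its four encapsulations and reports which host is speaking RIP, SAP or NLSP. It assumes the slide's "Novell routing protocol" means IPX-based routing; the MAC addresses and frames are constructed sample data.

```python
import struct
from collections import Counter

# Well-known IPX socket numbers for Novell routing/service protocols.
IPX_SOCKETS = {0x0452: "SAP", 0x0453: "RIP", 0x9001: "NLSP"}

def ipx_packet(frame: bytes):
    """Return the IPX packet inside an Ethernet frame, or None if not IPX."""
    if len(frame) < 14:
        return None
    (type_len,) = struct.unpack("!H", frame[12:14])
    body = frame[14:]
    if type_len == 0x8137:                       # Ethernet II, EtherType IPX
        return body
    if type_len <= 1500:                         # IEEE 802.3 length field
        if body[:2] == b"\xff\xff":              # Novell "raw" 802.3
            return body
        if body[:3] == b"\xe0\xe0\x03":          # 802.2 LLC, NetWare SAP 0xE0
            return body[3:]
        if body[:8] == b"\xaa\xaa\x03\x00\x00\x00\x81\x37":  # LLC/SNAP
            return body[8:]
    return None

def classify(frame: bytes):
    """Return (source MAC, service) for an IPX frame, else None."""
    ipx = ipx_packet(frame)
    if ipx is None or len(ipx) < 30:             # IPX header is 30 bytes
        return None
    dst_sock, src_sock = struct.unpack("!H", ipx[16:18]) + struct.unpack("!H", ipx[28:30])
    service = IPX_SOCKETS.get(dst_sock) or IPX_SOCKETS.get(src_sock) or "other IPX"
    return frame[6:12].hex(":"), service

def audit(frames):
    """Count IPX findings per (source MAC, service)."""
    return Counter(hit for hit in map(classify, frames) if hit)

def _ipx(sock: int) -> bytes:
    """Constructed 30-byte IPX header, broadcast, same source and dest socket."""
    return (b"\xff\xff" + struct.pack("!HBB", 30, 0, 1) + bytes(4) + b"\xff" * 6
            + struct.pack("!H", sock) + bytes(4) + ROUTER + struct.pack("!H", sock))

ROUTER, BCAST = bytes.fromhex("020000112233"), b"\xff" * 6   # constructed MACs
SAMPLE = [                                                    # constructed frames
    BCAST + ROUTER + b"\x81\x37" + _ipx(0x0453),              # Ethernet II, RIP
    BCAST + ROUTER + b"\x00\x1e" + _ipx(0x0452),              # raw 802.3, SAP
    BCAST + bytes.fromhex("020000aabbcc") + b"\x08\x00" + bytes(20),  # IPv4, ignored
]

if __name__ == "__main__":
    for (mac, service), n in audit(SAMPLE).items():
        print(f"{mac} sent {n} IPX {service} frame(s)")
```

Any hit on a control network is a candidate for the "obsolete/irrelevant protocol" finding: the source MAC identifies the device whose configuration needs review.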

The Pace of Automation
[Chart: million lines of code (axis 0 to 60) by year, 1992 to 2012. Systems labelled: Windows 3.1, Windows NT 3.1, Windows NT 3.5, Windows NT 4.0, Windows 2000, Windows XP, Windows Vista, Windows 7, Windows 8, Space Shuttle, F-22 Raptor Fighter Jet, Boeing 787, Chevy Volt, F-35 Fighter Jet.]
