Cybersecurity in the Oil and Gas Industry Whats Here and Whats - - PowerPoint PPT Presentation

DYNAMIC POSITIONING CONFERENCE

OCTOBER 9‐11, 2017

TESTING/RISK

Cybersecurity in the Oil and Gas Industry – What’s Here and What’s Coming

Aarushi Goel GoDaddy

 Why is security of

O&G a concern?

 List of Top 16

Critical Infrastructures

Critic ical l Infra rastru ructure res

Chem emica ical Sector Communications Sect ector Critical Manuf ufactur uring Commercial facilit ilities es Dams Sector

• r

Defens nse Emergency services

En Ener ergy

Financia cial l Services ces Food d and d Agricu icult lture Healt lthca care IT s IT sect ector Gover ernmen ent Facilities Nuclea clear react ctors Transpor portation

• n

system Water managem emen ent

 Ability to use Big Data and Other leading data analytics

techniques for

• Predictive analysis and Data modelling
• Achieving business goals
• Real time data analysis and data mining

 Remote access to Offshore

Rigs and Ships

• Reduced downtimes in case
• f technical failures
• Reduced Human risk
• Reduced Cost and Time

 Plant shutdown  Equipment damage  Utilities interruption  Production cycle shutdown  Inappropriate product quality  Undetected spills  Safety measures violation resulting in injuries and even death

* Drillin illing and producti tion * Tradeof

• ffs in Effici

ciency cy vs Secu curi rity * Technic ical l set t up of I f ICS

UPSTR TREA EAM

* Disruption of suppl ply * * Undet etec ected ed spills * Illegal l pip ipelin ine tapping * Attack cks on m marit ritime t transport

• rt

MIDSTREA EAM

* Unaut utho horized access s to refiner eries es * Accessibility ity of refin inery data ta * Viola lati tion of industr try regula latio tions

DOWNSTREA EAM

IDE DENTIFY FY(ID) D) PROTECT( CT(PR) R) DE DETECT(DE) RESPOND(RS) RS) RECOVE VER( R(RC) RC)

Five Main Stages Of NIST Framework

• Physical devices
• Software & Applications
• Roles & Responsibilities

ASSE SSET MANAGE AGEMENT

• Organizational mission

and objectives

• Role in Supply Chain
• Dependencies and

Critical functions

• Info security policy
• Security roles &

responsibilities

• Legal & Regulatory

requirements

• Asset vulnerabilities
• Threats are identified
• Business impacts and

likelihood

• Risk Responses
• Risk Management

strategy determines

• Organizational Risk

Tolerance BUSINE NESS S ENVIR IRONME MENT GOVERN RNANCE NCE RI RISK SK ASSESSM SSMENT RI RISK SK MANAGE AGEMENT

Ac Access ess Contr trol

• l
• Identities &

Credentials

• Physical and

Remote access

Awareness and Training

• Security training
• Training

corresponding to each security level

Data S Securit rity y

• Software

applications to protect data

• Development

around Confidentiality, Integrity and Availability is focused

Inf nfor

• rmati

tion Prote tection

• n

Pro rocesses a and d Proced edures es

• Backups
• Data destroy

policy

• Data transfer

policy

Mainte tena nanc nce

• Maintenance of

hardware and software assets

• Logging

Prot

• tecti

tive Technol nolog

• gy
• Peri

riod

• dic

auditin iting

• Communications

& Control Systems protected

Anomalies and Events

• Baseline of N/W
• perations
• Detected events

analyzed

• Event data are

aggregated and correlated from multiple sources

• Impact of events is

determined Security Continuous Monitoring

• Network continuously

monitored to detect attacks

• Monitoring for

unauthorized personnel, connections, devices, and software is performed

• Vulnerability scans

Detection Processes

• Roles and

responsibilities for detection

• Detection processes

are tested

• Event detection

information is communicated to appropriate parties

Respons

• nse

Plann nning ng

Response plan is executed during or after an event

Comm

• mmuni

nication

• ns

Events are reported, personnel know their roles, coordination with stakeholders

An Analysis s

Incident anomalies are investigated, forensics are performed, Incidents categorized for responses

Mitigation

Incidents are mitigated, incidents are documented for future

Improvements

Response plans incorporate lessons learned, Response strategies are updated

Recovery P y Planni nning ng

• Recovery plan is executed during or

after an event

Improv

• vemen

ents

• Recovery plans incorporate lessons

learned

• Recovery strategies are updated

Communi unications ns

• Reputation after an event is repaired
• Public relations are managed
• Recovery activities are communicated

to internal stakeholders

Baseline measurement Target Measurement Identify and Prioritize

• pportunities for

improvement) Assess progress towards the target state Communicate to stakeholders

Risk Assessment Matrix (RAM)

 Adopt Cybersecurity measures to achieve

business objectives

 Tighten the security of any O&G

• rganization using NIST Security

framework

 Not a technical framework, can be

embedded into the current architecture of any organization

Prote tect y t your r Facil ilit ity f from rom the N e New ew Wav ave e

• f
• f Se

Securi rity Th Threat eats



https://www.northstudio.com/sites/default/files/inline-images/security-lock.jpg



http://www.dts-solution.com/category/oil-and-gas-sector/



https://farm2.staticflickr.com/1505/25865370540_6bc7d43309_b.jpg



https://simplecore.intel.com/insight-tech/wp-content/uploads/sites/45/2017/07/LannerFig1.png



https://energyhq.com/app/uploads/2017/04/17OER10973_EHQ_Up-Mid-Downstream_Infographics_Progression_- 1.jpg



http://img.thedailybeast.com/image/upload/v1492111436/articles/2016/07/09/the-terrifying-u-s-israeli-computer- worm-that-could-cause-world-war-iii/160707-stern-zero-days-embed-1_kbcwgo.jpg