
Cyber security in the oil sector | Hydrocarbon Processing | January 2013


COPYING AND DISTRIBUTING ARE PROHIBITED WITHOUT PERMISSION OF THE PUBLISHER

Cyber security in the oil sector


01.01.2013 | Thinnes, Billy, Hydrocarbon Processing Staff, Houston, TX
The American Petroleum Institute (API) held its 7th annual cyber security conference over two November days in
Houston, Texas. Since cyber attacks on industrial targets have grown in frequency and intensity over the last few
years (two recent examples include Saudi Aramco's victimization and the Night Dragon attack that exposed
vulnerabilities at multiple energy companies), the conference was well-attended and filled with relevant discussion.
Whitelisting
One of the standout sessions from the gathering offered instruction on how to secure industrial control systems with
application whitelisting and change detection. As aptly described by the US National Security Agency, application
whitelisting is a proactive security technique where only a limited set of approved programs are allowed to run,
while all other programs (including most malware) are blocked from running by default. In contrast, the standard
policy enforced by most operating systems allows all users to download and run any program they choose.
Application whitelisting enables only the administrators, not the users, to decide which programs are allowed to
run.
Gib Sorebo, a vice president at SAIC, spoke about implementing this philosophy within an oil and gas industry
sector context.
"The first step is using best practices," he said. "For instance, if I am going to review a PDF, a certain computer
should be specified; avoiding overlap is key. This can help avoid some of the problems that exist with and without
whitelisting. Acrobat and Flash are problematic programs and you should never have Flash running on control
system computers."
Mr. Sorebo's concern about Adobe Acrobat and Adobe Flash is drawn from substantial data showing that those two
programs are particularly susceptible to tampering and are often gateways that hackers use for eventual deployment
of their viruses. Other common software that application whitelisting has identified as being vulnerable includes
Microsoft Office documents (especially VBScript and Macros), Windows PowerShell, DLL injection and JavaScript.
"More and more whitelisting products are emerging," Mr. Sorebo said, "but the onus is no longer on individual
companies to go into the marketplace and make à la carte selections." Control vendors are now including such
products in their program suites. Mr. Sorebo simply advises management to check with their respective control
vendors to make sure it is included.
"Whitelisting offers highly granular controls that restrict not only installation, but also the execution of
[unauthorized] software," he said. "It also enforces more secure updating methods to protect against supply chain
threats and further guards against many improper uses of applications, like spawning a shell."

http://www.hydrocarbonprocessing.com/Article/3137769/Cyber-security-in-the-oil-sector....

1/27/2013


Mr. Sorebo readily admitted that there are inherent risks in control systems that create unique security challenges.
That's why he was advocating for application whitelisting, as it is an avenue to overcome vulnerabilities and
effectively lock down control systems.
"When deployed correctly, application whitelisting can operate seamlessly in critical infrastructure with little
administrative overhead or help-desk support required," he said.
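The default-deny decision, change detection and the "spawning a shell" restriction described in this section can be sketched as follows. This is an added example, not code from the article, the speaker or any whitelisting product; the file paths, sample contents and the MAY_SPAWN rule table are constructed assumptions.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for file contents on a control-system workstation.
HMI = b"constructed: hmi_client v1"
PDF_VIEWER = b"constructed: pdf_viewer v1"
SHELL = b"constructed: command shell"

# Administrator-maintained baseline (hypothetical paths): path -> approved hash.
BASELINE = {
    "/opt/scada/hmi_client": sha256(HMI),
    "/opt/tools/pdf_viewer": sha256(PDF_VIEWER),
    "/bin/sh": sha256(SHELL),
}
# Parent -> programs it may launch; a parent with no entry may launch nothing.
MAY_SPAWN = {"/opt/scada/hmi_client": {"/opt/tools/pdf_viewer"}}

@dataclass
class Verdict:
    allowed: bool
    reason: str

def check_exec(path: str, content: bytes, parent: str | None = None) -> Verdict:
    """Default deny: run only approved, unmodified programs from approved parents."""
    approved = BASELINE.get(path)
    if approved is None:
        return Verdict(False, "not on allowlist")
    if sha256(content) != approved:
        return Verdict(False, "hash differs from baseline")
    if parent is not None and path not in MAY_SPAWN.get(parent, set()):
        return Verdict(False, "parent may not spawn this program")
    return Verdict(True, "approved")

def detect_changes(current: dict[str, bytes]) -> list[str]:
    """Change detection: report baseline files that are missing or modified."""
    findings = []
    for path, approved in sorted(BASELINE.items()):
        if path not in current:
            findings.append(f"missing: {path}")
        elif sha256(current[path]) != approved:
            findings.append(f"modified: {path}")
    return findings
```

Because the decision keys on the content hash rather than the file name, an approved program that has been altered on disk is refused until an administrator re-approves it.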
Cloud security
During another presentation at the event, two representatives from Orbis Technologies discussed how cloud-based
technologies can improve cyber security. As many petrochemical companies move to massive, shared cloud-based
networks, a new security approach is necessary. Orbis' Eric Little suggested three approaches to make a company's
cloud more secure: infrastructure enhanced security, enhanced threat modeling and semantic security.
"The ability to use semantics to model actual threats, like people stealing IP addresses, allows you to capture the
type of subject matter expertise that analysts wish to model," he said. "You can also build security in by creating a
lexicon of important terms, with data elements categorized into appropriate classes. This advanced logic allows for
reasoning over data sets that can detect new patterns, allowing information to be gained."
Mr. Little also went into detail about the formal ontology of a threat. He said that all threats have three components:
intent, capability and opportunity.
"Understanding the structure of threat components can allow for improved computational approaches," he said.
During his presentation, Mr. Little also itemized elements that should be included in core technologies for scalable
cloud-based semantics. These included:

Information extraction
Natural language processing
Entity extraction
Semantic resolution.

API's Cyber Security Conference took place in November.


Eric Little and Steve Hamby represented Orbis Technologies at the event.
