In the wake of the terrorist attacks in France on 13 November, 2015, much attention has been given to how terrorist networks communicate securely over Internet connections. This online activity has led many to look deeper at online behavior. Likewise, illegal activity has led many to look deeper at the vulnerable networks of industrial systems. In Oklahoma, the energy industry touches nearly every facet of life. In this post, we consider some of the vulnerabilities that can be corrected to make everyone safer. We review some of the details that emerged from the Black Hat Europe Conference in Amsterdam.
The energy industry is typically divided into four areas of concentration: Upstream, Midstream, Downstream, and Services. The shale oil producers in the US have driven the rapid development of production monitoring and control software used across all four segments. The Upstream segment of the industry begins with exploration and drilling activities. Newer techniques, like horizontal drilling, make use of sophisticated heavy equipment that is controlled by software systems designed to improve accuracy and reduce the risk of missing the raw crude in the earth.
While the big energy companies like Chevron and Exxon Mobil are integrated across the different segments, there are plenty of operators that are focused on the Midstream segment. The Midstream part of energy production covers the collection, storage, transportation, and marketing of raw crude and natural gas products. Many of the downstream activities, which include refining and distribution to retail sales locations, are tightly integrated with midstream operations. Pipeline operations, which transport crude and natural gas all over the US, affect many Oklahomans both directly and indirectly, thanks in large part to the importance of the Cushing storage hub. This is the largest facility of its kind in North America, and one of the largest in the world.
In 2015, the Cushing facility recorded historic inventories on hand due to market conditions. This, of course, reflects the impact of falling oil prices worldwide. The systems needed to monitor and manage storage inventory make heavy use of SAP software. This software was the focus of discussions in Amsterdam at the Black Hat Europe 2015 Conference. Of specific interest was the threat of malware being introduced to the monitoring and management software in use at facilities like Cushing. It is not unreasonable to assume terrorist hackers have an active motivation to try to disrupt inventory management and try to create an environmental accident that could be exploited for their nefarious goals.
The nature of inventory management in the energy industry practically necessitates complex software monitoring systems to help accurately track how much is where, and how much is going downstream. Environmental conditions affect both weight and volume. A complex system that both monitors and adjusts for temperature, pressure, and other weather-related changes helps ensure that inventory records remain accurate, storage tanks are properly filled, and purchasing contracts are satisfactorily delivered. Malware introduced at any of the myriad points in the midstream system could potentially lead to fraud, market losses, environmental disaster, and damaging legal settlements.
The more complex an enterprise-level system, the more difficult it becomes to ensure system security. The more interconnected a critical facility becomes with corporate offices, the more challenging security becomes. Intrusion into a corporate network from a remote access terminal increasingly threatens to let in the types of malicious actors seen in the news. Many of the same solutions IT departments must implement for non-energy systems can be applied to energy systems. Multi-factor authentication, encrypted end-to-end connections, and tightly managed strong password policies all fit exceptionally well for enterprise-level SAP systems. Hardening servers and network components also serves to better protect critical energy infrastructure.
Protecting against SQL injection attacks on back-end database systems is yet another solution available. Use of stored procedures also helps to better protect back-end data connections. Again, many of these measures are not new, but many of these systems were considered to be immune to outside interference just a few years ago. The industrialization of botnet operations and the steadily improving knowledge of hackers have changed the threat landscape. Today, every system that has an Internet connection needs to be secured. Security through anonymous obscurity is no longer a defense. Nothing is obscure to automated malware looking for points of weakness. Automated routines can run through a series of network addresses faster than it took to type this last sentence.
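The difference between a string-built statement and a bound-parameter statement against a back-end inventory table, shown as an added example that is not part of the original post. The `tank_inventory` schema, tank IDs, volumes and function names are hypothetical, and SQLite stands in for the production database.

```python
import sqlite3

# Constructed sample data: tank IDs and volumes are illustrative only.
SAMPLE_TANKS = [("T-101", 250000.0), ("T-102", 310000.0), ("T-103", 95000.0)]

def new_db():
    """Create an in-memory inventory table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tank_inventory (tank_id TEXT PRIMARY KEY, barrels REAL)")
    db.executemany("INSERT INTO tank_inventory VALUES (?, ?)", SAMPLE_TANKS)
    return db

def record_reading_unsafe(db, tank_id, barrels):
    """Weak form: operator-supplied text is spliced into the statement."""
    sql = f"UPDATE tank_inventory SET barrels = {barrels} WHERE tank_id = '{tank_id}'"
    return db.execute(sql).rowcount

def record_reading_safe(db, tank_id, barrels):
    """Hardened form: values are bound as parameters, never parsed as SQL."""
    cur = db.execute(
        "UPDATE tank_inventory SET barrels = ? WHERE tank_id = ?",
        (float(barrels), tank_id),
    )
    return cur.rowcount

def volumes(db):
    """Return {tank_id: barrels} for every tank."""
    rows = db.execute("SELECT tank_id, barrels FROM tank_inventory ORDER BY tank_id")
    return dict(rows)

# Constructed input that closes the string literal and widens the WHERE clause.
CRAFTED_ID = "T-101' OR '1'='1"

def demo():
    """Apply the same crafted reading to both forms and compare the damage."""
    unsafe_db, safe_db = new_db(), new_db()
    unsafe_rows = record_reading_unsafe(unsafe_db, CRAFTED_ID, 0)
    safe_rows = record_reading_safe(safe_db, CRAFTED_ID, 0)
    return unsafe_rows, volumes(unsafe_db), safe_rows, volumes(safe_db)

if __name__ == "__main__":
    unsafe_rows, unsafe_vol, safe_rows, safe_vol = demo()
    print("string-built: ", unsafe_rows, "rows changed ->", unsafe_vol)
    print("parameterized:", safe_rows, "rows changed ->", safe_vol)
```

With the string-built statement a single crafted tank ID rewrites every inventory record; with bound parameters the same input matches no tank and the records stay intact.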
Christopher Watson is an Information Technology professional with success in both public and private sector businesses. Technical and business experience is complemented with operational and strategic planning, international contracting work, leadership development and team building competency in challenging physical and political environments. Experience leverages strengths with technology services and providing timely and relevant information to senior executive leadership. Christopher is based out of the Oklahoma City office.