DEFEATING THE CYBERSECURITY THREAT TO OIL & GAS
With Security Analytics

ABOUT THIS PAPER

Organizations around the world are dealing with a dramatic increase in the volume of digital information, and Oil & Gas companies are no exception. The critical infrastructure, and the data assets and applications that support the hydrocarbon value chain, are exposed to cyber attacks. These attacks may impact not only the companies themselves, but also the delivery of the commodity, the stability of wider market economics, geopolitical relationships and even the natural environment. They are offensive acts employed by both individuals and whole organizations to target computer information systems, infrastructure, communications networks and personal computing devices, usually originating from an anonymous source. The intent of an attack is to steal financial and operational data, Personally Identifiable Information (PII) or Intellectual Property (IP), or to disrupt the physical processes managed by industrial control systems. This paper discusses how Security Analytics, deployed as part of a holistic approach, is key to meeting the cybersecurity threat in the Oil & Gas industry.
Executive Summary
Why Cybersecurity should be Strategic, not Tactical

Without doubt, every industry is in some way vulnerable to cyber attack, but the Oil & Gas industry is particularly exposed because of the nature of its overall business operating model. It is driven by a Hydrocarbon Value Chain that relies on an ecosystem of very diverse but interdependent workstreams, executed across a geographically dispersed environment by many highly specialized businesses. At the same time, current oil price economics is focusing the minds of CXOs on reducing costs while simultaneously trying to increase operational efficiency. Bring these two factors together (the nature of the Hydrocarbon Value Chain and the current oil price economics) and there is universal agreement on how to reposition businesses to survive and, hopefully, thrive: connect everyone, and automate everything within reason:

- In its quest to reduce NPT (Non-Productive Time), the Oil & Gas industry continues to deploy sensor technology and data collection systems that drive predictive analytics to optimize machine maintenance
- Drilling installations are monitored in real time to ensure safe operations and to keep bits moving towards the best possible entry point into reservoirs, in order to maximize production and recovery
- Where possible, rail and road transport operations are being replaced by pipelines with sophisticated SCADA (Supervisory Control and Data Acquisition) systems that pump raw hydrocarbons from field to tank to refinery, complete with leak detection systems
- Executive and field management alike need to be confident that the data coming out of their information systems is consolidated, comprehensive, up-to-date and can be trusted, so that they can make better decisions faster

For all of this to deliver value, systems and people need to be constantly connected. This leads to hyper-connectivity, which unfortunately sets a stage with multiple access points from which cyber attacks can be initiated.

So what can Oil & Gas companies do? They could improve nothing and play the odds, gambling that no attack will be launched directly against their organization or against critical external businesses within their operating ecosystem. Or they could strengthen perimeter security with tighter system access controls and state-of-the-art firewall technology, coupled with improved video surveillance and intruder alert systems for physical assets, particularly those that are unmanned and remote. Neither of these is a credible strategy against today's cyber threat capabilities. Even if your business implements advanced access controls on its systems, if the external businesses you are connected to within your ecosystem do not take similar precautions, they become a liability: the credentials and connections they use to legitimately access your systems can be stolen by attackers, who can then enter your systems with little or no suspicion because their activity looks like that of a trusted partner. This is the reality of hyper-connectivity as we work tirelessly to optimize our businesses. Since there is little chance we will go back to decoupling our businesses any time soon, we need an additional weapon in our security arsenal: Security Analytics.
THE IMPORTANCE OF SECURITY ANALYTICS
THE ATTACKER FREE TIME CHALLENGE

Security Analytics is not new, but what makes the difference between mediocre and effective security analytics is the speed with which unusual behavior can be detected, classified, responded to and, if necessary, recovered from. In essence, Security Analytics works best when it reduces Attacker Free Time: the time between an attacker breaching the environment and being detected. The schematic below shows the anatomy of an incident, starting at the point where an attacker carries out reconnaissance of a target, through the attack itself, to detection and finally the recovery of the target from the breach. Close scrutiny of these stages brings home just how exposed a system is when there is a disproportionately large focus on perimeter protection (firewalls etc.). Weaker monitoring and detection inside the environment means that once an intruder gets past the perimeter they have an enormous amount of freedom to move around, and depending on their intent you may never know they were there, or worse, that they are still present in your systems.

Advanced attackers are far stealthier than those committing smash-and-grab password theft or website defacement. They seek to remain hidden, establishing multiple footholds in case their initial access is shut down. They keep suspicious activity that might alert security operations teams to a minimum as they move towards their target, and they cover their tracks by erasing logs and other evidence of their breach.
INTRODUCING RSA: A LEADER IN SECURITY ANALYTICS

RSA, the Security Division of Dell EMC, is the premier provider of intelligence-driven security solutions. RSA helps the world's leading organizations solve their most complex and sensitive security challenges: managing organizational risk, safeguarding mobile access and collaboration, preventing online fraud, and defending against advanced threats. RSA delivers agile controls for identity assurance, fraud detection and data protection, as well as robust Security Analytics and industry-leading GRC capabilities.

1. A Big Data Approach to Security Management: RSA's distributed data architecture enables customers to collect and analyze security data at an unprecedented scale and rate of change.
2. A Unified Approach to Security Analytics: RSA provides a common set of services and tools for analyzing security data to support the major analytic activities, from alerting and reporting to malware analytics.
3. A Governance Layer that binds Security Analytics to the business: RSA's portfolio streamlines the process of gathering information about critical business processes and systems, together with the business context and requirements for securing them.
4. Threat Intelligence that empowers customers with up-to-date knowledge: Through RSA technology and services, actionable intelligence about the threat environment is made available for analysis in real time, enabling organizations to relate that intelligence specifically to their own environments.

Comprehensive Visibility: RSA's portfolio enables unparalleled visibility into ongoing activity within the environment:
- Infrastructure to support collection without limitations: the ability to collect many types of security data at scale from a variety of data source types, providing a single lens through which data about advanced threats and user activity can be viewed

Agile Analytics: RSA provides tools that make detailed information available to investigators in an easily consumable manner:
- Platform for performing rapid investigations: intuitive tools for rapid analysis, with detailed drill-down, incorporating business context to support better-informed decision-making

Actionable Intelligence: Threat feeds used together with data collected from the environment help security analysts by highlighting known threats in real time, enabling prioritization of the suspicious log and network activity that needs investigation:
- Current threat intelligence correlated with collected data: proprietary intelligence from a community of security experts, built into RSA tools and applied through rules, reports and watch lists, to gain insight into threats from data collected across the enterprise

Optimized Process Management: RSA products help security teams streamline the diverse set of activities related to preparedness and response:
- Incident Management: a workflow system to define and activate response processes, plus tools to track open issues, trends and lessons learned

Defending against advanced threats requires an adaptive approach, oversight of processes and reporting of key metrics. Unlike traditional signature-based perimeter security solutions, RSA provides an integrated set of tools and services that fit into existing environments, enabling you to identify, protect against and respond to zero-day threats that traditional signature-based controls do not stop. Zero-day threats are extremely serious: they exploit vulnerabilities that have not been made public and for which no fix yet exists, which is also why no signature can exist for them. The RSA Security Practice of Dell EMC Consulting approaches security from a business context that prioritizes security investments.
Services from the Practice specialize in both security policy and compliance areas such as PCI DSS and HIPAA/HITECH, and define solutions in line with regional and global Oil & Gas security recommendations. The Practice brings domain expertise that spans data classification, information risk management, GRC and policy management, fraud mitigation, identity assurance, virtualization, and security operations.
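The watch-list correlation described above (threat feed indicators matched against collected log and network data, with known-bad activity surfaced and prioritized for analysts) is shown below as an added example. It is not RSA Live or RSA Security Analytics code: the indicators, confidence scores and log lines are constructed for illustration, and the log format (kind, timestamp, source, destination) is an assumption. It goes slightly beyond the text by matching subdomains of a watched domain and IPs inside a watched CIDR range, which is what makes a watch list useful against infrastructure that changes hostnames and addresses.

```python
"""Watch-list correlation: match threat-intelligence indicators against collected logs.

Added example, not RSA code. Indicators, scores and log lines are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed watch list: (indicator, kind, confidence 0-100, description).
WATCH_LIST = [
    ("203.0.113.0/24", "cidr", 90, "C2 address range (constructed)"),
    ("198.51.100.7", "ip", 70, "exploit-kit host (constructed)"),
    ("bad-update.example", "domain", 95, "malware download domain (constructed)"),
]

# Constructed log lines in an assumed "kind timestamp source destination" format.
SAMPLE_LOGS = """\
dns   2015-11-02T10:01:00Z 10.10.5.20 cdn.bad-update.example
proxy 2015-11-02T10:01:03Z 10.10.5.20 203.0.113.44
dns   2015-11-02T10:02:10Z 10.10.6.9  intranet.corp.example
proxy 2015-11-02T10:03:30Z 10.10.6.9  198.51.100.7
dns   2015-11-02T10:04:00Z 10.10.7.1  notbad-update.example
"""

LOG_RE = re.compile(r"^(?P<kind>\w+)\s+(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)$")


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    observed: str
    indicator: str
    confidence: int
    description: str


def normalize_domain(name: str) -> str:
    """Lower-case and drop a trailing dot so 'Foo.Example.' equals 'foo.example'."""
    return name.rstrip(".").lower()


def domain_matches(observed: str, indicator: str) -> bool:
    """True for the watched domain itself or any subdomain of it.

    The label boundary matters: 'cdn.bad-update.example' matches
    'bad-update.example', but 'notbad-update.example' must not.
    """
    o, i = normalize_domain(observed), normalize_domain(indicator)
    return o == i or o.endswith("." + i)


def ip_matches(observed: str, indicator: str, kind: str) -> bool:
    """Exact IP match or CIDR containment; values that are not IPs never match."""
    try:
        addr = ipaddress.ip_address(observed)
    except ValueError:
        return False
    if kind == "ip":
        return addr == ipaddress.ip_address(indicator)
    return addr in ipaddress.ip_network(indicator, strict=False)


def correlate(log_text: str, watch_list=WATCH_LIST) -> list[Hit]:
    """Return every indicator hit in the logs, highest confidence first."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than stall the pipeline
        for indicator, kind, conf, desc in watch_list:
            if kind == "domain":
                matched = domain_matches(m["dst"], indicator)
            else:
                matched = ip_matches(m["dst"], indicator, kind)
            if matched:
                hits.append(Hit(m["ts"], m["src"], m["dst"], indicator, conf, desc))
    return sorted(hits, key=lambda h: h.confidence, reverse=True)


def prioritize_hosts(hits: list[Hit]) -> dict[str, int]:
    """Per-source risk score: the sum of confidences of every indicator it touched.

    A host that resolves a malware domain and then connects into a C2 range
    scores above either event alone; that is the point of correlating several
    feeds against the same collected data.
    """
    scores: dict[str, int] = {}
    for h in hits:
        scores[h.src] = scores.get(h.src, 0) + h.confidence
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    found = correlate(SAMPLE_LOGS)
    for h in found:
        print(f"{h.ts} {h.src} -> {h.observed} matched {h.indicator} [{h.confidence}] {h.description}")
    print(prioritize_hosts(found))
```

On the sample data the host 10.10.5.20 both resolves a subdomain of the watched malware domain and then connects into the watched C2 range, so it outranks 10.10.6.9, which only touched the lower-confidence exploit-kit address. Indicator confidence is what a feed supplies; the per-host aggregation is the simplest form of the prioritization the text describes, and in practice it would be weighted by the business context of the asset as well.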
HOW RSA HELPS PROTECT CONTROL SYSTEMS LIKE SCADA

Threats against control systems are growing in significance as a result of long system lifecycles (often 10-15 years, partly due to the complexity, expense and 24x7 nature of the systems), the move to open standards, and the use of clear-text protocols and default usernames and passwords. This is intensified by the limited resources of control system components and a lack of enterprise visibility, which makes them attractive targets for attackers. To take control of that scenario, it makes sense to record all of an organization's network traffic; the RSA Security Analytics platform enables you to do this and then applies multiple analytic functions to that single source of data, which keeps results fresh and consistent. Unlike other packet-capture tools, however, the RSA Security Analytics platform provides capabilities beyond simply acquiring and storing packets and flows and reporting network statistics. It simultaneously records, indexes and models network and application layer traffic in real time, retaining full packet payload and rich metadata for deep analysis across a secure and flexible enterprise infrastructure, to provide:

- Enterprise-wide visibility from the business network through to the control network and on to external connections
- Parsing and reconstruction of numerous application layer protocols, enabling detection of anomalous and malicious activity
- Detection and parsing of control system protocols such as Modbus, Distributed Network Protocol version 3 (DNP3), Inter-Control Centre Communications Protocol (ICCP) and OLE for Process Control (OPC)
- The ability to write FlexParse custom protocol parsers for proprietary control system protocols
- Monitoring of clear-text protocols for default usernames and passwords via built-in parsers and custom alerts
- Identification of devices with multiple Ethernet (MAC) addresses or IP addresses, which may indicate address spoofing used in man-in-the-middle attacks
- Detection of advanced threats and malware: malicious file attachments, C2 (command and control) IP addresses and domain names, exploit kits, botnets, spam, phishing, zero-day and compromise indicators
- A full-context history of all network traffic, filling a forensics gap left by resource-starved control system components

With detailed insight into all activity in the control system and enterprise networks, asset owners and operators are equipped to detect complex risks that are invisible to other technologies, and empowered to take precise action against cyber threats. It is especially important to protect the systems integral to operations in:

- Exploration and Production Platforms
- Pipeline Infrastructure
- Tank Farms
- Refineries
- Power Supply and Telecommunications infrastructure
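Two of the control-network detections listed above, worked as an added example rather than RSA Security Analytics code: parsing Modbus/TCP so that write operations from a host that is not an approved engineering station raise an alert, and noticing when an IP address is suddenly answered by a second Ethernet (MAC) address, the footprint of ARP spoofing used for man-in-the-middle attacks. The frames, addresses and allow-list are constructed; the function-code table follows the Modbus application protocol specification, and the MBAP header layout is as defined there.

```python
"""Control-network checks: Modbus/TCP write detection and IP-to-MAC conflicts.

Added example, not RSA Security Analytics code. Frames, addresses and the
allow-list are constructed for illustration.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Modbus function codes that change process state. Reads (1-4) are deliberately
# left out: a read from an odd host is worth logging, a write is worth an alert.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    payload: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the PDU that follows it.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    'length' counts the unit id plus the PDU, i.e. everything after byte 6, so a
    mismatch means a truncated or malformed frame and is rejected, not guessed at.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"not Modbus/TCP: protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame)}")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def check_modbus_write(src_ip: str, frame: bytes, engineering_stations: set[str]) -> str | None:
    """Return an alert for a write function code from a host outside the allow-list."""
    req = parse_modbus_tcp(frame)
    if req.function not in WRITE_FUNCTIONS or src_ip in engineering_stations:
        return None
    return f"{src_ip} sent {WRITE_FUNCTIONS[req.function]} (fc={req.function}) to unit {req.unit_id}"


class ArpTracker:
    """Remember which MAC answers for each IP and flag when a second one appears.

    One IP claimed by two MACs is the classic ARP-spoofing footprint, but it also
    happens legitimately (DHCP reassignment, NIC swap, VRRP/HSRP failover), so the
    alert is a prompt to investigate, not proof of an attack.
    """

    def __init__(self) -> None:
        self.ip_to_macs: dict[str, set[str]] = {}

    def observe(self, ip: str, mac: str) -> str | None:
        mac = mac.lower()
        macs = self.ip_to_macs.setdefault(ip, set())
        if macs and mac not in macs:
            previous = sorted(macs)
            macs.add(mac)
            return f"{ip} now claimed by {mac}; previously {previous}"
        macs.add(mac)
        return None


# Constructed sample traffic: (source IP, raw Modbus/TCP request bytes).
ENGINEERING_STATIONS = {"10.20.1.10"}
SAMPLE_TRAFFIC = [
    ("10.20.1.10", bytes.fromhex("000100000006010300000002")),  # fc 3 read, approved host
    ("10.20.1.10", bytes.fromhex("0002000000060106001000ff")),  # fc 6 write, approved host
    ("10.20.3.55", bytes.fromhex("00030000000601050013ff00")),  # fc 5 write, NOT approved
]
# Constructed ARP observations: (IP, MAC seen answering for it).
SAMPLE_ARP = [
    ("10.20.1.1", "00:11:22:33:44:55"),
    ("10.20.1.1", "00:11:22:33:44:55"),
    ("10.20.1.1", "DE:AD:BE:EF:00:01"),  # gateway IP suddenly answered by a new MAC
]


def run_checks(traffic=SAMPLE_TRAFFIC, arp=SAMPLE_ARP, stations=ENGINEERING_STATIONS) -> list[str]:
    """Run both detections over the samples and return the alert strings."""
    alerts = []
    for src, frame in traffic:
        alert = check_modbus_write(src, frame, stations)
        if alert:
            alerts.append(alert)
    tracker = ArpTracker()
    for ip, mac in arp:
        alert = tracker.observe(ip, mac)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_checks():
        print("ALERT:", alert)
```

The write check works because Modbus carries no authentication: the only thing that distinguishes an operator's write from an attacker's is where it came from, so an allow-list of engineering stations keyed on the parsed function code is the minimum useful rule, and the parser refuses frames whose length field disagrees with the bytes captured rather than silently reading past them. The ARP tracker intentionally reports the previous MACs alongside the new one, because the investigating analyst's first question is whether the old address was a known gateway or PLC.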
MATURITY: THREAT INTELLIGENCE RESEARCH AND DELIVERY SYSTEM THROUGH RSA LIVE

RSA has partnered with trusted and reliable providers of intelligence in the security community, including RSA's own research team, FirstWatch. These partnerships deliver, correlate and illuminate information relevant to your organization and fuse it with network data in real time. Unlike services that focus on a single source of intelligence, RSA Live provides the mechanism to aggregate and consolidate data from multiple sources, offering a dynamic and comprehensive threat intelligence service.

RSA FirstWatch is a research and analysis organization focused on emerging sophisticated threats around the globe. Tracking over 5 million IPs and domains and dozens of unique threat sources, RSA FirstWatch delivers situational awareness and threat intelligence from across RSA's research and incident response community to help businesses, including Oil & Gas companies, prepare for, respond to and mitigate advanced cyber threats. The team consists of highly trained threat research and intelligence experts with backgrounds in government, military, financial services and information technology. When the analysis of evolving threats is combined with the Advanced Security Solution, RSA is able to introduce a Security Maturity Model that drives continuous improvement of security operations, shifting from tactical coverage to an integrated strategic implementation.
[Figure: Security Maturity Model, running from Tactical to Strategic. Stages recoverable from the figure: Threat Defense (core security services, perimeter security, point solutions); Defense in Depth using Security Controls (tactical threat defense systems enhanced with security controls); Convergence and Monitoring (security analytics, pattern analysis, risk and threat intelligence); Risk-Based Security (data collection, analysis and detection of advanced threats); Business-Oriented (integrated security across business process and architecture; security processes integrated with business processes and tools).]

In summary, RSA Live is a key component in the fight to increase the speed of detection of security breaches, by feeding live threat intelligence into the security analytics solution. Ultimately this reduces the amount of time an attacker is able to remain active within the infrastructure, the so-called Attacker Free Time.
[Figure: engagement phases: Current State (Analysis & Assessment); Future State (Design & Planning); Solution (Implement, Protect, Monitor).]

SUMMARY: REDUCE ATTACKER FREE TIME, CONTAIN CYBER THREAT ACTIVITY

Against fundamentally different attacks in a hyper-connected world, we need a fundamentally different response. While it is prudent to continue to focus on keeping attacks out at the perimeter, by far the most effective investment is in accelerating the ability to detect and respond to intrusions, especially given the complex business operating model needed to support the hydrocarbon value chain. Advanced threats require enterprise-wide visibility into network traffic and log event data, but this data alone does not provide enough information to enable effective detection and investigation of these types of threats. The RSA Security Analytics Solution addresses this challenge by:

1. Collecting everything happening in the infrastructure. Previous approaches have depended on using information about known threats to decide which data to collect. While this may appear to be an efficient way of controlling IT costs (recording only within the scope of the threats you already know), it leaves Oil & Gas companies exposed to the barrage of constantly evolving and new sophisticated threats: when you are attacked by a new threat, security teams will not have all of the information needed to respond effectively.
2. Identifying key targets and threats. Security teams need to interface not only with IT, Facilities and Plant Management teams, but also with Business Unit teams, to identify the most critical information, business processes and supporting assets. RSA provides assessment services that inject a Business Context dimension into the process of determining the correct level of protection required, including remediation and clean-up steps in clearly documented (and where possible automated) workflows.
3. Investigating and prioritizing incidents. By applying the Business Context dimension to threat preparation, security teams are in a stronger position to allocate resources in a controlled manner, in line with the impact values placed on assets that may be simultaneously under attack by multiple, often unrelated, threats.
4. Managing incidents. When an incident is in progress, the response is more than simply terminating its progress. Damage has to be assessed, which may be physical damage to assets or loss of critical data. Damage can also occur even if critical data is not lost but has been viewed, copied and distributed by unauthorized parties. The situation workflows defined during the identification of key targets and threats are executed to coordinate resources from Business Units, IT, Facilities and Plant Management teams, to minimize the impact of each threat and to rapidly return operations to a nominal state.

In essence, Security Analytics redefines SIEM (Security Information and Event Management) by combining network monitoring, traditional log-centric SIEM, forensics, compliance, big data management and analytics.
About Dell EMC in Oil & Gas

Dell EMC is a global leader in enabling businesses and service providers to transform and deliver enterprise information technology as a service (ITaaS). Dell EMC's dedicated Oil & Gas Practice offers petrotechnical IT innovation focused on data management, application optimization, big data & analytics, and cloud technologies for Exploration & Production businesses, enabling them to:
- Make better decisions faster
- Reduce costs through efficient operations
- Maximize Production & Recovery

The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC², EMC, the EMC logo and RSA are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. Copyright 2016 EMC Corporation. All rights reserved. Published in the USA. 11/2015 White Paper H14713. EMC believes the information in this document is accurate as of its publication date. The information is subject to change without notice. EMC is now part of the Dell group of companies.