
Are we doing cybersecurity wrong?

Wednesday, June 26, 2019

Most conference talks and articles about cybersecurity in the oil and gas industry focus on two issues: the challenge of educating 'users', and technological solutions. Perhaps we've got it all wrong.

Let's make a comparison with the physical security and policing world. Human mistakes and technology play a role here, but you hardly ever hear police officers and physical security people complain about their 'users' or ask for more technology.

The general attitude is: there's a job to do; there will always be vulnerable people, sophisticated criminals and stupidity on both sides; and technology hinders as much as it helps. My job is to manage this situation as best I can, and use my common sense to make the right judgement.

Maybe cybersecurity people should take a similar approach.

The problem is not going away. The oil and gas industry had another major cybersecurity hit in December 2018, when drilling services company Saipem was a victim of a version of the Shamoon virus, taking out between 300 and 400 servers, and up to 100 personal computers, out of a total of 4,000 machines, according to a Reuters report.

Shamoon is famous for the 2012 attack on Saudi Aramco, reportedly installed after an employee in the IT department clicked on a phishing e-mail. It can spread from one machine to another on the network. It e-mails your files to the attacker, erases the files and finally overwrites the master boot record of the infected computer, making it unusable. Over 30,000 Windows systems were overwritten, and the company had to get new hard drives flown in on its private planes, reports say.

Both attacks are believed to have been carried out on behalf of Iran; Saudi Aramco is reported to be Saipem's biggest customer.

Saipem is not as big as Saudi Aramco but it does operate a fleet of 22 drilling rigs, platforms, FPSOs, pipeline vessels, crane vessels and field development ships. Taking down all the Windows computers on its network could cause a lot of havoc.

With this knowledge, how would someone from a physical security background tackle the risk in their company?

They probably would not blame users or look for high-tech solutions; phishing e-mails seem to be getting more and more sophisticated. High technology might come in the form of better virus scanners or network analytics systems, but these would only work if they were pre-programmed to detect this kind of threat, and had the authority and capability to stop an infection spreading within milliseconds.

Probably a low-tech response would be more appropriate.

Just as a stranger cannot simply walk into a highly secure facility, or land their aeroplane at a busy airport, it should not be possible for an e-mail from outside to reach an employee's desktop with a link which enables them to install software on a secure computer linked to a secure network. Whitelisting software applications, and separating the computers that accept external e-mail from the computers with access to internal networks, is a hassle but surely worth it here.

How about more human watchkeeping in the cybersecurity world? The physical security world makes ample use of people.

The security guard makes manual, physical checks and keeps a mental record of the regular comings and goings in a facility, making it much easier to spot a rogue. In the cyber world, if you need to quickly distinguish a legitimate Windows update from a fake one, a task not needing enormous cybersecurity skills, you may be better off with many junior staff rather than fewer, more qualified ones, and may be better off doing such work with people rather than machines.

And the physical security world has a layer of experienced and well paid experts, who maintain a view of the bigger security picture, and can advise you on where your weaknesses are and on best practice to reduce them, drawing on their experience advising other companies. Cybersecurity should do this too.

And the physical security world places a premium on simplicity. An airport has a single, large secure area which you only enter once you have been checked. Computer systems, by comparison, are so complicated that they are really easy for a hacker to hide in. But they could be made simple. Do you need to use Windows when a simple logic controller would do the task?
