Even as the region spends billions of dollars on infrastructure, it needs to safeguard these assets from multiple threats
In August 2012, oil giant Saudi Aramco, which accounts for 10% of the oil consumed daily in the world, was the victim of a malicious attack intended to halt the company’s crude oil and gas supplies. Although the virus — given the nickname ‘Shamoon’ by investigators — failed in its primary objective, it nevertheless destroyed the hard drives of more than 30,000 desktop computers and 2,000 servers, forcing IT systems to be disconnected from the Internet for two weeks.
But the question on everybody’s minds was: what if the attackers had succeeded?
According to Standard & Poor’s Ratings Services, on average, hydrocarbon revenues constitute 46% of nominal GDP and three-quarters of total exports of the six GCC countries. The region also accounts for nearly one-fifth of global crude supplies. Therefore, any unplanned stoppage of production could become a nightmare, not only for the producers but also for the countries that depend on them.
Critical infrastructure, in the Gulf region’s context, comprises the sectors that constitute the backbone of its social and economic security. These include the oil & gas, utilities, telecommunications, transportation and industrial manufacturing sectors. An attack on any of them could result in anything from equipment impairment and production loss at the most basic level to crippling financial losses, environmental damage and loss of human life at the worst.
As their operations increasingly move online, critical infrastructure installations are also at risk from cyber attacks. According to the Marsh Risk Management Research paper, Advanced Cyber Attacks on Global Energy Facilities, energy firms are being disproportionately targeted by increasingly sophisticated hacker networks that are motivated by commercial and political gain. Open industrial control systems (ICS) have integrated controls that are linked with other information technology networks, giving hackers the opportunity to gain access through back doors and exploit system weaknesses to their advantage.
Computer-controlled systems, such as Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS), are now mainstays in various sectors, monitoring and controlling highly critical infrastructure across oil & gas, power, distribution and aluminium. From checking temperatures and water levels to managing physical infrastructure, these automated systems and communications technologies have helped the industry to run more efficiently.
Don Codling, former Cyber Security Chief and 23-year veteran of the Federal Bureau of Investigation (FBI), says: “All the systems we use now were originally developed and designed largely without security in mind. The people who came up with the Internet protocols could never have anticipated that a tool to connect research laboratories would become so ubiquitous in daily life.
“They couldn’t have foreseen that someone with malicious intent would use that tool to bring down power plants or refineries. If I had to develop and design something today, I will always use encryption instead of open protocol.”
Codling was one of the keynote speakers at IQPC’s Cyber Security for Energy and Utilities Summit in Abu Dhabi a few months ago.
He continues: “In any conflict, you will see that the enemy always targets infrastructure. In the past, you had weapons of destruction; today, you have the Internet.”
Codling believes that officials responsible for critical infrastructure protection in the region understand the nature of the problem because societal and economic progress of a nation is underpinned by solid infrastructure.
“It usually takes a disaster to remind us how important infrastructure is to our society and our way of life,” he says. “The most important thing is to have the leadership of the individual sectors understand this is a concern.”
For example, in the US, following a presidential directive, critical infrastructure owners and operators established sector-specific Information Sharing and Analysis Centres (ISACs) that share information about threats and vulnerabilities pertaining to their respective sectors. Most ISACs have 24/7 threat warning and incident reporting capabilities, which are essential to protecting critical infrastructure successfully.
The US Department of Homeland Security has established the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to reduce risks within and across all critical infrastructure sectors.
“ISACs and ICS-CERT have been successful because they are backed by legislation, presidential directives and a national consensus,” says Codling. “They provide a platform for subject matter experts from the public and private sectors to come together and talk to each other.”
Such best practices are making their way into the region as well. For example, the UAE is working on legislation that will require operators of critical infrastructure to implement security systems. In June, Kuwait Petroleum Corporation (KPC) organised Kuwait’s first ever industrial automation and control systems cyber security conference, focussing on cyber security threats to ICS in oil & gas, petrochemical and power plants.
Senior IT Engineer at Kuwait Gulf Oil Company Abdullah Al-Akhawand cautions that cyber risks cannot be mitigated through technology alone. He elaborates: “It is not only the technology; it is also about behaviour, processes, practices, right certifications and putting in place governance and security policies that not only look at the enterprise side but also the control side.”
He also adds that cyber risk is a key topic at board level discussions and is considered as part of the IT risk landscape.
From a risk mitigation standpoint, insurance companies like Marsh are coming out with specialised cyber insurance products to help energy companies develop and implement more comprehensive risk mitigation and risk planning strategies.
Exclusion clauses in standard commercial insurance policies stipulate that cover will not be provided for bodily injury, property damage and business interruption arising from a hacking event. Marsh’s Cyber Gap Insurance closes this gap by indemnifying the insured in the event that indemnification under the normal property, business interruption or package policies is denied, solely due to the existence of any of these cyber risk exclusions.
Andrew Herring, Leader of Marsh’s Energy Practice in Europe, the Middle East and Africa (EMEA), says: “The disproportionate rate at which the (energy) sector is targeted means it may only be a matter of time before we experience catastrophic physical damage to facilities or disruption to supply as a result of a cyber-related event. Marsh’s Cyber Gap Insurance closes the gaps in existing coverage that have existed for over a decade.”
The nature of the threats and the significance of critical infrastructure to economic and social well-being mean that governments, more than anybody else, will have to take the lead, preferably through legislation, to persuade infrastructure operators to adopt rigorous risk management practices commensurate with the threat at hand.
Equally important, critical infrastructure security solutions that are adopted by these operators should integrate both modern cyber security and traditional physical security to present a combined front.
Andrea Sorri, Director Business Development, Government, City Surveillance and Critical Infrastructure, Axis Communications on using IP surveillance to protect infrastructure
The protection of critical infrastructure from theft, breakdown and hostile activity is a challenging task. More and more organisations are looking to IP surveillance to protect their installations and guarantee safe, secure and uninterrupted operation.
Network video offers excellent possibilities for the operator of a plant to integrate security, safety and production control in one system. A central system combines the supervision of all processes, video surveillance, intrusion protection and access control, allowing security staff to reliably detect, verify and identify alarms – both from remote sites as well as from a centrally located control room.
When planning and designing a system for the surveillance and protection of critical infrastructure, choosing the right network cameras and where they should be placed is a good starting point, regardless of what other technologies are being used. For example, low light sensitive cameras and thermal cameras can be combined for better detection and verification of intruders.
Protecting long perimeters, monitoring entrances and exits and safeguarding potentially hazardous areas are some of the main concerns of the security manager. The protective measures need to be defined based on a risk and hazard analysis that also takes into account accuracy, affordability, maintenance, ease of customisation and integration of the security solution with other systems.
Breaking it down
For perimeter protection, many different technologies are available to detect an intruder, such as microwave, fibre-fence sensors, seismic sensors and radar alerts. Network cameras can be combined with these technologies to protect infrastructure.
In a typical setup, detection would be provided by network thermal cameras equipped with intelligent video analytics. A thermal camera works just as well in complete darkness as in daylight, and environmental disturbances like rain, fog, sun, foliage or small animals are kept to a minimum, thus influencing the intelligent algorithm as little as possible. In the case of an event being detected, the thermal cameras automatically trigger images from a PTZ dome camera that, thanks to HDTV image quality, permit the security manager to capture details of the situation. Was it an animal or leaves, or was it a human being trying to sabotage the system? This information is crucial when deciding what action to take and who to send out.
To ensure as much functionality as possible, each camera is independent and is able to provide information as long as it is connected to the IP infrastructure. In case of communication failure, the camera can record on an embedded SD-card for future analysis.
Pipelines and critical areas
Distribution systems are perhaps the most vulnerable parts of the supply chain and the costliest to protect. For example, pipelines transporting gas from remotely located exploration sites over vast unpopulated areas are very difficult to protect. Hence, remote supervision is a must. Information from the thermal camera, enhanced by images from a PTZ dome camera, provides enough detail for the operator to make the appropriate decisions.
Along with perimeter access, it is also important to control access and flow within critical areas. Being able to monitor exits during evacuation is important to ensure that nobody is left inside and potentially in danger. Network video linked to access control systems offers faster and more accurate access management facilitated by instant access to live or recorded video, sound and data.
Cameras with image-enhancing technology allow security managers to see what is happening even in low light; for example, emergency exit lights can be sufficient to provide details of the scene. Advanced capabilities include video and audio information connected to an access control system for an intercom, virtual gates, virtual fences, audio detection and counting people going in and out of the facility. In case of obstruction by environmental factors such as fog or smoke, thermal cameras can be used.
Apart from safety and security, integrating the camera system into the production system can help in monitoring production efficiency, visually inspecting and verifying functions and processes, and providing remote assistance with planned maintenance. It also helps ensure safety rules and processes are being followed, and tools and equipment are being managed properly.
It is important to work with open standards and protocols in order to facilitate the integration of systems, enabling manufacturers to integrate the various production components into one management system. For example, SCADA systems can integrate network video to provide information on temperature, pressure and speed meters. Or, if you have a control room in a facility where you control the pumping station, live images of sensors can provide visual confirmation in addition to data.
A network video system is especially useful to critical infrastructure operators since it allows them to be present virtually anywhere. Whenever there is the need to involve third parties such as the police, fire services or government bodies, a network video system not only helps with the fast detection and evaluation of the situation, it also allows two-way communication for security managers, encouraging cooperation among different entities and agencies.
Shadi Bakhour, General Manager, Canon Emirates on securing critical infrastructure through document security
Increased threats and security breach incidents are fuelling investments in IT security solutions, with organisations now adopting predictive rather than reactive strategies when it comes to protecting business infrastructure.
Printers have become very advanced due to their operating systems, internal hard disks, CPUs and network capabilities, yet many companies still do not consider them as a main security threat.
Common security threats for printers include document theft, unauthorised access, saved copies on internal storage, hacking and network sniffing. Then there are the risks associated with unsecured printers and multi-functional printers (MFP).
In addition, the complexity of mixed printer fleets can introduce greater risk, and companies should conduct a security assessment of the print environment to uncover any weaknesses. Ideally, a print security strategy should be integrated with an overall information security approach. Solutions like Canon’s Managed Print Solutions (MPS) would drive the adoption of print security and ensure seamless interactions between machines without compromising on quality or efficiency.
The right questions
In order to understand how best to go about adopting an MPS and how to maximise its effectiveness, buyers should ask the following:
• Who do I need to speak to from the senior management to implement MPS and how do I communicate the benefits to my colleagues?
• What are my ‘day one’ costs and how do I ensure MPS providers use my cost model?
• How do I create an output strategy that meets my organisation’s needs?
• What deliverables should I include in my service level agreement with my MPS provider?
• How do I incorporate security and compliance in a workplace where people share devices and occasionally travel with them for business purposes?
Today, with the increase of personal devices inside the enterprise, it has become impossible to continue with only device specific security functions. It is now possible for data to be shared beyond an organisation’s secure cloud or company network. Organisations need to consider integrated hardware and software solutions that create an information centric approach to ensuring document security.
Document control and rights management is crucial when dealing with sensitive content. I am sure that it will be on par with cybersecurity soon as the solutions for the two issues often complement each other.