Oil and gas cybersecurity: Penetration testing techniques

Cybersecurity means much more than protecting data. Threats to Operational Technology (OT) systems can cause production stoppages, a decrease in product quality or even destruction of infrastructure. What do oil and gas executives need to understand about protecting their operational assets from cyber attacks?

Oil and gas company executives today recognize that cybersecurity — the protection of data and intellectual property from organized attacks or individual hackers — is a critical component of risk management. Most oil and gas dollars to manage security on their information networks.

But who is responsible for ensuring that the company’s control systems are safe from cyber attack? Industrial automation and control systems such as SCADA (supervisory control and data acquisition) or DCS (Distributed Control System) — often referred to as Operational Technology (OT) — are used to monitor and control physical processes in the oil and gas industry. Their role is the acquisition of data coming from processes (temperatures, pressures, valve positions, tank levels, human operators and the direct control of electric, mechanical, hydraulic or pneumatic actuators. Is your company making certain that these mission-critical systems are protected properly?

In the past, most OT networks were isolated (air-gapped) from the internet independently, using proprietary hardware, software and communications protocols. But in recent years, demand for business insight, requirements for remote network access and the spread of hardware and software from traditional IT (e.g., TCP/IP networking, Windows-based platforms) caused many oil and gas companies to integrate control systems and their enterprise IT systems. That greater serious risk — it introduces IT vulnerabilities to the world of OT and provides possible network and gain control of OT systems.

Cyber crime itself has changed in recent years. Today, there are sophisticated networks of highly skilled “hacktivists” who are not interested in stealing data; they want to create highly visible incidents that embarrass or harm companies involved in the oil and gas industry. Taking control of a company’s OT and disrupting operations is one way to do that.

OT security than many oil and gas companies are currently taking. Operational technology systems — once the purview of a separate technical department — now demand in-depth, ongoing attention includes regular reviews of the OT environment and supporting techniques, and analysis of remote access management tools. In addition, the security of each component of the network architecture must be tested regularly, from the applications used to respond to controls.

This type of testing — called “penetration testing” — is done regularly on the information technology side of most companies’ networks. It is designed to mimic the techniques and methodology used by sophisticated attackers who are intent on gaining access to the network. Penetration testing on OT networks is less common, but it works the same way — by identifying and validating gaps in security processes and tools that enable network security professionals to understand how attackers can use those vulnerabilities to alter or disrupt operations. Armed with that knowledge, companies can then take appropriate steps to prevent an attack, just as they currently do in the IT arena.

Ongoing threats and attacks challenge a company’s business assets and the availability of their critical systems and data. EY’s attack and probable. and penetration methodology provides a “real life” test of and systems vulnerabilities. Our testing methodology emphasizes manual testing techniques and vulnerability linkage, making EY different from other security vendors and providing more value to you.

[Figure labels: Identify risk; Assess risk; Findings and recommendations; Remediation and change; Infrastructure; People; Applications]

Why the hesitancy to test?

Given the importance of penetration testing to OT security, why doesn’t it happen more often? Unlike IT systems, which can be shut down at certain times for testing without major consequences, OT is necessary around the clock, every single day. One reason is losses in revenue. More importantly, however, disruptions at create major safety and environmental issues. The fear of such a disruption during testing is a major factor in many companies’ hesitancy to test.

Additionally, as OT networks were not networked with business IT networks and, in turn, with the internet, there was little need to test until recently. Thus, many companies have no standard protocol or policy for testing and are reluctant to implement a new program — or unaware that it is necessary.

Oil and gas case study

The client is a major oil company, with upstream, midstream and downstream operations across North America, with sites in Canada Technology and Process Control devices.

Objective

The client asked EY to advise on adjusting their OT systems, network architecture and OT security management processes and based sites. The client wanted to ensure their systems complied with internally developed formal standards.

Methodology

• EY leveraged its global resources and constructed a team consisting of OT Architects from EY’s Global OT Advisory Center penetration testers from the US.

How EY helped

• We provided the client with an in-depth view of site compliance with internal OT standards through comprehensive current state assessments.
• noncompliance within the client’s OT environment and provided a together with their potential consequences.
• relevant to the client and their board.
• client could proceed toward getting the site’s OT environment from the current state, to the desired state according to the standards used.
• A wide range of systems were in scope, including pipeline monitoring and control systems, DCS systems, Safety Information Systems, SCADA systems, RTU systems, PLCs, HVAC systems and UPS systems.
• The compliance project was conducted in two streams:
  • On-site reviews and interviews with technical personnel
  • Penetration testing

Meaningful testing is possible

Despite the issues involved, it is possible to conduct meaningful penetration testing on OT networks, delivering results that can be used to design and implement necessary remediation, without creating operational problems.

To ensure you get value from penetration testing of OT, proper planning is key. We will work closely with your technical personnel to actual physical processes. essential between the control system support engineers and the individuals conducting the actual test.

A multidisciplinary test planning team that includes operations These planning sessions provide opportunities for support engineers to ask questions concerning the testing process, such as the methodology to be used and planned precautions to maintain the operational integrity of production systems. They also allow penetration testers to gain a clear understanding of the implications of testing within an OT environment.

A major focus of pre-test planning should be identifying testing activities that could disrupt critical servers. These activities must testing process must take precedence over any testing objective.

Penetration testing: high-level approach

Phases: Discovery (begin the test), Vulnerability, Exploitation, Reporting

• Enumerate network
• Interrogate DNS
• Identify hosts
• Scan servers
• Retrieve information
• Assess vulnerabilities
• Validate issues
• Link vulnerabilities
• Perform attacks
• Escalate vulnerabilities
• Prioritize vulnerabilities
• Highlight suggested actions to be taken

Despite the issues involved, it is possible to conduct meaningful penetration testing on OT networks without creating operational problems, provided that the test itself is properly planned and tightly controlled.

Exploiting vulnerabilities safely

considered when determining the actual risk to the organization. denial of service activities — the team should carefully consider the appropriateness of performing the test. The gains from better understanding the vulnerability may not outweigh the potential adverse reaction that may result. Whenever possible, these types of

Understanding social engineering

IT and some OT attacks often involve non-technical methods, into divulging information, performing actions or unintentionally providing unauthorized access through the use of deception, coercion, fear or intimidation.

Social engineering methods include:

• Phishing — the use of bait such as fake emails, phone calls or websites, to trick employees into violating an organization’s security policy
• Physical access — gaining entrance into the facility itself and
• Portable media — the use of thumb drives and other tools to obtain unauthorized physical access to the network or introduce malicious code through authorized users

Including a social engineering element into a penetration test can help uncover gaps in security policies and procedures and identify weaknesses in personnel awareness training against such attacks. Social engineering also helps to enhance or complement technical activities during a penetration test and more closely resembles the array of activities and methods that would be used by an attacker.

Key questions to maximize testing

As the boundaries between OT and IT networks continue to blur, and increased convergence leads to higher risk of outside attacks, new security policies and systems must be implemented to ensure the safety of networks that control the oil and gas industry’s facility processes. Penetration testing should be used to identify control gaps and assist with quantifying risks to the OT environment in order to prioritize available security risks and improve the effectiveness of a well-rounded security program.

When preparing for a penetration test within an OT environment, consider the following:

1. What are the goals or expected outcome of the penetration test? to an organization, such as meeting regulatory compliance, obtaining upper management support for known issues, identifying gaps in state-of-the-art implementations and determining the effectiveness of intrusion detection capabilities. Identifying the goals of the penetration test in advance will help focus the test and provide the best value to your organization.

2. What are the top threats to the system? Understanding the motivation for an attack against your control systems will help to identify the most likely attack vectors and assist in discussions

3. How are your control systems accessible? Understanding how your control systems are connected (i.e., internet-facing applications, mobile applications, modem or VPN connectivity appropriate scope for the penetration test.

4. Who are the key players that should be involved in the test? Personnel within the organization that should be involved with the test should be carefully considered. Adequate support should be provided to ensure safety and to make sure the involvement from multiple departments may cause confusion with roles for the test or jeopardize the results of testing detection capabilities.

5. How should testing activities be communicated? roles during the test so that all parties know their individual responsibilities before each phase within the test and actions that should be taken for any contingencies that are determined before testing begins.

6. Should the testing take place against test or production systems? Penetration testing on production systems can limit the attack vectors and techniques employed during the test, which may produce results that do not adequately represent the security posture of the systems being tested. Whenever possible, penetration testing should be conducted against test or development systems so that potentially intrusive techniques can be used without jeopardizing safety.

7. Do test or development systems mirror production? a penetration test against test or development systems will provide a more thorough test; however, the results of the testing may not be valid if the systems being tested do not mirror the systems being used in production.

8. What information or access should be provided to the tester? testing have different advantages and disadvantages depending should be used to identify the access an outside attacker could knowledge at certain phases during the test to make sure test objectives are met within the time allocated for the test.

Conclusion

critical operational assets is recognizing and understanding the very real threat that OT networks face from cyber criminals. These attacks are part of an ongoing attempt by individuals and groups around the world — in some cases funded by other governments or government entities and nation-states — to disrupt the oil and gas

No company is immune from cyber attacks. Outside groups are constantly probing oil and gas company networks, looking for operations control networks and applications as it does for IT.

EY can assist oil and gas companies in protecting their OT networks and related operations assets through a systematic, well-structured and implement appropriate hardware/software tools so that your OT network is secure — and remains that way.

Contacts

For more information contact:

Ken Allan, +44 20 795 15769, kallan@uk.ey.com
+1 403 206 5100
Randall J Miller, +1 312 879 3536, randall.miller@ey.com
Matthew Morgan, +1 713 750 5206, matthew.morgan@ey.com
James Phillippe, +1 713 750 8610, james.phillippe@ey.com
Arnout Ratelband, +31 88 40 71010, arnout.ratelband@nl.ey.com
Miroslaw Ryba, +48225578721, miroslaw.ryba@pl.ey.com
Paul van Kessel, +31 88 407 1271, paul.van.kessel@nl.ey.com

About EY

The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

How EY’s Global Oil & Gas Center can help your business

The oil and gas sector is constantly changing. Increasingly uncertain energy all present significant challenges. EY’s Global Oil & Gas Center supports a across the upstream, midstream, downstream and oilfield service sub- of our global resources and articulate points of view on relevant key sector issues. With our deep sector focus, we can help your organization drive down costs and compete more effectively.

© 2014 EYGM Limited. All Rights Reserved.
SCORE No. DW0307
WR No. 1405-1259913
ED None

This material has been prepared for general informational purposes only and is not intended to specific advice.

ey.com/oilandgas
