Refuting urban legends of the energy sector

It would be impolite not to express heartfelt thanks to the reporter who wrote the original article upon which this is based. Seldom can the energy sector respond to so many inaccuracies in one venue!

(Before you get too far in, make sure you read the first part of this story.)

The article provides some apparent intelligence information, “The Coast Guard has received several reports that foreign ships attempted to probe the wireless networks of industrial facilities along U.S. waterways, federal authorities say. Homeland Security, which oversees the Coast Guard, declined to confirm details of any operation and intelligence but acknowledged a growing effort to protect oil, gas and chemical systems from hacking.”

Wow. That sounds scary, right up to the point where you understand there’s no data backing up that statement. Could it be the Chinese looking for vulnerabilities in our ports. Sure! It might also be your cousin Eddie is coming home on a cruise ship and trying to get a free wi-fi signal. Is every external contact counted as an attempt to probe the network, or just those attributed to potential threats? No information. Even an actual scanning attempt using an ICS-finding engine like SHODAN is not an indication of evil intent.  

Technology is great at telling us how our networks are being scanned, but the technology will require integration with good, old-fashioned Human Intelligence (HUMINT) to determine why.

Antique road show

Kudos to the media for their next thought: “…many oil and gas facilities still use networks run by Windows XP, a 2003 system that Microsoft no longer updates, according to federal authorities and cyber security consultants. Others use even earlier versions of the Windows operating system from the 1990s; in rare cases, a few still use MS-DOS, the precursor to Windows.”

Guilty. And it’s completely upon us in the energy sector to fix this. But when you say “many,” is that a majority? More than two? What do these systems control? Perhaps door locks, payroll, or something critical, e.g., ICS? Context, like words matters.

“More often than not,” Edwards said, “we find that there have been corners cut or they haven’t taken a hard look at security when they designed those networks.” Who is to blame here? Even more likely is the failure of the software and hardware industry to use parallel security and software processing in the development of code and systems. Until very, very recently, security was an afterthought.

In an immediate reversal of that line of thinking, the article says, “Some companies have begun to install firewalls, anti-virus and anti-malware programs, and require stricter security measures from equipment manufacturers, among other improvements, cyber security consultants said.”

That’s right; industry can no longer accept software and hardware lacking security features. For some time now, compelled by the energy sector and supported by many government agencies, manufacturers are incorporating security from the earliest stages of concept. The energy sector is voting with their checkbooks, selecting vendors that have already considered and implemented security in new devices.

If you make 10,000 regulations…

“Strict cybersecurity regulations govern power, chemical and nuclear facilities, but no federal laws impose such standards in the oil and gas industry,” states the article. This is a split thought and misleading. The energy sector has strict cybersecurity regulations – oil and gas companies are free to develop those that work best for them. Do either of these approaches always succeed? No. Neither does the cybersecurity at the NSA (ask that traitorous little punk hiding in Russia).

The energy sector was early to realize that no one can legislate cybersecurity. Regulation often acts as a ceiling to cybersecurity innovation and deployment, whereas the process of security establishes a baseline without boundaries. Unless you can give me specifics on who, from where, will use exactly what code on exactly what device, and predict on what date it will happen – regulation and legislation won’t work. Did I say this already? You can’t legislate cybersecurity.

Not your business 

“When oil and gas companies have been infiltrated by a hacker, they aren’t required to report the incident. And if they turn to federal authorities for help, the specifics are typically kept secret because companies disclose information in exchange for anonymity and discretion.” That’s right in some respects; so I hope that statement was meant to be positive.

Anonymity and protection of proprietary and personal information is mandated by the Cybersecurity Information Sharing Act (CISA), 2015. Here’s the gist of the federal act:

“The Act promotes the goal of sharing while simultaneously providing privacy protections in two ways: first, by specifying the types of cyber threat information that can be shared under the Act between and among non-federal and federal entities; and, second, by limiting sharing under the Act only to those circumstances in which such information is necessary to describe or identify threats to information and information systems.”

The article makes a most insightful comment when it states: “Most companies are loath to talk publicly about the security of computer systems and industrial controls for fear of providing information that could be used to exploit their operations.” Yes. They are loath to talk publicly. Why? The energy sector is smart enough not to publish our game plan and make the adversary’s job easier. If only the media would take the hint… “Stop outing our protective measures.”

Loose lips sink ships

So do we, in the sector, disclose any information at all? “More than 20 of the nation’s largest oil companies, including Exxon Mobil Corp. and ConocoPhillips, refiners Phillips 66 and Valero, service companies Halliburton and Baker Hughes, and pipeline operators Kinder Morgan and Enterprise Products Partners, declined to comment or did not respond to multiple requests for comment. The American Petroleum Institute, the national trade association of oil and gas, declined comment as well.”

Sounds pretty tight-lipped, huh? Good. Our specific protections, defenses, and practices may be somebody else’s concern, but it’s not their business.

The gas sector won’t play with us

“The Department of Energy has developed a model of best practices while trade groups such as the American Petroleum Institute have adopted industry standards, but none is mandatory.” While not mandatory, the gas sub-sector has voluntarily complied with the Transportation Safety Administration’s gas pipeline standard for years, and regularly coordinates through government-private sector security councils and meetings.  

Overall, the energy sector complies with the Department of Energy’s Cybersecurity Capability Maturity Model (C2M2). C2M2 has a generalized version as well as two separate versions for both Electric and Oil&Natural Gas. All three support, as well as measure, adoption of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The gas sub-sector doesn’t need to be hit over the head with regulation, we voluntarily comply as well as constantly develop greater capability hand-in-hand with the U.S. government.

A global problem

Captioning a photo was, “With a refinery that could be vulnerable to hackers behind it, a ship navigates through Buffalo Bayou heading to the Houston Ship Channel earlier this year.” Ironically, it’s the most important (of the systems) but the least secure,” said Joe Weiss, managing director of the international cybersecurity standards body ISA99.

Could.  A refinery that “could” be vulnerable. A ship that could be vulnerable. Lights across town, connected to a smart grid that “could” be vulnerable. And the reporter’s smartphone “could” be vulnerable. It’s all vulnerable. It’s not because of or in spite of anything being done by the energy sector. Why tie it to us?

In the same vein, “Cyber criminals have tried to steal money by sending employees fake invoices,” reports the article. “Other hackers lured workers to download malicious software designed to lock people out of computers or other devices until they pay a ransom.” None of this is unique to energy. Ask hospitals, homeowners, municipalities, police departments, schools…

Who’s the baddest kid on the cyber block?

Phillip Quade, the former chief of the NSA’s cyber task force, said the threat is more than theoretical, pointing to two viruses launched at energy operations: Stuxnet, which damaged thousands of centrifuges at an Iranian nuclear facility in 2010, and Shamoon, which wiped out computer files in Saudi Arabian oil and gas facilities two years later.  

True, and chilling. Of course, the Stuxnet virus generally is attributed to the United States and was used as a weapon against Iran, while Shamoon is thought by many to be retaliation by the Iranians. The major player — capable of doing the most damage to an energy sector target — is us, the United States.

Train like you fight

The energy sector continues to conduct international, interagency, week-long exercises to practice defending the U.S. energy grid. A quick web search will reveal endless conferences, training sessions, and collaboration efforts with multiple government agencies. Internal safeguards like anti-phishing training programs, cybersecurity operations centers, and sharing through the ISACS create strong, credible, and flexible defenses for the energy sector.

Myth. Busted.

It is unfair and completely incorrect to paint our sector with every cyber threat known to man and call us “vulnerable.” Electricity, oil, and natural gas work together with our government partners and with each other 24/7. If you’re reading this article by artificial light, in the comfort of your air conditioned or heated home, then we’re doing our job. You’re welcome, media.