• ISA subject-matter expert delivers cybersecurity presentation in Trinidad

    Steve Mustard discusses his recent presentation in Caribbean nation, provides key insights on the challenges and importance of industrial cybersecurity

    Steve Mustard

    Steve Mustard

    While in Trinidad last month meeting with a major oil and gas client on a cybersecurity assessment, Steve Mustard—an ISA99 Security Standards Committee member and an important contributor to the development of the ISA99/IEC 62443 industrial cybersecurity standards—took the time to deliver a cybersecurity presentation to members and guests of the ISA Section of Trinidad.

    An article, providing coverage of the presentation, appeared in Tech News T&T, a website that covers technology trends and news in Trinidad and Tobago. The twin island country, located off the northern edge of South America, is home to significant petroleum and petrochemical operations.

    Recently, Mustard, an ISA Certified Automation Professional® who works as an automation consultant, discussed the presentation and participated in a question-and-answer section with ISA Insights to lend his perspectives on the key issues and latest challenges relating to industrial cybersecurity.

    “I was in Trinidad visiting one of my client’s onshore and offshore facilities when Clint Khan—a Principal C&I Engineer with BG Group who serves as chair of the ISA Section in Trinidad—asked if I could deliver a talk, and I was happy to do it,” says Mustard, a UK registered Chartered Engineer and European registered Eur Ing with extensive development and management experience in real-time embedded equipment and automation systems.

    His hour-long presentation outlined the significant risks of cyberattack on industrial automation control systems (IACS) and supervisory control and data acquisition (SCADA) networks, which are greatly relied upon by oil and gas companies and other core critical infrastructure operators. 

    “It’s essential that we expand awareness for the need of industrial cybersecurity throughout all parts of the world,” Mustard says. “While the technical issues may be similar throughout the globe, there are often operational and cultural differences among producers in different countries that can influence risk levels.”

    He says that he came away from the visit and presentation with the impression that “there is reasonably good awareness of the ISA99/IEC62443 standards in Trinidad, but that greater emphasis needs to be placed on implementing the standards in day-to-day practice.”

    -----------------

    To help ISA members and other automation professionals improve their awareness of some of the pivotal issues relating to industrial cyberattack and cybersecurity, Mustard participated in the following Q&A exchange.

    ISA Insights Q.: What, in your opinion, are some of the key challenges out there that companies or owners/operators of critical infrastructure are not aware of/prepared for? Is it poorly configured/maintained firewalls, poorly trained or uninformed internal users and contractors, or something else?

    A. [Mustard]: I believe training and culture are the two biggest problems. Whereas safety is well understood in these environments, and no one would think of not following the correct safety procedures, they rarely consider security. This is partly because the facilities are usually so remote (i.e. 50 miles offshore) and/or appear to be secure (it is not possible to just walk into an offshore or onshore facility without having the appropriate clearance) and also because there is little or no experience of cybersecurity-related incidents (whereas there is usually some direct or anecdotal experience of safety-related incidents.). The next problem is the very significant reliance on third parties to install and support IACS equipment. This creates two issues: in-house staff often lack complete understanding of equipment needed to provide reliable on-site support and there is a continuous flow of third party staff in facilities. Although security is generally tight in these facilities, there is a lot of reliance on third parties to ensure their own staff are correctly vetted, and third parties may not be as thorough as owners and operators. Furthermore, third-party employees will have their own computers and removable media. The owner/operator may rely on the third party to scan their devices for malware before they are connected to the IACS equipment, but there is no guarantee that this is the case.

    -----------------

    ISA Insights Q.:  Is it still true that a USB flash drive or other USB device is one of the more common ways a virus can affect an industrial network? 

    A. [Mustard]: Yes, very much so. There are a number of factors at play. Many (or even most) IACS equipment runs without anti-virus software. Rarely is the equipment "security hardened” and very often default accounts/passwords are either hardcoded or not removed/changed before go-live. Finally the operating systems and applications are often not patched at all or if they are, they are not patched regularly. This creates a whole host of vulnerabilities that can be exploited by malware. While most standards recommend the elimination of USB removable media devices and that all ports be locked down, this is rarely the case. Since machines are usually not connected to the Internet, removable media is often the only way to transfer files. And while IT policies might enforce virus scanning of such devices before and after use, this often does not get enforced in IACS environments. I heard recently anecdotally that a major oil and gas company detected the Stuxnet virus on its networks, and was found to have originated from an infected USB drive. This company has relatively good cybersecurity controls in place so you can imagine how easily this can happen in other organizations that have not yet grasped the importance of cybersecurity.

    -----------------

    ISA Insights Q.:  It seems that we can’t prevent industrial cyberattack from occurring, but we can limit the damage through adequate standards and being prepared. In your opinion, what is the likelihood of a successful cyberattack occurring either in the US or somewhere else in the world that will cause MAJOR economic and possibly environmental damage sometime in the near future?

    A. [Mustard]: There have been many incidents in the past 10-15 years that can be traced back to insufficient cybersecurity measures.  The Olympic pipeline explosion in Washington State, USA that killed three and caused widespread environmental damage was not a deliberate attack, but it would likely have been avoided by application of the most basic cybersecurity controls. The Maroochyshire incident in Queensland, Australia resulted in widespread environmental damage. It was the result of a deliberate attack by a disgruntled former contractor exploiting a number of vulnerabilities in his former company, the end user organization and their SCADA system. Those two incidents happened a long time ago and yet we still see the same root causes in place today. Only two weeks ago the NSA (National Security Agency) reported that China is capable of shutting down the US power grid and there was widespread surprise that this was possible. This report is no surprise to anyone in the IACS security business. The Repository of Industrial Security Incidents (RISI) (http://www.securityincidents.org) keeps track of IACS cybersecurity incidents. There are many every year, most of which escape public notice and it is widely believed that there are many more which are never reported. The RISI analysis shows time and again that these incidents are generally the result of the same basic cybersecurity control failures.  It is often only the presence of external failsafe and protection mechanisms that these incidents do not lead to more catastrophic consequences. Many use these protection mechanisms to argue that the concern over the consequences of cybersecurity risks is exaggerated, and yet incidents such as Deepwater Horizon should teach us that these protection mechanisms can and do fail.

    -----------------

    ISA Insights Q.:  Do you have any other comments or points relating to industrial cybersecurity that you feel ISA members and other automation professionals should be aware of?

    A. [Mustard]: Everywhere I go I see the same issues, so this is not a company-by-company issue but an “industry culture” issue. So much work has been done in the IT world on security that many believe they have mitigated the risk. Most security experts at the NIST (National Institute of Standards and Technology) Cybersecurity Framework meetings could not understand why we were still discussing the most basic security controls, but yet a visit to almost any critical infrastructure facility will soon reveal that while there may be established policies and procedures in place, they are not properly embedded into the operational culture in the same way as safety. Too many owner/operators I meet believe that because they have not seen a cybersecurity-based incident themselves that it will never happen. This sort of complacency is why there will be a major incident.

    -----------------

    Editor’s Note: Earlier this year, NIST, an agency of the US Department of Commerce, released the “Framework for Improving Critical Infrastructure Cybersecurity,” a set of voluntary guidelines that provides industry with a risk-based approach for developing and improving cybersecurity programs.

    To gain a better understanding of the Framework and how it can strengthen IACS cyberdefenses, you’re encouraged to read the article Mustard wrote for the February 2014 issue of Power Magazine: “NIST Cybersecurity Framework Aims to Improve Critical Infrastructure.”