Damon Small is an oil and gas cybersecurity expert, and Technical Director and Security Consultant at NCC Group, one of the largest security consulting firms in the world. He has long advised corporations and spoken at industry events about potential vulnerabilities in critical installations, and how they offer openings to cybercriminal gangs. He is a founding member of the Operational Technology Cyber Security Alliance, with deep expertise in how to secure operational technologies, such as those that run oil and gas refineries.
On the latest energy cybersecurity developments (the new DHS/TSA cybersecurity requirements for critical pipeline owners, and the FBI and DHS security advisory about an attack on 23 US natural gas pipeline operators by Chinese state-sponsored hackers), Damon notes that:
- “In general the TSA and the DHS consider any infrastructure as 'critical' when it can impact the health and safety of large numbers of American Citizens.
- “The new directive signifies that the federal government recognises self-regulation can only provide so much protection to these infrastructures and that it can vary wildly.
- “There are many existing standards and regulations set forth that include financial sanctions and I have no doubt that the directive from the TSA will be no different.
- “Keep in mind that defence is harder than offence. When any company tries to protect information assets, they have to defend against ALL attacks and vulnerabilities; the adversary must successfully exploit but one.
- “It's not surprising that the attack on 23 US natural gas pipeline operators happened, nor is it surprising that this is the first we're hearing of the incidents. If an organisation is not compelled to disclose an incident, then they will choose not to.
- “Spear phishing and social engineering remain successful techniques on oil and gas as well as every other sector because they prey on the most vulnerable part of the technology stack – we humans that use that technology – or the “chair-keyboard interface,” as I like to call it. The best firewalls, anti-virus, patch management, and vulnerability assessment programs in the world won’t stop a bad guy if you invite them in.
- “The tactics, techniques and procedures (TTPs) used in these incidents were sophisticated because some of them involved malicious software that would have been advanced at the time, and infrastructures to support the phishing campaigns and command and control (C2) systems that allowed for unauthorised access once the victim had been compromised. Even back then, technical controls already existed to prevent phishing emails from having been received and to have prevented malicious software from executing properly. The wide success of the attacks suggests those controls were not implemented at all, not implemented properly, or were defeated by criminals.
- “What's missing from the Joint Cybersecurity Advisory released by the FBI and the DHS, and likely out-of-scope for such a publication, is HOW companies should implement the mitigations.
- “Asset management is another mitigation that the advisory misses. Asset inventory is mentioned several times in the mitigations section, but it's a bit buried. Let’s be clear – before an organisation does ANYTHING, they should take on asset management/inventory first. You cannot protect what you cannot see, and none of the recommendations will begin to approach 100% efficacy if there are blind spots within the network.”
Read the article online at: https://www.worldpipelines.com/equipment-and-safety/26072021/damon-small-ncc-group-reacts-to-us-cybersecurity-developments/