Operational Visibility Boosts Cyber Security for Midstream Operators

Operational Visibility Boosts Cyber Security for Midstream Operators

This article was updated on August 5, 2019.

Companies operating in the midstream oil and gas market face significant challenges in securing their infrastructure.

Pipelines, for example, cover huge distances over rural landscapes and can have a thousand producers utilizing each one. Plus, custody transfer points use equipment owned by different companies with different security practices.

Until recently, a pipeline operator had to trust that their customers had robust security policies for the equipment connected to their line.

The first step to taking charge of industrial cyber security risk is to know what technology, devices and networks are running on your pipeline system. Once that information is available, operators then need to be able to see and understand what is happening, especially any changes, in real-time.

Let’s look at some real-world scenarios that demonstrate how a real-time visibility and cyber security solution makes sense of pipeline infrastructure, and monitors it for cyber threats.

An Undetected Cyberattack Impacts Flow Values and Stock Prices

To understand the challenges of securing midstream oil and gas operations, consider a scenario that occurred just over ten years ago. A multi-use pipeline that transported oil and gas through North America was having allocation issues related to the volume of production reaching a refinery.

Staff at the refinery would say to producers “whatever you’re reporting was not what we metered, and we are not going to pay for that.” As the companies involved were public, the discrepancies had to be reported. The news had a negative impact on their stock prices.

The allocation problems triggered a deep investigation that showed while each allocation issue was relatively small, over time they added up, and had a significant impact on production volume. Furthermore, interesting patterns were revealed that were not random.

Eventually, the cause of the problem was identified as planned manipulation of the real production values by a foreign entity. They were able to access the pipeline system because a vendor that installed flow computers did not change the default passwords, and the machines were accessible on the Internet.

The pipeline organization didn’t know they had devices connected to the Internet, or that flow values were being manipulated.  

The lack of operational visibility led to a significant cyberattack going undetected for a long time, and lowered share prices for multiple organizations. Meanwhile, the threat actor made significant financial gains by shorting stock.

New Solutions That Provide Real-time Visibility Are Key to Cyber Security

Today there are easy-to-deploy OT security solutions that dramatically improve pipeline operational visibility, reliability and cyber security.

They function in a completely passive way, copying and analyzing network traffic without injecting any packets into the network. Most commonly deployed as network appliances, the solutions are attached to a SPAN or mirror port of a switch or router on the pipeline.

The application on the appliance observes network traffic and builds a model of the pipeline’s network and operational behavior, employing machine learning and artificial intelligence (AI) to deal with today’s complex systems.

There are two phases to the implementation of the network monitoring application, the learning phase, and then an operational protect mode. After installation, the application quickly learns the system, and then starts detecting changes that could indicate an operational or cyber security problem.

Benefits are immediately realized as operators start interacting with a real-time visualization of their network that shows assets, traffic throughput, TCP connections, the protocols used between nodes and zones, and much more.

Network Visualization Graph
Network Visualization GraphWithin minutes of deployment, an AI-powered real-time visibility solution displays the nodes of the industrial network in a live, interactive visualization. This interface improves situational awareness and speeds incident response and troubleshooting.

Real-World Scenario: Detecting Malware Present on the Industrial Network  

Let’s consider one of the top threat concerns of industrial organizations – malware that could steal information or possibly disrupt operations. Would your organization know if such malware is present on your industrial networks?

Many companies wouldn’t know. This was the case with a pipeline operator that ran a Proof of Concept (PoC) to test Nozomi Networks’ ICS visibility solution. Within minutes of connecting the appliance to its network, a malware alert was generated.

Alert Dashboard Showing Malware Detected
Alert Dashboard Showing Malware Detected - Within minutes of installation of a real-time visibility and cyber security solution, a malware alert was generated.

Within minutes of installation of the Nozomi Networks Guardian appliance, a malware alert for the Dragonfly 2.0 malware was generated.

The first thing the operator asked was “Is this a false positive?” But several factors indicated the finding was true:

  • The automation system in question had a history of being vulnerable.
  • The computer identified as having the malware was public facing to the Internet.
  • The computer in question was connected to the corporate network and the control system network.

All things considered, it seemed that the malware discovery was valid, but how could the operator be sure?

Drawing on guidance from our system engineer, the organization started to dig deeper. Fortunately, our monitoring solution had the data and tools to support further analysis. Further verification included:

Checking the quality of rules that generated the result. The rule that identified the Dragonfly malware was provided by the US-CERT Code Analysis Team, leading to confidence in the rule and the malware detection.

Look at the URLs captured by the rule. With the help of a powerful query tool, the operator saw that the captured URLs were suspect, adding to the proof that the malware discovery was valid.

With all signs pointing to a true detection of malware on the system, the immediate outcome of the PoC test was to trigger an incident response effort. The ICS visibility and cyber security solution not only identified the presence of malware, but provided forensic tools and data to speed analysis and response.

For more details on this scenario, see the White Paper available below.

Improving Pipeline Operational Visibility Improves Cyber Security Too

You need to see and know what you have before you can defend it.

Accurately documenting the network and asset infrastructure of a SCADA system like a long-distance pipeline used to be time-consuming and difficult, especially in terms of keeping it up-to-date. Now, thanks to technology advances, it’s easy to implement passive industrial network monitoring that automatically provides real-time network visualization and asset discovery.

And, the great thing is that the same solution can be used to provide early detection of both operational problems as well as cyber security incidents.

If you’re a midstream operator, you can benefit greatly from investigating network visibility, monitoring and cyber security solutions. Read the White Paper below to learn how easy they are to deploy and how quickly they boost visibility, operational reliability and oil and gas cyber security.