Secure, well-protected SCADA systems are critical to E&P companies. Without this protection, cyberattacks can cause serious accidents and destruction at facilities and in the surrounding area.

A "defense-in-depth" approach to network security provides the most comprehensive protection against malware threats and other forms of cybercrime. Security architectures with multiple layers of protection from multiple vendors provide the best protection, especially when deployed at multiple levels in the network.

Likewise, a multilayer endpoint management strategy combining antivirus, patch and remediation, and application and device controls provides the most comprehensive protection at network end points.

Security professionals at E&P companies should continuously review their organization's security implementations to identify areas of vulnerability and implement defense-in-depth network strategies appropriately to ensure that the organization's network resources are adequately protected.

Evolution of SCADA for E&P

A wide range of energy companies use SCADA systems to control and manage oil and gas facilities and related infrastructure. The critical infrastructure that SCADA systems control includes physical and IT assets, networks, and services that, if disrupted or destroyed, could seriously affect the health, security, and economic wellbeing of both the people near the facility and the country at large.

SCADA systems have evolved significantly. E&P companies have recognized the lower costs, simpler accessibility, and improved efficiency gained by connecting SCADA systems to an IP-based network, and today's SCADA systems are tightly integrated with corporate networks and the Internet. Several factors have contributed to the increased exposure of SCADA control systems:

  • Technical information availability. Public information about infrastructure and control systems is available to potential hackers and intruders. Design and maintenance documents and technical standards for critical systems can be found easily on the Internet, threatening overall security.
  • Vulnerable remote connections. Connections that may be unreliable or insecure, such as VPNs and wireless networks, are used for remote diagnostics, maintenance, and examination of system status.
  • Networking of control systems. Organizations have increased connectivity by integrating control systems with enterprise networks. A breach at any point in the network exposes all the information on it (SCADA-related data, emails, corporate information, etc.) to intruders.

Ensuring cybersecurity in control systems can seem like a daunting task, since it requires cooperation and commitment from the entire organization. Upper management must recognize the numerous benefits of a secure SCADA system.

These advantages include ensuring system uptime, reliability, availability, and safety to both the facility and surrounding area. A secure system protects the company, its vendors, systems integrators, customers, and others who interact with the SCADA system.

To provide maximum protection for critical SCADA data assets, IT teams at E&P companies should deploy a defense-in-depth security approach that includes multiple layers of protection to recognize and thwart cyberattacks.

[Illustration: a strategy to protect SCADA systems from cyberattacks]

A well-devised defense-in-depth strategy is effective in protecting SCADA systems from cyberattacks. (Illustration courtesy of Norman)

Defense-in-depth in modern networks

The basic premise of defense in depth is a layered approach to network security: one or more layers of protection at network boundaries (firewalls, antivirus/malware appliances, and intrusion prevention devices) plus additional layers of protection at the individual workstations or end points. This strategy is most effective when it uses multiple distinct defense mechanisms, such as antivirus products from more than one vendor, so that any gap in one vendor's solution is covered by the other vendor's solution.

Network-level security

The first level of security to consider when implementing a defense-in-depth strategy is the network level. Proper attention to security at the network level covers two areas:

  • Network perimeter. The network perimeter or edge is where Internet traffic enters and exits an organization's network. Various types of protection can be deployed, including malware protection, spam filtering, content filtering, network firewalls, and intrusion detection and prevention.
  • Segmented networks. Large internal networks often are organized into groups of smaller networks. This topology reduces congestion and improves performance by reducing the traffic flowing through any one segment, and, from a security standpoint, limits how far an intrusion in one segment can spread to the others.

Endpoint-level security

An effective security infrastructure must protect all network end points (servers, workstations, etc.) from cyberattack. The accepted way to protect these network resources is by installing antivirus software and enabling a firewall at each end point.

Antivirus software is used to prevent, detect, and remove malware (including computer viruses, computer worms, trojan horses, spyware, and adware). There are a number of strategies that can be employed by an antivirus solution:

  • Signature-based detection. This strategy searches for known patterns of data within executable code. These patterns are updated regularly by the antivirus company's research team, so it is critical that all end points running antivirus software receive updated signature files regularly.
  • Heuristic detection. This form of detection identifies new malware for which no signature is known. The antivirus software identifies new viruses or variants of existing viruses by looking for patterns similar to those of known malicious code, or slight variations of such code.
  • Sandbox detection and analysis. Sandbox solutions execute unknown files in a protected environment and analyze the results of that execution to see whether the files trigger any malicious actions in the host environment. This strategy can identify new and undiscovered malicious code that passes through signature-based and heuristic detection undetected.

All antivirus solutions provide some level of protection for network end points, but the best antivirus solutions combine all three techniques to protect end points from infection.

Antivirus endpoint protection is not enough

Antivirus software is a critical component of endpoint security, and IT teams must ensure that it is installed on every server and workstation on their networks. End points with outdated virus definition files are a security risk, so procedures should be put in place to ensure that all end points are updated regularly with new virus definition files. Two further layers of endpoint control complement antivirus software:

  • Patch and remediation software. More than 90% of cyberattacks exploit known security flaws for which remediation is available. For network end points to be completely secure, security personnel also must know what software is installed and operating on each end point.
  • Application and device-control software. One aspect of endpoint security that is often ignored is application usage. By implementing a "whitelist" approach to managing application usage, security personnel can define what devices and applications are permitted on the network through user and/or machine-specific policy rules. Solutions like the Norman SCADA Protection system protect against cyberattacks from malware such as trojans, worms, and viruses that can cause millions of dollars of damage and disruption to production and services delivery. These types of solutions are a critical component of a defense-in-depth strategy.
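The endpoint checks described above (current antivirus signatures, known and patched software, and an application allow-list enforced by machine-specific policy) can be audited automatically. The following Python script is an added example, not code from the article or from Norman; the endpoint inventory, role names, allow-lists and patch identifier are constructed placeholders.

```python
from datetime import date, timedelta

# Constructed sample inventory (placeholder hosts): what each SCADA endpoint reports.
ENDPOINTS = [
    {"host": "hmi-01", "role": "hmi", "sig_date": "2024-05-01",
     "installed": {"scada-hmi"}, "missing_patches": []},
    {"host": "eng-ws-02", "role": "engineering", "sig_date": "2024-04-10",
     "installed": {"scada-hmi", "plc-programmer", "media-player"},
     "missing_patches": ["PATCH-PLACEHOLDER-1"]},
]

# Allow-list policy per machine role (assumed roles): only these applications may run.
ALLOWLIST = {
    "hmi": {"scada-hmi"},
    "engineering": {"scada-hmi", "plc-programmer", "pdf-reader"},
}

# Maximum acceptable age of antivirus signature files (assumed policy value).
MAX_SIG_AGE = timedelta(days=7)


def audit_endpoint(ep, today):
    """Return the list of findings for one endpoint; an empty list means compliant."""
    findings = []
    sig_age = today - date.fromisoformat(ep["sig_date"])
    if sig_age > MAX_SIG_AGE:
        findings.append(f"stale antivirus signatures ({sig_age.days} days old)")
    if ep["missing_patches"]:
        findings.append("missing patches: " + ", ".join(ep["missing_patches"]))
    # Anything installed that the role's allow-list does not permit is a finding;
    # an unknown role gets an empty allow-list, so every application is flagged.
    disallowed = ep["installed"] - ALLOWLIST.get(ep["role"], set())
    if disallowed:
        findings.append("applications outside allow-list: " + ", ".join(sorted(disallowed)))
    return findings


def audit_report(endpoints=ENDPOINTS, today_iso="2024-05-03"):
    """Map each host to its findings as of the given (constructed) audit date."""
    today = date.fromisoformat(today_iso)
    return {ep["host"]: audit_endpoint(ep, today) for ep in endpoints}


if __name__ == "__main__":
    for host, findings in audit_report().items():
        print(host, "OK" if not findings else "; ".join(findings))
```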