Foreword
The oil and gas industry has long been in the crosshairs of ICS/SCADA cyber security threats. These advanced automation networks, collectively known as operational technology (OT) networks, are used throughout the entire upstream and downstream operations lifecycle. Their extensive use significantly increases productivity, but it also adds an attack surface that threat actors can leverage to inflict material harm. Claroty was conceived to secure and optimize operational networks running critical processes, such as the multiple integrated OT systems that offshore drilling vessels rely upon. Claroty was therefore the ideal partner for a rig contractor that sought not only to comply with E&P contractual requirements, but to take a leading role in transforming the cyber security posture of its vessels.

Offshore Rigs Overview
Mobile Offshore Drilling Units (MODUs), used in the exploration and development of wells, are divided into jack-ups, which rest on the seabed in shallow water, and floaters (drillships and semisubmersibles) for mid- and deep-water drilling. A standard drillship or semisubmersible typically includes four major independent OT networks, each managed by an external contractor and differing from the others in the automation equipment and communication protocols used.

Security and Operational Challenges
The fragmentation and management of the floaters' OT networks cause the following structural security vulnerabilities:

- Remote access, required by the network contractors for maintenance activities, introduces a new attack surface. Compromising a privileged third-party account to gain an initial foothold on the network is a common attack vector that has been used numerous times in targeted attacks.
- The drilling ships' OT networks are not air-gapped. They are connected directly to the rig contractor's main IT network, which in turn is connected to the Internet.

It is clear that these structural vulnerabilities pose a significant risk. However, the rig contractor cannot soundly manage this risk, for two reasons:

- Each network is managed separately by its respective contractor, in a complete silo, so there is no unified view of all assets across the entire OT environment.
- From the technology perspective, traditional IT security monitoring products do not provide visibility into the full range of proprietary OT protocols used by the assets throughout the floater's networks.

Acknowledging these challenges, the rig contractor sought a solution that would give it visibility into, and control over, its OT networks, and better address the safety and operational risks it is accountable for.
Deployment Process - Network Infrastructure Assessment
The Claroty platform can be deployed on top of any networking infrastructure. However, Claroty's recommended best practice is to connect to managed switches capable of relaying replicated traffic over a SPAN port. In this case, the DCN and BOP networks already had managed switches; the unmanaged switches in the power network were replaced based on the OEM's recommendation.

Passive monitoring is performed by connecting to SPAN ports on managed switches, which replicate all the traffic those switches relay. A SPAN port only shows traffic that actually traverses that switch, and an oversubscribed mirror port silently drops packets, so the tap plan has to be checked against the expected PLC traffic rather than assumed complete. When assessing the network to determine which switches to tap, the following priorities apply:

- Top priority: coverage of all traffic that directly involves level-one assets (PLCs), including every connection between PLCs and level two (engineering workstations, HMIs) and above (the various network servers). It is paramount that all traffic that directly affects the physical process is replicated and monitored.
- Secondary priority: once level-one communication is covered, the assessment team looks at level two and above, which includes strategic switches such as the intersection points between network segments and working zones.

The final deployment step is to extend the on-site installation to a central site-management interface, where the customer gains a full view of the security posture across multiple vessels. The vessels in the rig contractor's fleet communicate with the onshore HQ via satellite connection, so to provide a consolidated multi-site view Claroty runs on top of the existing satcom network.
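The two-priority tap selection above can be turned into a repeatable check. The following is an added example written for this page, not Claroty's assessment tooling: the asset inventory, the PLC peer lists (the ground truth for which flows must be seen) and the per-switch flow sets are all constructed. It picks the smallest set of SPAN taps that covers every PLC flow, reports any PLC flow no switch can mirror (a blind spot), and then lists the segment-intersection switches as the secondary tier.

```python
"""Plan which managed switches to mirror (SPAN) for passive monitoring.

Added example for this page, not Claroty's assessment tooling. The asset
inventory, PLC peer lists and per-switch flow sets below are constructed.
Priority 1: every flow with a PLC (level 1) endpoint must be replicated.
Priority 2: switches that relay flows crossing segment boundaries.
"""

# Constructed inventory: asset -> (Purdue level, network segment)
ASSETS = {
    "plc-drawworks": (1, "dcn"),
    "plc-mudpump":   (1, "dcn"),
    "plc-bop-ctrl":  (1, "bop"),
    "hmi-driller":   (2, "dcn"),
    "ews-dcn":       (2, "dcn"),
    "hmi-bop":       (2, "bop"),
    "historian":     (3, "dmz"),
    "patch-server":  (3, "dmz"),
}

# Constructed: PLC peers taken from the engineering configuration. This is the
# ground truth for what must be seen; it is deliberately independent of what
# the switches happen to relay, so blind spots show up as uncovered flows.
PLC_PEERS = {
    "plc-drawworks": ["hmi-driller", "ews-dcn"],
    "plc-mudpump":   ["hmi-driller"],
    "plc-bop-ctrl":  ["hmi-bop"],
}

def flow(a, b):
    """Flows are undirected, so normalise them to an unordered pair."""
    return frozenset((a, b))

# Constructed: flows each switch's SPAN port would replicate if tapped
SWITCH_FLOWS = {
    "sw-dcn-1": {flow("plc-drawworks", "hmi-driller"), flow("plc-mudpump", "hmi-driller"),
                 flow("plc-drawworks", "ews-dcn")},
    "sw-dcn-2": {flow("plc-mudpump", "hmi-driller"), flow("hmi-driller", "historian")},
    "sw-bop-1": {flow("plc-bop-ctrl", "hmi-bop")},
    "sw-core":  {flow("hmi-driller", "historian"), flow("ews-dcn", "patch-server"),
                 flow("hmi-bop", "historian")},
}

def required_level1_flows(plc_peers):
    return {flow(plc, peer) for plc, peers in plc_peers.items() for peer in peers}

def cover_level1(switch_flows, required):
    """Greedy set cover: pick switches until every required PLC flow is mirrored
    (or no remaining switch adds coverage, which means a blind spot)."""
    remaining = set(required)
    chosen = []
    while remaining:
        best = max(switch_flows, key=lambda s: len(switch_flows[s] & remaining))
        gained = switch_flows[best] & remaining
        if not gained:
            break
        chosen.append(best)
        remaining -= gained
    return chosen, remaining

def crosses_segment(f):
    a, b = tuple(f)
    return ASSETS[a][1] != ASSETS[b][1]

def intersection_switches(switch_flows):
    """Secondary priority: switches relaying traffic between segments."""
    return sorted(s for s, flows in switch_flows.items() if any(map(crosses_segment, flows)))

def tap_plan(switch_flows, plc_peers=PLC_PEERS):
    primary, uncovered = cover_level1(switch_flows, required_level1_flows(plc_peers))
    secondary = [s for s in intersection_switches(switch_flows) if s not in primary]
    return {
        "primary": primary,
        "secondary": secondary,
        "uncovered_level1_flows": sorted(tuple(sorted(f)) for f in uncovered),
    }

if __name__ == "__main__":
    print(tap_plan(SWITCH_FLOWS))
```

On real data the flow sets come from a short capture on each candidate SPAN port and the PLC peer list from the controller project files; a non-empty `uncovered_level1_flows` is the signal that a switch is unmanaged, that a PLC talks over a link no tap sees, or that the inventory is wrong.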
Claroty uses a proprietary approach to overcome two important satcom constraints: relatively low bandwidth and frequently dropped connections. The data Claroty generates on site is continuously replicated and sent over SSH, through the existing satellite connection, to the Claroty Enterprise Manager in the rig contractor's onshore SOC. Claroty Enterprise Manager is a central management console deployed in the SOC that provides a single aggregation and management interface across multiple remote sites.

Chemical Cyber Threat Landscape - Overview
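The page does not describe Claroty's proprietary mechanism, so the following is an added illustration of the two properties any replication over such a link needs: bounded chunks so the low-bandwidth path is not saturated, and a cursor that only advances on the central side's acknowledgement so a dropped connection resumes where it left off instead of restarting. `FlakySatLink` is a constructed in-memory stand-in for the SSH tunnel over the satellite, the sample alert record is constructed, and none of this is Claroty code.

```python
"""Store-and-forward replication of site data over a low-bandwidth link that
drops often.

Added example for this page; it is not Claroty's proprietary satcom mechanism.
The site keeps an append-only spool and a persisted cursor, pushes bounded
chunks, and after a drop resumes from the last offset the central side
acknowledged, so already-delivered bytes are never resent. FlakySatLink is a
constructed in-memory stand-in for the SSH tunnel over the satellite.
"""
import hashlib

class LinkDropped(Exception):
    pass

class FlakySatLink:
    """Constructed transport: every drop_every-th send fails, deterministically."""
    def __init__(self, receiver, drop_every=3):
        self.receiver = receiver
        self.drop_every = drop_every
        self.sends = 0
        self.drops = 0

    def send(self, offset, chunk):
        self.sends += 1
        if self.sends % self.drop_every == 0:
            self.drops += 1
            raise LinkDropped(f"connection lost at offset {offset}")
        return self.receiver.receive(offset, chunk)

class EnterpriseManager:
    """Central side: appends only the next contiguous chunk and acks bytes held,
    so a duplicate or out-of-order chunk after a drop is harmless."""
    def __init__(self):
        self.buf = bytearray()

    def receive(self, offset, chunk):
        if offset == len(self.buf):
            self.buf.extend(chunk)
        return len(self.buf)

    def digest(self):
        return hashlib.sha256(bytes(self.buf)).hexdigest()

class SiteSpool:
    """Site side: the spool plus a cursor that only advances on acknowledgement.
    chunk_size bounds each transfer so the link is not saturated."""
    def __init__(self, data, chunk_size):
        self.spool = bytes(data)
        self.chunk_size = chunk_size
        self.cursor = 0
        self.retries = 0

    def push(self, link, max_consecutive_failures=20):
        failures = 0
        while self.cursor < len(self.spool):
            chunk = self.spool[self.cursor:self.cursor + self.chunk_size]
            try:
                acked = link.send(self.cursor, chunk)
            except LinkDropped:
                self.retries += 1
                failures += 1
                if failures >= max_consecutive_failures:
                    return False   # give up for now; cursor is preserved for later
                continue
            failures = 0
            self.cursor = acked  # trust the receiver's view, not our own count
        return True

# Constructed sample record; ten copies make the spool
SAMPLE_RECORD = b"2024-01-01T00:00:00Z alert plc-bop-ctrl write-coil from hmi-bop\n"
SPOOL_DATA = SAMPLE_RECORD * 10

def replicate(data=SPOOL_DATA, chunk_size=len(SAMPLE_RECORD), drop_every=3):
    em = EnterpriseManager()
    link = FlakySatLink(em, drop_every)
    site = SiteSpool(data, chunk_size)
    complete = site.push(link)
    return {
        "complete": complete,
        "retries": site.retries,
        "link_drops": link.drops,
        "digest_matches": em.digest() == hashlib.sha256(bytes(data)).hexdigest(),
    }

if __name__ == "__main__":
    print(replicate())
```

The digest comparison at the end is the check a SOC would actually want: an integrity confirmation that the onshore copy equals the site spool, independent of how many times the tunnel dropped along the way.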
The cyber threat landscape for OT networks is changing rapidly. The classic nation-state threat actors targeting critical infrastructure are now joined by multiple groups leveraging newly disclosed attack tools (such as the ones leaked from the NSA trove by the ShadowBrokers group). New threats include both cyber criminals executing impactful ransomware campaigns and the rising potential for jihadists or other terrorists to use widely available and very sophisticated tools and techniques to cause harm. Unmonitored remote connections, combined with the production sites' internal connectivity, create additional security blind spots that often go unnoticed and unattended, because of the lack of a working culture between the process control and IT networking teams and the lack of technology providing visibility into OT network configuration and traffic. The resulting lack of coordination and visibility exposes chemical plants to an expanded attack surface and makes plants increasingly vulnerable to attack.

Cyber Threat

The plant's security team expressed the following concerns:
- Non-targeted attack
- Targeted attack
Deployment Plan
Claroty provides a fully integrated cybersecurity platform purpose-built for OT:
- Continuous Threat Detection: passive monitoring/DPI product for real-time detection of malicious presence and activity.
- Secure Remote Access: access policy enforcement and control product that safeguards networks from the threats introduced by unmonitored third-party and employee network access.
- Enterprise Management Console: centralized management interface that aggregates data from Claroty products across multiple sites and displays a unified view of their assets, activities, alerts and access control.
Secure Remote Access

Secure Remote Access governs third-party and employee sessions at three points in time:
- Proactively: through granular user and asset policies governing which assets authorized users can see and access, when they can log into each asset, and the authentication level required for access.
- In real time: through manual access permissions and "over-the-shoulder" real-time video visibility into all of the user's activity, including a "red button" to terminate an ongoing session.
- Retroactively: by generating activity reports filtered by user, asset or session, and providing video recordings of all remote sessions.
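The three controls above map onto a small policy model: a per-user, per-asset rule with a time window and a minimum authentication level (proactive), a registry of live sessions with an operator kill switch (real time), and a filterable activity log (retroactive). The following is an added example written for this page, not Claroty Secure Remote Access code; the users, assets, windows and policy entries are constructed, and the session video side is out of scope for a text example.

```python
"""Evaluate a remote-access request against per-user, per-asset policy: which
assets the user may reach, in what maintenance window, and at what
authentication level; plus a session registry with an operator kill switch
and a filterable activity log.

Added example for this page; it is not Claroty Secure Remote Access code.
The policy entries, users, assets and windows are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Ordered authentication strength: a session authenticated at a stronger level
# satisfies any weaker requirement; an unknown level satisfies nothing.
AUTH_LEVELS = {"password": 1, "mfa": 2, "mfa+approval": 3}

@dataclass(frozen=True)
class Policy:
    user: str
    asset: str
    window_start: int      # hour of day, UTC, inclusive
    window_end: int        # hour of day, UTC, exclusive
    min_auth: str

# Constructed policy: the BOP contractor may reach its PLC only in the daytime
# maintenance window with MFA plus operator approval; the historian admin needs MFA.
POLICIES = [
    Policy("bop-vendor", "plc-bop-ctrl", 8, 16, "mfa+approval"),
    Policy("bop-vendor", "hmi-bop", 8, 16, "mfa"),
    Policy("hist-admin", "historian", 0, 24, "mfa"),
]

def at_hour(hour):
    """Helper for building an aware UTC timestamp on a fixed constructed date."""
    return datetime(2024, 1, 1, hour, tzinfo=timezone.utc)

def visible_assets(policies, user):
    """Proactive control: what the user can even see in the access portal."""
    return sorted({p.asset for p in policies if p.user == user})

def evaluate(policies, user, asset, when, auth_level):
    """Return (allowed, reason). Deny by default; the first matching policy decides."""
    for p in policies:
        if p.user != user or p.asset != asset:
            continue
        hour = when.astimezone(timezone.utc).hour
        if not (p.window_start <= hour < p.window_end):
            return False, f"outside window {p.window_start:02d}-{p.window_end:02d} UTC"
        if AUTH_LEVELS.get(auth_level, 0) < AUTH_LEVELS[p.min_auth]:
            return False, f"requires {p.min_auth}"
        return True, "policy match"
    return False, "no policy grants this user access to this asset"

@dataclass
class SessionRegistry:
    """Real-time control: live sessions and the operator's red button."""
    live: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def open(self, session_id, user, asset, when, auth_level, policies=POLICIES):
        allowed, reason = evaluate(policies, user, asset, when, auth_level)
        self.log.append((session_id, user, asset, "open" if allowed else "denied", reason))
        if allowed:
            self.live[session_id] = (user, asset)
        return allowed

    def terminate(self, session_id, operator):
        """Red button: tear the session down and record who pressed it."""
        if session_id not in self.live:
            return False
        user, asset = self.live.pop(session_id)
        self.log.append((session_id, user, asset, "terminated", f"by {operator}"))
        return True

    def report(self, user=None, asset=None):
        """Retroactive control: filter the activity log by user and/or asset."""
        return [e for e in self.log
                if (user is None or e[1] == user) and (asset is None or e[2] == asset)]

if __name__ == "__main__":
    reg = SessionRegistry()
    reg.open("s1", "bop-vendor", "plc-bop-ctrl", at_hour(12), "mfa+approval")
    reg.open("s2", "bop-vendor", "plc-bop-ctrl", at_hour(22), "mfa+approval")
    reg.terminate("s1", "soc-operator")
    for entry in reg.report(user="bop-vendor"):
        print(entry)
```

Two design points worth keeping in any real implementation: denied attempts are logged alongside successful ones, because a contractor account probing outside its window is exactly the signal the SOC wants, and the evaluator compares against the window in UTC so a vendor logging in from another time zone cannot widen it.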