Forward

The oil and gas industry has long been in the crosshairs of ICS\SCADA cyber security threats. These advanced automation networks, collectively known as operational technology, or OT networks, are used throughout the entire upstream and downstream operations lifecycle. The extensive use of these automation systems significantly increases productivity, but at the same time it provides an additional attack surface that threat actors can leverage to inflict material harm. Claroty was conceived to secure and optimize operational networks running critical processes like the multiple integrated OT systems that offshore drilling vessels rely upon. Therefore, Claroty was the ideal partner for a rig contractor that sought not only to comply with E&P contractual requirements, but to take a leading role in transforming the cyber security posture of its vessels.

Offshore Rigs Overview

Mobile Offshore Drilling units (MODUs), used in the exploration and development of wells, are divided into Jack-ups that reside in shallow water sea beds and floaters (drilling ships and semisubmersibles) for mid and deep water drilling. Standard drilling ship and semisubmersibles typically include four major independent OT networks that are each managed by an external contractor and differ from each other in automation equipment and communication protocols utilized.

Security and Operational Challenges

The fragmentation and management of the floaters’ OT networks causes the following structural security vulnerabilities:Remote access required by the network contractors for maintenance activities introduces a new attack surface. Compromising a privileged third-party account to gain an initial foothold on the network is a common attack vector that has been utilized numerous times in targeted attacks.Further, the drilling ships’ OT networks are not air-gapped. They are connected directly with the rig contractor’s main IT network which is connected to the Internet It is clear that these structural vulnerabilities pose a significant risk. However, this risk cannot be soundly managed by the rig contractor for two reasons:Each network is separately managed by its respective contractor in a complete silo. Therefore, there is no unified view of all assets across the entire OT network environment. From the technology perspective, traditional IT security monitoring products do not provide visibility into the entire scope of proprietary OT protocols that are utilized by the assets throughout the floater’s networks.
Acknowledging these challenges, the rig contractor sought a solution that enabled it to attain visibility and regain control over its OT networks, and better address the safety and operational risks it is accountable for.

Deployment Process -Network Infrastructure Assessment

The Claroty platform can be deployed on top of any networking infrastructure. However, Claroty’s  recommended  best  practice  is  to  connect  to  managed  switches  capable  of  relaying replicated traffic over a SPAN port. In this case, the DCN and BOP networks had managed switches prior to our arrival. Unmanaged switches in the power network were replaced based on the OEM’s recommendation.Passive monitoring is executed by connecting to SPAN ports on managed switches. This configuration replicates all the traffic these switches relay. When assessing the network to determine which switches to tap, the following considerations are made: Top priority: Coverage of all traffic that directly involves level one assets (PLCs), including all connections of PLCs with level two (engineering workstations, HMIs) and above (various network servers). It is paramount that all traffic that directly impacts physical process is replicated and monitored. Secondary priority: Following the completion of level-one communication coverage, the assessment team searches for level-two and-above, which includes strategic switches such as intersection points between network segments and working zones. The final deployment step is to extend the successful on-site installation to a central site management interface, where the customer can gain full view of the security posture across multiple vessels. The various vessels on the rig contractor ’s fleet communicate with the onshore HQ via satellite connection. To provide a consolidated multi-site view, Claroty runs on top of the existing satcom network. Claroty utilizes a proprietary approach to overcome two important satcom constraints – relatively low-bandwidth and frequently dropped connections.The data Claroty generates on site is continuously replicated and sent over SSH through the existing satellite connection to the Claroty Enterprise Manager residing in the rig contractor’s onshore SOC.Claroty Enterprise Manager is a central management console deployed in the SOC that provides a single aggregation and management interface across multiple remote sites.

Chemical Cyber Threat Landscape – Overview

The cyber threat landscape for OT networks is changing rapidly. The classic nation state threat actors, targeting critical infrastructure, are now joined by multiple groups that are leveraging newly disclosed attack tools (such as the ones leaked from the NSA trove by the ShadowBrokers group). New threats include both cyber criminals executing impactful ransomware campaigns as well as the rising potential for jihadists or other terrorists to leverage widely available, and very sophisticated tools and techniques to cause harm. Unmonitored remote connections, combined with the production sites internal connectivity create additional security blind spots that often go unnoticed and unattended due to lack of a working culture between the process control and the IT networking teams, and the lack of technology providing visibility into OT network conguration and trac. The resulting lack of coordination and visibility exposes chemical plants to an expanded attack surface area and makes plants increasingly vulnerable to attack.

Cyber Threat

The plant’s security team expressed the following concerns:

• Non-targeted attack

Description: non-OT malware shutting down or slowing performance of OT Windows machines (HMI, batch server, Historian etc.) Vector: internal\3rd party using an infected computer to perform maintenance activities. Impact: Dysfunctional HMI: loss of view would probably lead to initiated shutdown until HMI becomes functional again, through either malware removal or machine reimaging. Dysfunctional batch server: Compromise of data and system integrity. Various regulations require detailed documentation of all process stages. Failing to comply with these requirements could result in disqualifying the entire batch. Here also production would be halted until the batch server is restored to operational routine. Compromise of data and system integrity

• Targeted attack

Description: purpose-built attack on the plant’s OT network, leveraging its built-in security weaknesses. Threat actors would aim at causing high-profile physical damage to equipment, environment or in extreme cases, even human lives . Vector:  physical - the site’s large size, enables attackers (insider or external) to approach the controllers in stealth and perform a logic change through a USB drive. Network: the OT network architecture introduces various attack surfaces for both initial compromise and prolonged stay. As explained before, the standard routine in the plant is that configuration downloads are carried through the EWS in central control room, while minor parameter adjustments are owned by each site’s control team which use Online Edits from a single Windows machine that contains both HMI and EWS software. An attacker that successfully compromises one of these local site machined could easily leverage its EWS software to download a rouge configuration code, changing the process values. Impact: Release of toxic materials in the plant: endangering of human lives. Site shutdown until all the plant is cleaned. Release of toxic materials to the environment: considerable environmental damage. Heavy costs of cleaning and restoration activities, as well as exposure to legal claims. Presumably, this is much less likely.

Deployment Plan

Claroty provides a fully integrated cybersecurity platform purpose-built for OT:

1. Continuous Threat Detection: passive monitoring\DPI product for real-time detection of malicious presence\activitySecure
2. Remote Access: access policy enforcement and control product to safeguard networks from the threats introduced by unmonitored 3rd party and employees’ network access.
3. Enterprise Management Console: centralized management interface that aggregates the data from Claroty products from multiple sites, and displays a unified view of their assets, activities, alerts and access control.

1. Continuous Threat Detection gathers and analyzes network data–basically listening to all the communications to discover control and other assets (e.g., controller, HMI, remote I\O, engineering stations and networking gear) and to build a detailed “baseline” model of the normal network operations. Different assets generate network traffic in varying time intervals, depending on the specific function of the asset and the environment. The common timeframe required for the entire set of OT assets to generate their routine traffic is approximately 2-3 weeks. Once training mode is complete, Continuous Threat Detection shifts to operational mode, where the system provides real-time monitoring and raises an alert upon detection of deviations from the baseline. The entire OT network is now visible and monitored through a single console, enabling the customer to track changes and to rapidly detect, investigate and respond to security incidents and potential operational issues. 2. Claroty Secure Remote.Access is software designed to minimize the risk remote users, including employees and contractors, introduce to industrial networks. The system provides a single, manageable interface through which all remote users connect and authenticate, prior to performing software upgrades, periodic maintenance, and other system support activities.Network administrators employ the system to control which users are granted access to industrial control assets and for what purpose. The system enforces password management and access control policies, governs remote connections, and monitors and records remote access sessions:

• Proactively – through granular user and asset policies governing which assets authorized users can see and access, when they can log into each asset and the authentication-level required for access.
• In real time – by using manual access permissions and “over-the-shoulder” real-time video visibility into all the user’s activity–including a “red button” ability to terminate an ongoing session.
• Retroactively – by generating activity reports filtered by user, asset or session and providing video recordings of all remote sessions. Secure Remote Access

3. Enterprise Management Console is a centralized management interface that aggregates the data from Claroty products from multiple sites, and displays a unified view of their assets, activities, alerts and access control.SRA\CTD integration.