Page 138 of Offshore Engineer Magazine (May/Jun 2015)
Those may be the nation state kinds of hackers, but we’re seeing more of that happening.”

THREAT GOALS

Typically attackers with a purpose are trying to accomplish one of three basic things:
• Disrupt production
• Cause some sort of disaster
• Steal information

Each of these requires specific skills and generally they escalate in necessary sophistication.

Disrupting production by causing a controller to crash or lose its program is probably the easiest task. Matt Luallen, co-founder of Cybati, said there are many ways for that kind of hacker to get critical information.

[Photo: Matt Luallen]

“I decided to do some OSINT (open-source intelligence) on drilling operations,” he said. “I searched for proceedings from vendor conferences and found that some operating company was excited about using some kind of product, or how they had moved from wired devices to wireless. As part of the presentation, they had photos of open equipment cabinets, which showed a SCADA pack that was controlling all the logic on this platform. I was able to identify what was in the rack, and one of the six recognizable devices was in the Digital Bond Basecamp project. It didn’t even get to be tested because it got ‘bricked’ within minutes when the security engineer started doing the assessment. Now I have this photo in the vendor proceedings, showing what hardware is in use, the photo was never meta-data filtered,

A hacker might try to get business intelligence about how a platform is performing for a variety of reasons. That kind of effort might require getting into the networks on the platform, but it might be easier to get it from the onshore networks after it has been forwarded. Such invaders like to come in quietly, gather information and get out unnoticed. With the limited bandwidth of platform-to-shore communication, trying to move large amounts of data is easy to spot, so that kind of information will likely end up extracted from onshore networks.

RESPONDING TO AN INCIDENT

So what happens when network monitoring shows abnormal traffic and there is no approved cause to account for it? That’s when an incident response plan comes into play. The plan needs to be specific and clear. Network profiling tools should be able to give operators a detailed indication of what is happening. If it is possible for operators to call for onshore assistance, they can describe exactly what the problem is to shorten the time necessary to formulate a solution.

“The incident response plan has to reflect the capabilities of the people on the platform,” Luallen said. “What if the incident is beyond their ability to respond? What is the response time to get a physical response in the environment, which means bringing somebody to the platform? Even an unsophisticated attacker is going to be aware that you’re using this remote satellite linkage to maintain your connection, so he knows if he’s discovered, it could take hours, days, maybe even weeks to send somebody to the platform. In a crisis situation, the limited bandwidth is going to hurt.”

Cornelius stressed the importance of planning and practicing. “The security guy comes to the platform a few times each year and works on training the operators, works on implementing the systems that we’re going to rely on for incident detection and mitigation, gets them all configured, and then when he leaves, he tells the operators, ‘If you see this, call this guy. If it escalates further, call this other guy. This type of problem warrants the IT guy coming out. This other type of problem warrants more severe action.’ You need to have all those scenarios thought out, have the approaches you’re going to take for each scenario pre-defined, and then exercise those approaches with your personnel so that when something does happen, it’s a practiced routine and not a hair-on-fire emergency,” he said.

oedigital.com