This security policy document is prepared as a computer security consultant with a firm with an international base. This risks and threats in the field of gas utilities supplies are increasing as new operational concepts and digital technologies are evading the gas utility industry. According to the company, grown state of cyber-attacks and sophistication of cyber-attacks is making more difficulty in detecting and defending causing more sum of money to recover the original form. The vast network of energy infrastructure and its supply chain pose serious threats to the functionality and reliability of these energy systems (Young & Young 2016). For instances, related to weather outages in the US has cost between 18 billion to 33 billion dollars annually, in Nigeria, 1.5 billion of business comes from theft per month, Mexico faces disappear of millions of barrel every year (Hua & Bapna 2013). The threats can come to production, transportation and distribution.
CURRENT THREATS FOR GAS UTILITIES SUPPLIERS
Supply security is concerning principle as it is very interesting subject to find out how much the global supply is secure from production and transportation (McCrie & McCrie 2016). Some issues regarding energy supply are discussed in this section to list out the current threats. When some metrics for the supply of gas is concerned, the safest method is by rail transportation. It is assumed to be safer than another way of transportation, but it is costlier than pipelines which shale and tight oil boom continuously be constructing every year as it is one of a political tool to connect with Europe and Asia in relatively cheap rate, but it is a more vulnerable network of transportation.
Failed welding and corrosion of pipelines are more familiar threats, but the gas theft is at the peak which is estimated to cause loss of more than 37 billion dollars per year which is generally by illegal tapping of pipelines (Broder et al. 2012). It accounts for roughly 10 billion shares from the US followed by Nigeria, Mexico, and Iraq. The exact figure is hard to find but it is causing very big losses to global gas market is very hard to reduce its effect.
Physical and cyber security is a pressure point for gas suppliers. Till date, manpowered, automated and other security systems are limited which means that there should be the initiation of newer sufficient security rather than follow the trend.
Since the world is well supplied with oil and gas now as crude oil inventory is built through 2016 with the market can hold more unplanned supply disruptions. As looking to 2030 and beyond, many challenges will appear while money will be tight(McCrie & McCrie 2016). For oil and gas concern, all pressure falls after assuming balanced economic growth and OPEC crude is expected to rise from 25 to 39.7 mbpd by 2040 which is near to equal non- OPEC output. Moreover, we can see that Iraq and Venezuela have more than 30% reservation for crude, but they had not achieved in production term. The outlook for natural gas is less worried as the market continued to be more flexible and integrated each year.
The threats come to supply grid which is a victim of thousands of daily cyber-attacks. Cybersecurity is one of the top concerns for US electric utilities (Thomson & Thomson 2015). Many of suppliers and providers lack the proper monitoring system and protection mechanism for fighting with major assault as pressure lies each and every point. The electricity infrastructure is too old, and it weakens more regularly than developed regions. The crime and threats by cyber are growing and the current infrastructure is not prone to the events for any domestic or cross border hackers (Cavelty 2009). It is estimated by international energy agency that US power sector will require trillions of dollars to meet goals as well as the security of its infrastructure with its demand.
Beside these threats related to gas utilities suppliers, some other threats are listed and explained below:
IP SNOOFING AND EAVESDROPPING
Snooping is case where someone else is listening conversation between two people. Same case happen in network too where bunch of data and codes are flowing. Network analyzer is a tool which can analyze what is flowing over network. If no encryption technology is used, it can simply know what the username and password is it means spoofing of information. This arise problem of leaking information to network causing headache to company. If any external hacker get these information, may arise many sorts of problem and they can get into server system cause huge loss to company.
TEMPERING WITH SYSTEM REMOTELY BY ATTACKERS
This is similar as snooping where the code of server breaches by attackers to enter into server zone. Organization may have financial trouble when they lost their sensitive data and information. Data breach can cost to data gathering and recovery costs. Company may face unknown tasks for recreation of lost data after occurring of breaches. This also cause in reputation damage, customer belief hamper and many other problems. Attackers are always ready for soft and weak point breaching for any company. This is one of most popular attacks and threats for any organization and should be taken care very properly.
SOCIAL ENGINEERING ATTACKS
Social engineering is type of attacks relies on interaction by human and involves tricky procedures in breaking security. There exists many type of this attacks which could hamper business process by extent. It is type of attacks due to user willingness for some helpful content from web. Some of popular type of social engineering attacks are baiting, phishing, spear phishing, pretexting, scareware etc. baiting is such type where attacker leaves physical device to get anyone. When a user insert to their device, it cause introduction of malware to system causing problem. Phishing is malicious email often claiming to be from trusted source, clicking on link may insert malware and cause to copy personal as well as financial information. These scams are unknown to many people so they may get stuck in this threat. This is one of emerging threat which should be controlled for better work environment and using a digital device.
USE OF STORAGE DEVICES AND SMARTPHONES
Data vulnerability become high with use of personal mobile devices for sharing information, company database and forget to change phone password. It is estimated that only due to security breach from mobile devices has caused more than two third security incidents in last 12 months. These devices are much exposed for the risk as these are connected to company network behind the firewall via VPN and even one app install can introduce Trojan or malware to network which may affect corporate processes.
POOR PHYSICAL SECURITY OF DATA
This may be biggest threats to company or organization if not proper security of data room is concerned. Data room has all kind of storage devices and backup application which need very secure environment. If any personal come to data and copy any document or files, it may be vulnerable to company prestige and sensitive information may get spread or may be huge compensation for the same. This requires proper security for data room. CCTV surveillance, security guards for 24/7, tracking application and security alarms are some tools that can manage security but above to this it should be at secure and hidden place.
A company is not prone to insider attacking factors. A collection of employee work for a corporate business or supply businesses so what if any one among then betray organization and leak information or just open port for hackers or attackers for breaching security and copying sensitive information. This is unavoidable because this problem is related to employee nature and it can alter any time of work. Not proper negotiation is one problem or employee is not satisfied with company policies, if any such cases are seen must be taken case of properly.
THE PRIORITIZED THREATS
The gas and oil industry is becoming a portal and attractive target for cyber criminals. There are many weak points via which attacks can be intervened to the company to utter disaster. If a normal retailer shop is breached by hackers, they leak personal details which can be compromised for a shake, but when the system of oil and gas is breached, the consequences is very severe to handle (Moreira et al. 2016). The attacks on energy industry are rising to 77% of respondents had seen an increase of cyber-attacks in last 12 years (Kim 2016). This line of attack in comparison to other industry type is not horizontally, and it is more promising fact this industry faces in the protection of control systems and assets. Not only numbers but also the erudition has increased from the first attack where bid-lease data, seismic markups and properties were stolen from very reputed and large companies (Flowerday & Tuyikeze 2016).
The insider threat is also one danger loomed over the gas industry as the system is being digitized by the use of technology and most recent data mining and analytical application used by machines. This is helped in rising efficiency but cause to rise attacks. The security threats on prioritized version are listed and briefed below.
INFORMATION SECURITY THREATS
Information is most sensitive part of an industry which has the valuable data and information storage to some unidentified location or within infrastructure building with proper security management (Kim 2016). What if the security policies of information are breached? The industry has a wide variety of information which in generates, process, collects and stores, the personal data of employee and other commercial information, national security information any many other forms of information. Once the information is leaked, the reputation of industry along with its assets value dropped abruptly causing to collapse the company within days (Tipton & Nozaki 2016). The technology is storing these secure valuable data by some technique, so this technique and authentication must have the power to stop or hold any cyber-attacks. This threat is kept at the top of priority table of threats.
PHYSICAL SECURITY THREATS
Beside the information and technology security, the most promising is physical security threats which mean the infrastructure is to be kept secure from direct and indirect attacks. Since this industry has a diverse set of infrastructure from main working building to its sites. Every site must be protected from any type of harm and threats (Griffor 2016). The physical control varies on depending on circumstances and requirement of business with the type of threats (natural hazards, disruptive challenges, fire, crime, terrorism, etc.). The multi layering security as guarding, perimeter controls, proper fitting of furniture, design features of the building, controlling access and use of the separate area for sensitive tasks. The threats related to physical security should be determined and mitigated with some control measures to ensure secure working environment (ZHANG et al. 2013).
PERSONAL SECURITY THREATS
Personal security confirms the identity of employee and contractors and it ensures the level of security to their trust, integrity and reliability (Tipton & Nozaki 2016). Personnel are the workforce of industry who help in each and every part of the design to shipment of product to the doorstep. There should be some defined policies to protect them and their identity from any threats. The threats of incidents, any harmful radiation exposure and the security level should be taken care off very loyally.
An international survey from almost 1100 business professional conducted by DNV GL found that just over half, almost 58%, has adopted ad hoc strategy of management although these companies are actively and regularly managing information security while only 27% has succeeded in setting goals (Thomson & Thomson 2015). Cyber security cases don’t come as headlines, but many of attacks go unreported or undetected by these organization as they failed to keep their system safe from vulnerabilities. The first attacks are generally the office environment working via production and process control process of Gas Company. The top vulnerabilities faced by these companies are listed as:
- Lack of any type of cyber security awareness among the employee and even they are far from any such training
- The working by remote technology for operation and maintenance of sites.
- Use of standard IT devices with some common vulnerabilities within the production environment
- The limitation in cyber security culture between suppliers, vendors, contractors
- Not proper separation in data networks
- Using mobile devices and storage units locally even including smartphones
- The network of data between on-shore and off-shore facilities
- Not installation of security policies for cabinets and data rooms
- Use of vulnerable hardware and software within company environment
- Use of outdated and aging facilities as system control
It is believed that the cyber vulnerabilities can be mitigated using risk based approach, most popular are bow-tie model from safety barrier management (Tipton & Nozaki 2016). This approach allows the company to identify the threats and vulnerabilities of operations and assets and plan some barriers to avoid any incidents, and eventually it mitigates the consequences of cyber-attacks (Griffor 2016). The procedure is documented in performance standards to maintain the quality of barriers.
Breaching security is not a normal incident as it cost dollars for compromising the record. In gas and oil industry, it is quite higher than other industry as it causes to rise risks in its operation and normal working facilities (Cavelty 2009). A proper study of these risks and threats introduction can help in reducing the compromising cost by a huge margin. It is found by a study that a prepared industry has more than 38 dollars less compromise in the record from the unprepared company. In another word, adopting policies and planning for cyber security is not only reducing the cost of data breaching but it also helps to reduce any such type of incident within the industry (Young & Young 2016). One most effective way of mitigating risks and adopting security policies is cyber security maturity model.
This model is a framework which allows its firms to assess the consistency of its security practices and processes based on best practices which help to create best and robust model of security footing over duration by reducing the successful cyber-attacks and helps to return quickly to normal operation after attacks (Jang-Jaccard & Nepal 2014). The maturity can be gained from basic to comprehensive, probably for large firms it is gained from a different stage of maturity. Maturity is not same as security, but a higher level of maturity ensure best security policies and practices tools for enabling better security (Hua & Bapna 2013). A maturity model can map the security extent within the organization and helps to detect the improvements required in the area of business. For large business and firms, it is very significant undertaking by just one step in maturity model. Each organization must have its own level of a maturity model for securing its environment from external attacks and threats (Cavelty 2009). The policies for security regarding government standard and cybersecurity and health and environment standards are presented below.
GOVERNMENT STANDARD POLICIES
The department of energy has deployed a maturity model for an industry which enables to improve security in energy sector both in information technology and operational technology and gives a proper mechanism to help in evaluating, prioritizing and improving the cyber security abilities(Park 2016). The field where is intend to help are:
- Reinforce cybersecurity proficiencies in the gas subsector.
- Permit gas industry to effectively and steadily evaluate and yardstick cybersecurity capabilities.
- Share information, best performs, and applicable references inside the subsector as means to progress cybersecurity capabilities.
- Enable gas administrations to arrange actions and funds to improve cybersecurity
This model of maturity in governing safety policies includes core elements as well as added materials, especially for gas sector. It comprises a set of industry vetted practices and policies for cyber security with a maturity model as well as some evaluation tools. Companies can evaluate their cyber security practices against the appropriate practices and assign a score for each domain (Löbbe & Jochum 2016). This given score can be compared with the target score basing on the risk tolerance factor of the company. The department of energy is not regulatory where the model is descriptive rather than prescriptive which allows companies to set their goal by own and establish a proper control and policies which can meet them. Evaluating and tracking capabilities of cybersecurity need plotting of key performance indicator as these are success metrics which align with goals of industry (Flowerday & Tuyikeze 2016). Some common indicators are cyber resiliency capabilities which enable the company to return normal operating after any incident.
CYBERSECURITY AND HEALTH SAFETY POLICIES
Implementation of effective cyber security across information and operational domain is a collective effort by the involvement of all stakeholders (Park 2016). The conversation should be in information technology and operation technology as both the technology is integrated with tight control from both the directional flow of data and also access from a remote location using IT technique but the objectives of each domain must remain different. This distinctness becomes a base for the establishment of policies and procedures for each. For this, there should be a better understanding of management about its integration and relationships about how the operation technology is changing so that there could be better alignment (Fowler et al. 2016). The HSE (health, safety and environment) standards are set of processes for tracking and using some mitigation technique to lower dangers and risk faced by employees in their day to day activities that could help in improving the safety of the industry. This document is not only to adopt the physical environment but also help to keep in track human behavior. The tracking by this standards are:
- The number of safety incident which is likely to occur
- The number of minor safety incidents
- The number of safety incident which leads to loss of time during working hours
- The number of fatal incidents
Safety management has contributed a drop in fatalities developed in three sub phases. The first aims to try in removing the risk from workplaces by concentrating on safety design and construction of plants. This is very smart, and positive result since it help in reduction of incidents when flattened out. The second phase focused on procedure. In the awaken of the Piper Alpha tragedy of 1988, in which 167 oil rig labors lost their lives, safety measures attentive mainly on work management. The current phase emphases on behavioral safety, which purposes to eliminate unsafe conduct, such as wounding corners and disregarding proper process to save time and energy. The lesson in the evolution of standards which develops parallel in cybersecurity must be addressed through the proper solution to encompass people, process and technology in improvement (McCrie & McCrie 2016).
STANDARDS FOR CYBERSECURITY
There exists little direct regulation of cybersecurity in this sector but the standards and practices of government and industry to support companies ensuring their policies to meet the need for securing the own building and data (Dor & Elovici 2016). There is also surety of companies that able to meet need and expectation of customers and their partners. While these guidelines company that leaves the cybersecurity policies and procedures as a best practice that could find itself at high risks to cyber-attacks and also for the environment to which it works (Tipton & Nozaki 2016). The industry does not hesitate in adopting best security policies in the area of their operation. As a best practice in production can gain higher efficiency to 30 percent but cyber security in the operational domain by use of process control system as it has no same level of attention from environmental safety and productivity. Although these industry faces many challenges as it shares other enterprises in both IT and OT. Hence, basic cyber security applies their plenty of guidelines on implementation of basics. Some of the critical security controls are listed below:
- Authorized and unauthorized devices and software inventory
- Secure configurations for software and hardware on smartphones, laptops, and servers
- Vulnerability assessment and remediation
- Defenses on malware security
- Wireless access control
- Capability of data recovering
- Secure configuration of network devices as firewalls, switches, routers and controlling network ports and protocols
- Controlling accessed based on need to know
- Account controlling and monitor
It is concluded from above document that security management is an essential part of the energy industry as this industry is large and has several sites and maintenance phases. The security policy adopted by this industry must have a unique and can solve all threats associated with this industry. This document lists all security threats related to gas industry and provides priorities in risks so that equal policies can be formulated and adopted according to the law of government and industry standards.
...(download the rest of the essay above)