Refining security

How do security vendors targeting the Oil & Gas sector help end-users maintain security standards and face future threats?

Tags: CA IncorporationConfickerData Leakage PreventionFirewallGulf Business MachinesHewlett-Packard CompanySonicWALL IncorporatedSymantec CorporationUnited Arab Emirates
  • E-Mail
Refining security The oil and gas sector actually feel that it is the best time to innovate and best time to deploy. - Ganesan Lakshmanan, principal consultant, security management, CA.
More pics ›
By  Julian Pletts Published  August 10, 2009 Network Middle East Logo

Although the energy market is multi-trillion dollar industry it has nonetheless, still been hit hard by the financial crisis and falling oil prices. This has meant that the once strong and highly liquid firms that populate this sector have had to think carefully about investments they put into information technology, among other services.

It has also meant that the sector, like most other substantial verticals has seen a series of high profile mergers and acquisitions which, for the involved CIOs, will have created a colossal task to consolidate the resulting networks.

When it comes to IT security in the oil and gas sector, it is common sense that spending has not actually halted as a result of the downturn, after all, threats will not cease and the complexity of networks will only increase. Security has remained an important aspect of IT spend, whilst other networking concerns have been shelved for now.

"We don't see that the financial crisis has impacted them in terms of acquiring new and innovative solutions, rather we see more focus and an increased pick up of solutions than ever before," said Ganesan Lakshmanan, principal consultant, security management at Computer Associates. "The oil and gas sector actually feel that it is the best time to innovate and the best time to deploy."

Omar Dijani, director of systems engineering for MEA, CIS, Russia and Southern Mediterranean at Symantec feels security budgets are now viewed as separate to the overall IT budget: "What we were seeing, going back a couple of years, IT security in oil and gas has been locked into a larger IT project," explained Dijani.

"But what we have seen over the last 12 months is a dedicated security budget has been carved out and generally about 20% of the IT budget has been apportioned to security because they see that it is an area that you cannot afford not to invest in," added Dijani.

Gulf Business Machines, a large UAE-based systems integrator which works in a representative agent fashion for infrastructure giant IBM in the Middle East region, says that the financial crisis has had a short term impact on the oil and gas industry but it is an industry that will regain its importance in years to come, a resurgence that will lead to greater security outlay.

"Over the last few years the price of oil has gone down and it has had an impact on the oil and gas industry, but on the other hand, it has been said that in the next 25 years energy consumption is going to increase by 50%, so it doesn't really matter what is happening with the financial crisis from the oil production perspective," emphasized Ali Hosseini, director of professional services at GBM. "Security is something that they have to spend money on because it has to be in place either way."

From an IT security angle, the oil and gas industry is one of, if not the most, demanding end-user domains. Not only do oil and gas companies make use of incredibly sophisticated computing power in an effort to assess where best to drill for oil - an assessment that can cost millions of dollars if not accurately made - and the mass of data that such calculations produce is so immense, but they also have large scale and complex distributed networks.

The data centres in the main headquarters will house a great deal of the information and infrastructure but that information has to be widely available at remote locations as well. And as Dijani from Symantec puts it, working with oil and gas end-users is often akin to working with military clientele, such is the sensitive nature of the information in the network and the vetting and proof of concept process vendors will be required to go through.

Secure SCADAs?

An assessment of oil and gas IT security would not be complete without mentioning Supervisory Control and Data Acquisition, or SCADA, networks. These information gathering and control networks are traditionally kept as offline as possible.

But recently there have been some common misconceptions about how secure SCADA networks are, and this has lead to some serious breaches in these supposedly internal networks. There has been a wealth of research on the vulnerability of SCADAs and some experts have even suggested that in contemporary society they are in danger of terrorist cyberattacks.

"We have seen specific instances in the region where SCADA networks have been compromised," revealed Symantec's Dijani. "We found that from the end-user's perspective, they really want to keep it separate but at some point you have got to integrate it at points with the main network. This is why, last year, we saw one of the big outbreaks - the Conficker, in the SCADA network.

What happens in the oil and gas sector is they tend to install stuff, fix it and then forget about it. So there are still a few systems that are running on the SCADA network, unpatched and vulnerable that can be exploited."

It is clear then that any oil and gas IT security provisions must also include and tie-down the SCADA networks. It is also clear that IT security spending may still be at the top of IT professionals' lists in the energies industry. But how is that spending being apportioned? And what threats present the most clear and present danger to oil and gas networks?

Shahnawaz Sheikh, sales manager for MEA at SonicWall, despite having a strong focus on Unified Threat Management (UTM) products, presents one of the best overviews of the security requirements of the sector.

"Most of the oil and gas organisations look for the high-end UTM devices which are powerful in terms of processing speed and bandwidth but they also look very carefully at features like application firewalls and data leakage prevention solutions. These are some of the primary requirements when it comes to their security," said Sheikh.

"But in addition to that these organisations are particular about remote access activity, the end-point control, and who is accessing and working on information and whether they are authorised to do so," he added.

People problems

Most industry spokespersons seemed to concur that one of the most prominent threats to the integrity of the network, and the encompassed data within those networks, comes from the people that use it.

HP ProCurve is one such voice: "Like all sectors user-based security is a major challenge," said Alaa Al Shimy, HP ProCurve's general manager for the Middle East. "It's about how to identify the device or person as they connect to the network and how to protect the network from guest users while giving them the ability to access internet resources in a safe and secure manner."

There are plenty of solutions that tackle the problem of access management and also data leakage. HP ProCurve for instance offers its 802.1x solution which it says dynamically assigns controls to individuals based on security policies and other variables.

Symantec points out that it is not only user access that has to be tightly controlled though, it is the devices that are able to access the network as well. Symantec's Dijani says user access may be carefully scrutinised at each facility and that this is the prerogative of the administrators at each facility.

"At the same time there is absolutely zero control over USB sticks," he warns. "It is moving away from saying ‘how can I control what goes onto a USB stick?'  They are now looking at how to lock down the port, or the OC, or the server and there are ways to do that."

He also recounts instances where they have run tests for oil and gas end-users and shown them examples of data leaving their organisation without their consent or knowledge that have truly shocked them. As Dijani underlines: "Security is now getting closer and closer to the data itself."

The threat of data leaving an organisation through a USB, portable hard drive or via careless emails, might be on the rise. But security has to be looked at holistically and an end-to-end oil and gas security provision must also include firewalling and physical security at the gateway.

"Today, the application firewalling is a must for any large enterprise network," said SonicWall's Sheikh who also points out that although DLP solutions are a valid investment for oil and gas end-users, if you are having to work out what has gone missing or what malicious content has entered the network, security measures have already failed with potentially devastating and unacceptable consequences.

It is for this reason that most oil and gas end-users will be employing or looking to employ UTM devices to safeguard the gateway to the network. As it is ideal that productivity and usage are not reduced as a result of network security provisions, SonicWall claims that its offerings in this area are more efficient than most due to the multi-core processor its UTM features and the fact that this allows packet scanning ‘on the fly' as opposed to packet buffering as traditional UTM devices are designed, which supposedly can cause delays.

As a final thought, CIOs in this sector may well be using the financial crisis to take stock of their  security provisions and command vendors to prove to a greater extent the worth of their solutions, but it is unlikely requirements for security will stay the same.

In fact in the very near future, as IT leaders look to virtualisation to answer the flexibility needs of the oil and gas industry and reduce costs, security will also have to mature in this sector to answer it. Plus, it is likely that the sector will migrate towards cloud computing, around which security is a paramount concern. So it is, in an industry that works with numerous contractors and sub-contractors, that such future concerns will have to start taking greater precedence today.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code