Improving cyber security at oil and gas plants
Sensitive to possible threats to oil and gas industry process control networks and related systems, the US government brought together 14 organisations in an effort to identify new types of security sensors. A 12-month demonstration project has highlighted an opportunity to reduce vulnerabilities by sensing, correlating and analysing abnormal events in order to identify and prevent cyber security threats.

For the past 12 months, Sandia National Laboratories based in Albuquerque, New Mexico, US, has served as the lead national laboratory in project LOGIIC (Linking the Oil and Gas Industry to Improve Cyber Security). The project was created to keep US oil and gas control systems safe and secure, and to help minimise the chance that a cyber attack could severely damage or cripple the nation's oil and gas infrastructure. Such an attack by viruses, worms or other forms of cyber-terrorism on oil and gas industry process control networks and related systems could destabilise energy industry supply capabilities and negatively impact the national economy.

LOGIIC, funded by the Department of Homeland Security's Science and Technology Directorate, brought together 14 organisations to identify ways to reduce cyber vulnerabilities in process control and supervisory control and data acquisition (Scada) systems. The goal of the project was to identify new types of security sensors for process control networks (see ‘The motivation for LOGIIC’, below).

Sandia worked with project partners to create a simulation test bed and apply this environment to counter potential threats to the oil and gas industry using hypothetical attack scenarios. Sandia researchers created two real-time models of control systems used for refinery and pipeline operations.

Ben Cook, project lead for Sandia, says the objective of LOGIIC was to bring together government, asset owners, vendors, and the research community to protect the critical infrastructure.
He says a key element of LOGIIC's public-private partnership model was the leadership role it gave to industry partners, in this case the oil and gas asset owners, to define the technical problem to be tackled and manage the project towards a successful outcome.

Current control system operators have limited situational awareness, he said. In LOGIIC, industry leaders chose to focus the partnership team’s initial work on addressing their concern that control networks are not monitored for cyber intrusions as is routinely done on business networks. As a result, it is difficult to detect cyber adversaries who might be attempting to compromise critical system components. The monitoring system developed in LOGIIC is based on the very latest commercial enterprise detection and correlation technologies adapted to monitor control networks, providing asset owners with dramatically improved situational awareness, Cook said.

To test LOGIIC’s monitoring capabilities, Sandia researchers came up with five vulnerability scenarios based on cyber compromises commonly used in the hacker community. Two scenarios were extensively tested to illustrate the effectiveness of the LOGIIC monitoring solution. Ray Parks, who led the development of the scenarios, used his background as a member of Sandia's cyber red team, which has performed numerous vulnerability assessments of oil and gas and other critical infrastructure facilities.

As well as experts from the Department of Homeland Security's Science and Technology Directorate, LOGIIC drew on oil and gas expertise supplied by Chevron, CITGO, BP and Ergon Refining. Alongside Sandia, other research was carried out by SRI International and Adventum Labs. Security vendors included ArcSight, 3Com and Symantec. Process control vendors involved in the project include Honeywell, OMNI Flow Computers and Telvent.

Project results were shared at a recent LOGIIC summit in Houston, Texas.
The meeting showcased results and promoted the partnership model as a template for future public-private partnerships to improve infrastructure security. A field test of the LOGIIC solution may begin in 2007.

Motivation for LOGIIC

The process control networks and Scada systems used by the oil and gas industry are facing new threats and vulnerabilities. New threats come from terrorists who want to destabilise energy industry supply capabilities and the national economy. New vulnerabilities have been introduced with the migration to standard IT components such as general-purpose computing platforms and standard operating systems, the introduction of standard networking technology such as TCP/IP and Ethernet in the Scada environment, and the integration of business and process control networks.

The aim of the project is to examine needs and solutions for correlating and analysing abnormal events to provide indications and warnings of cyber-security threats. The end vision is to enable informed response to threats by taking corrective action. The goal of the project is to achieve the ability to correlate abnormal events from the process control network and its interfaces to the business network with alerts from sources on the business network such as intrusion detection systems and firewalls.

The aim of the project partners is to: identify new types of security sensors for process control networks; adapt a best-of-breed correlation engine to this environment; integrate in test bed and demonstrate; and transfer technology to field operations.
