Industry, Government Secure Infrastructure With LOGIIC

Signal, Feb 2007 by Lawlor, Maryann

However consumers may think of oil companies as they fill their gas tanks these days, they might be surprised that the oil and gas industry is leading the way in cybersecurity with some significant work. The result of a workshop that took place more than two years ago, the project solidifies a new model for government-industry collaboration and creates a protection method for industry-specific systems that connect to business networks.

Called Project LOGIIC, which stands for Linking the oil and Gas Industry to Improve Cyber Security, the work began when oil and gas industry leaders expressed concerns to the U.S. Department of Homeland Security (DHS) about cybersecurity in general and control systems security in particular. Business leaders from companies such as Chevron met with the DHS cybersecurity leadership team to identify a path forward on security issues. After several brainstorming sessions, industry representatives decided that they should focus on improving the security of the process control systems they rely on to manage the pipelines.

Sandia National Laboratories, Albuquerque, New Mexico, joined the effort in March 2005 to provide technical guidance for the project. Ben Cook, LOGIIC's project lead at Sandia, explains that LOGIIC actually is the name of two connected yet distinctly different efforts. First, LOGIIC refers to the way industry and the government, specifically the DHS, collaborate. "One of the key elements of this partnership model is that industry is given a leadership position. We saw that in our case over the past year. Industry officials had the lead in selecting the problems that were of interest to them, and they were intimately involved in the project. In our case they actually managed the project," Cook relates. Government and industry shared equally in supplying program resources, including funding and personnel, he adds.

Second, the acronym refers to the specific project involving the DHS as well as Sandia, oil and gas companies, research organizations, security vendors and process control technology companies. The endeavor, also called LOGIIC, is the first example of how the partnership model can produce tangible results.

The changing face of networking in the oil and gas industry is one of the reasons for the heightened importance of cybersecurity, Cook states. In the past, process control systems were isolated and companies used proprietary operating systems at the pipeline control sites. If someone gained access to one computer and tried to install malicious software or a virus, the attempt would most likely fail, and a virus would have no way to spread. "Now, control system networks look very much like business networks; they use the same technologies. They're connected to one another, and those control system networks are connected indirectly to the Internet through business networks. So they have the same type of threat exposure that business networks have. All of a sudden the control system networks are at risk," he explains. The vulnerability level should not be over sensationalized, Cook stresses, because high-consequence networks have backup safety systems that avert cyber intrusions.

The Sandia team focused on improving situational awareness for network security. Toward this end, the researchers decided not only to take advantage of information gathered from business networks such as intrusion detection systems, but also to apply enterprise security technologies to the process networks that are used for pipeline control. Sandia scientists worked with control system vendor partners to build a laboratory model of the system architectures used in the field. With this model as a testbed, the team deployed emerging commercially available security solutions such as intrusion detection devices and embedded firewalls.

To ensure that security personnel would not be overwhelmed with information, the team brought in an enterprise security management (ESM) application that acquires data from the security devices. A programmable LOGIIC controller that interfaces with the mechanical device or flow computers located on a pipeline incorporates data about events, including cyberattacks and state-of-health indications. The data then is aggregated, and security events are prioritized so that patterns can be identified.

To test the effectiveness of the security system, Sandia researchers developed five vulnerability scenarios, and the laboratories' red team created a model of potential adversaries. The scenarios included attacks through the Internet, extranets and wireless connections as well as a tap into one of the network nodes at a pipeline location.

"By the end of the project we had taken all of these vendor products and we had simulated a whole enterprise-a business network connected to the demilitarized zone connected to the control system network in our lab that used real control system technologies. We thought about the vulnerabilities of that architecture. We went out and identified and deployed these best-of-breed security technologies-point solutions, in a sense. Those point solutions were integrated through the correlation engine, which provides the bird's eye view of what's happening within the system and prioritizes what turns out to be the millions and millions of events that were generated," Cook says.