Cyber security attacks on industrial control systems have increased in number and complexity in the last few years. Attacks like Stuxnet and Night Dragon have proven that cyber attacks can have significant negative business impacts and potentially even loss of life.
At the upcoming Cyber Security for Oil & Gas Canada event, Chris Shipp, the Chief Security Information Officer for Fluor Federal Petroleum Operation, will provide an overview of current successful cyber attacks and threats, followed by a live hacking demonstration of a control system, and conclude with a case study demonstrating important security components in control systems. This interview provides a sneak peek of what’s to come at the event …
* The thoughts expressed here are solely the opinions of Chris Shipp and not necessarily those of the Strategic Petroleum Reserve.
HH: Walk us through the journey that led to you being known as the utmost “hacking” expert in the industry.
CS: As Chief Security Information Officer for Fluor Federal Petroleum Operation, I have functioned as the chief cyber security representative at the U.S. Department of Energy’s Strategic Petroleum Reserve for about 14 years.
When I started in October 2000, I was the only person allocated to cyber security. I first got into cyber security via a rather circuitous route because there wasn’t a direct route to become proficient in cyber security. As part of my earlier job history, I worked at a professional services company where we provided maintenance and professional services related to IT systems, implementation of networks and applications and so on for various commercial and federal customers. I have also taught some at Tulane University, and during those years, one of the things that I noticed with respect to the curriculum I was teaching and the systems I was implementing was that there wasn’t a lot of information directly about cyber security. It began to concern me. I had a few customers who were very forward thinking who asked about security and how their data was protected, and so I began to do a lot of my own research, and in that research I became something of a cyber security expert. I’m not really comfortable with that term because I’m still learning and it’s an ever-evolving process, but I became very proficient in cyber security, which is something not a lot of other people at that time were able to achieve simply because there weren’t a lot of avenues or requests for it.
I began to incorporate more security information into the curriculum I was teaching at the local university as well as talking more with my customers about things that we could do to secure their data. Through these conversations, I was put into contact with the Department of Energy because they were looking for a Chief Cyber Security guy. I’ve had the wonderful opportunity to work through a cybersecurity program that really was in its infancy, its adolescence, as most programs were back then, since there weren’t as many federal regulations or they were just starting to be implemented. We were able to build that program all the way through and build a risk management program for both classified and unclassified systems; systems that have to do with standard business operations and control systems.
HH: Although you don’t like to call yourself an expert and instead refer to yourself as a student of your industry, I am very appreciative that you have knowledge of both sides of the coin since you have knowledge of both government and industry cyber security practices. Would you provide a brief overview of the cybersecurity discrepancies between government and business in terms of how they are able to prevent, protect and manage security threats? What can government agencies learn from industry and vice versa?
CS: First let me say that I would divide industry into two separate camps. One would be commercial entities that don’t have a lot of federal or local regulatory requirements specifically related to cyber security yet. And then the other camp would be those that do, like NERC CIP, which is energy regulation with respect to cyber security, HIPAA, which has some cyber security elements related to health information, or the Gramm-Leach-Bliley Act, which applies to financial entities. So, those entities have some very strict regulatory environments that correspond pretty well to typical federal government agency requirements.
I would put other commercial entities that don’t necessarily have that regulatory requirement yet in their own separate camp. With respect to the commercial entities that do have regulatory requirements and typical federal government entities I would group them into one group.
There are two common issues that they have. The first and foremost would be that cyber security personnel typically do not have a strong business background, and so they do not have the capability or the proper business knowledge to present cyber security proposals in a way business decision makers understand and approve of. For example, if I were to tell a decision maker, someone who holds control of a particular budget, “Hey, I need a new intrusion detection system because it does a better job of detecting and stopping the bad guys,” what does that really mean from a business perspective? I haven’t expressed that in terms where a person who is business minded would understand.
Conversely, I would be more successful if I had said, “Look, we have this very important system, and we all agree it is important, but we have seen within the last three months increasingly complex attacks against that system that are coming closer and closer to being successful, and based on that we predict with pretty reasonable probability that that system will be successfully hacked within the next 90-120 days if we don’t introduce this particular intrusion detection system. It will cost you $100,000; if that system were hacked and down for a day, it would cost $1.2 million.”
That is something a business decision maker could understand. What I find when I talk to many different people in the cyber security realm is that often you will find somebody who was initially very technically astute, a brilliant person, and they end up running a cyber security program. They’re very good at what they do, but they don’t necessarily have the business acumen to express the need in that way.
HH: That’s a good point, and let’s jump into the hiring process of these operators. As the saying goes, a business is only as good as its workers, especially for oil and gas companies. What best practices could you provide for the hiring and maintenance of cyber security staff so that they are fully prepared to prevent and address threats?
CS: That’s a great question. In fact, one of the two main issues that I find in organizations with cyber security is that they simply don’t have people with the technical know-how at the technical level to properly implement and maintain cyber security. It’s a difficult problem to solve because cyber security is a relatively new discipline; it’s not as mature, so therefore there are not as many people who have the necessary skill set.
Cyber security is a skill set that would be akin to a specialty in the medical field. For example, you would never try to train somebody to be a cardiologist before they became an MD. First, you learn how to become a good doctor and then you use that as a baseline if you go to finishing school to learn how to be a good cardiologist. The same thing is true with cybersecurity. You can’t learn cybersecurity in a vacuum. A good cybersecurity technical person, for instance, has to build their security knowledge on some other discipline that they have strong knowledge in. For example, they may be a person who’s worked with network infrastructure switches, and so they have a very good working knowledge of those systems and can take that knowledge and build upon it to make good systems for cybersecurity in those environments. Perhaps they are an application developer. They can use that knowledge to build upon and become very good at application security. So, one difficulty is that it’s not a discipline where you can take the smartest person from scratch and teach them fairly easily.
The other difficulty is many colleges do not provide good cybersecurity programs. Often colleges are teaching somewhat antiquated computer science. Not always, but that’s often the case because computer science changes frequently, unlike some other disciplines. The good news is that the National Security Agency (NSA) has established something called the National Centers of Academic Excellence. Colleges can apply for this program, which incorporates cyber security elements into their curriculum, as defined by the NSA. If a student goes through the program and learns those elements, then they have a good working knowledge of cyber security on which to build. Personally, I’ve been able to leverage that avenue to hire several top-notch cyber security people that didn’t require a tremendous amount of education and training to bring them up to speed.
HH: Will you share with us the risk management strategy for the cyber security program at the Department of Energy Strategic Petroleum Reserve? How has vulnerability management, continuous monitoring and incident response evolved during your tenure, and where do you see areas for growth?
CS: I want to make sure I don’t share information that is sensitive, so I will talk about the program that is provided by NIST, which we make heavy use of with respect to risk management.
NIST 800-37 is a wonderful document, and let me point out, too, that NIST standards are paid for and developed by the government and available freely to anyone. There’s a six-step process involved in what NIST calls their risk management framework. It starts with a business process, which is categorizing information systems. For example, in the oil and gas industry you may be talking about a business system or a control system. What does that control system really do for you and how important is it to your mission? That is a business determination, not an IT or cybersecurity determination, so business decision makers must be involved in that process. Based on the determination, you follow a process where you select the appropriate security controls to apply to that system. You implement those controls, and then once they’re set up you continually assess their value and monitor them. It’s a circular process.
Sometimes there’s the misperception by those outside the IT industry that once you develop a system and put it into place it’s fairly static. Nothing could be further from the truth. Even if you have no new projects and just say, ‘we’re running as is,’ you have many, many software and application updates that will change as the risks and updates come out. It’s a continual process to determine how important this system is to our business, and therefore we determine how much time, money and effort we’re going to spend to protect it. That informs the selection of the appropriate security controls, how they’re implemented in the environment and how well they continually operate. That’s the process of boots-on-the-ground implementation and the procedural and technical goals we use for cyber security.
The next question would be how to maintain the system from the perspective of the business. It’s done by storytelling. When I tell people this, they laugh at me because they think it means I’m telling something that’s an untruth, but what I mean is when you hire someone who has a strong background and understanding of cybersecurity and they also have some business acumen then they need to tell a true and accurate story to business decision makers: “This is the risk to the system, this is how we’re mitigating that risk and this is the residual risk.”
I know I’ve emphasized this before, but I see the redundancy again and again. Business decision makers are in business to make money or in the case of a federal government entity, they have a tight budget, so you have to explain to them the benefit of that spend. You have to tell a story in business terms that helps them understand why they should spend the additional dollars, why they should hire the additional personnel or allocate the additional resources to do the additional tasks you’re defining.