A few years ago, I worked alongside some oil commodity traders. Environmental concerns aside, I never realized how many parts were required to get the oil out of the ground, not to mention everything else that finally resulted in the production of refined products that surround our lives. As a cybersecurity professional, I was more interested in how all the pipelines were intertwined and, of course, protected.

When the commodity traders asked me to install the America Online Instant Messenger application onto their desktops, I hesitated. For what legitimate purpose could an office use such an application? They informed me that a person standing on an oil rig in the ocean would use AOL-IM to communicate operational advisories to people working on the mainland, including the commodity traders. This instant knowledge enabled them to execute trades, predict the futures markets, and facilitate a group of other commodity trading endeavors. However, I was thunderstruck at this lack of security forethought by an entire industry!

I saw some of the communications, which were quite elegant in their simplicity, and quite scary from a security perspective. To paraphrase:

Oil Rig Operator: Valve 725 open at line 60.

Group recipients: Understood. Will notify downstream operators.

Can you ponder some of the varied ways that a malicious actor could wreak havoc with such information?

Introducing the Pipeline Cybersecurity Initiative

Fortunately, in recent years, the Department of Homeland Security has developed a plan to increase the security of this area of critical infrastructure. This plan was then assigned to the Cybersecurity & Infrastructure Security Agency (CISA) to carry out its implementation. It is called the Pipeline Cybersecurity Initiative (PCI), and while I wish they had come up with a better name so as to avoid confusion with the PCI-DSS Standard, I will not quibble.
