If $3 a gallon for gas seems high, imagine the cost consumers could face if a terrorist attack were to severely damage or cripple America’s oil and gas infrastructure.

Such an attack by viruses, worms, or other forms of cyber-terrorism on oil and gas industry process control networks and related systems could destabilize energy industry supply capabilities and negatively impact the national economy.

To help reduce the chance that such an attack could succeed, the Department of Homeland Security (DHS) and oil and gas companies created Project LOGIIC (Linking the Oil and Gas Industry to Improve Cyber Security). It aims to keep US oil and gas control systems safe and secure.

The LOGIIC consortium, funded by industry and the DHS Science and Technology Directorate, brought together 14 organizations to identify ways to reduce cyber vulnerabilities in process control and SCADA (supervisory control and data acquisition) systems. The goal of the 12-month project was to identify new types of security sensors for process control networks.

One of several related projects

LOGIIC is one of several related information infrastructure protection R&D projects — including the DOE National SCADA Test Bed and the I3P control systems security research programs being conducted by Center 5600’s Information Assurance and Survivability business area led by senior manager Gary Rivord (5610).

A Sandia-created test environment was used to counter potential threats to the oil and gas industry using hypothetical attack scenarios. Based on the knowledge gained from their industry partners, Sandia researchers created two real-time models of control systems used for refinery and pipeline operations.

Ben Cook (5634), project lead for Sandia, says the objective of LOGIIC was to bring together government, asset owners, vendors, and the research community to develop ways to better protect the critical infrastructure. He says a key element of LOGIIC’s public-private partnership model was the leadership role it gave to industry partners — in this case the oil and gas asset owners — to define the technical problem to be tackled and manage the project toward a successful outcome.

“Current control system operators have limited situational awareness,” he says. “In LOGIIC, industry leaders chose to focus the partnership team’s initial work on addressing their concern that control networks aren’t monitored for cyber intrusions as is routinely done on business networks. As a result, it’s difficult to detect cyber adversaries who might be attempting to compromise critical system components.”

The monitoring system developed in LOGIIC is based on the very latest commercial enterprise detection and correlation technologies adapted to monitor control networks, providing asset owners with dramatically improved situational awareness, Ben says.

Sandia scenarios

To test LOGIIC’s monitoring capabilities, Sandia researchers came up with five vulnerability scenarios based on cyber compromises commonly used in the hacker community. Two scenarios were extensively tested.

The first scenario highlighted the increased risk control systems are exposed to as they are increasingly connected to business networks. These networks are in turn commonly connected to the Internet.

“This provides adversaries anywhere in the world with potential access to control systems running key industrial processes like refineries,” Ben says.

Entering either through the Internet or by hacking into a local wireless network, once on the business network an adversary can compromise a computer and learn about the business and its connected networks.

“We wanted to show how someone can get from the outside all the way in through the business network down through the control system and affect a piece of equipment in the field,” says Ray Parks (5612), who led the development of the scenarios. In this role, Ray used his background as a member of Sandia’s cyber red team, which has performed numerous vulnerability assessments of oil and gas and other critical infrastructure facilities.

The second scenario showed how someone can gain physical access to the process control systems from a remote, often unmanned, field site such as a pipeline flow meter. Each pipeline has flow meters at regular intervals to measure the flow of oil or gas.

“By breaching the physical security at a field site, an adversary could potentially then gain access to the control systems network by simply plugging in their laptop,” Ben says. “Once on the control systems network, they could once again disrupt operations, or depending on their intent, they could use the access gained at the remote field site to begin navigating to other corporate networks, potentially even the business network.”

Sandia team effort

In addition to Ben and Ray, the Sandia team includes Weston Henry (5612), John Herzer (5634), and Bryan Richardson (5615).

A major focus of the project involved developing and implementing a realistic test environment at Sandia that would mimic the real system configurations typically found in the oil and gas industry. LOGIIC industry team members either donated or loaned most of the hardware and software required to set up the Sandia test bed. Bryan led this task, coordinating with the process control and network security hardware and software vendors involved in the project to get the test bed components delivered, installed, and configured for the project.

John led subsequent work involving the integration and demonstration of a commercial event correlation technology to help process control

system operators identify and deal with cybersecurity threats.

“Event correlation allows us to collect events such as messages and log entries from many different devices on the network and infer the relationships among them,” John says. “Identifying the connections among many disparate events coming into the control center allows us to filter out much of the noise, identify significant patterns, and ultimately provide the big security picture to the plant operators.”

Weston implemented the attack scenarios developed by Ray, adapting publicly available attack tools and scripting the attack scenarios, which were then executed in the test bed to evaluate the effectiveness of the monitoring and correlation solution framework.

“In LOGIIC, we were able to access industry knowledge that we don’t get from our brief site visits or assessments,” Ray says. “We were able to see the kind of detailed knowledge on how they really work, how their business processes actually happen, the shortcuts they take, what they really put together. With that information, we were

able to build a much better test and a better prototype system.”

LOGIIC partners

LOGIIC brought together experts in homeland security, oil and gas, security research, security technology, and process control technology.

• Government: DHS Science and Technology Directorate
• Oil and gas industry: Chevron, CITGO, BP, and Ergon Refining
• Research: Sandia, Adventium Labs, and SRI International
• Security vendors: ArcSight, 3Com/ Adventium Labs, and Symantec Corp.
• Process control technology vendors: Honeywell, OMNI Flow Computers, and Telvent

Project results were shared at the LOGIIC Summit, Sept. 11, in Houston, Texas. The meeting showcased results and promoted the partnership model as a template for future public-private partnerships to improve infrastructure security. A field

test of the LOGIIC solution will begin later this year. The LOGIIC website is at www.logiicpcs.com.

Doug Maughan, LOGIIC program manager at DHS, says 85 percent to 90 percent of the critical infrastructure in the US is in the hands of the private sector. “The success of this project is a strong example of how private industry can team with the Department of Homeland Security to further the cause of critical infrastructure protection,” he says.