Energy utilities certainly have not been spared by hackers who for years have targeted vulnerabilities in process control systems and networks with alarming success.
In a move to close the gap and keep that corner of U.S. critical infrastructure secure, a new information sharing group emerged this week in the oil and natural gas industries. It hopes to formalize the trade of threat intelligence and indicators of compromise, eventually in an automated and machine-readable fashion.
Modeled after the well-established Financial Services Information Sharing and Analysis Center (FS-ISAC), the ONG-ISAC is busy recruiting members and simultaneously planning the mechanisms by which its members, many of which are likely to be competitors, will share information on attacks and hackers.
“This is very important because companies realize the benefits of knowing what threat actors might be targeting in the industry,” said ONG-ISAC chairman David Frazier. “Perhaps an individual company may not be a target, but they realize the benefits of knowing if a competitor or a service provider is a target.”
In the past 18 months, hundreds of incidents have been reported to the Industrial Control System Cyber Emergency Response Team (ICS-CERT), many of which involved energy companies hit by advanced attacks or companies falling victim to straightforward SQL injection attacks, for example.
“We know from just reading the press that many of the companies have been targets,” Frazier said. “But the ability to know about that before it hits the press, not to the extent of what was taken, but the raw indicators giving us intelligence about how we spot threat actors and what tools can we use in our SIM or IPS to know what they’re targeting. That’s so important.”
Frazier, whose day job is senior director of IT security, controls and risk management at Halliburton in Houston, is trying to recruit organizations already involved in informal sharing relationships through the American Petroleum Institute, primarily its IT security subcommittee. The API is a sponsor of the ONG-ISAC and some threat and intelligence sharing happens at quarterly meetings, Frazier said, but it’s more likely to happen between peers than in a group setting.
One of the new ISAC’s immediate goals is to provide a mechanism for sharing without attribution; anonymity has long been a hurdle for success in information sharing because companies are hesitant to share anything with competitors, even data that could be for the greater good. Frazier said the ultimate goal is to make the dissemination of threat data automatic and machine readable.
“Each company would be responsible for not sharing confidential information beyond their company, but to be able to share indicators of compromise and have the ability to do so without attribution is attractive,” Frazier said. “Company A may not tell you details about a breach, but they may have indicators they can share anonymously with Companies B, C and D, and that would make the industry stronger.”