Transit, Infrastructure Still Top Worry, but Cyber War Looms
September 1, 2007
Some make security sense.
Video analysis with smarter object alarm and more intelligent motion detection. There’s night vision video working the borders. More sophisticated access controls ranging from biometrics-enabled passports and trusted traveler lanes at some U.S. airports to better and more consistent government IDs as well as fingerprint recognition tied into visitor management systems.
In airports, new people and luggage scanning systems bring a higher level of security while, maybe, speeding up the process. And there’s detection, the almost forgotten sister of video, access and scanning. More cargo and containers now are getting an electronic pat-down. There are Weapons of Mass Destruction (WMD) detectors in some often classified areas around the country and world. And Oak Ridge National Laboratory is in final testing of a “dirty bomb” detection system.
Some are “iffy.”
REAL ID, Homeland Security’s program to have all states issue more consistent and secure driver’s licenses and citizen ID cards, is in the crosshairs of more than a handful of the states. Then there’s that cell phone idea. Embed certain technology into all handsets and a new ring tone will alert to a terrorist gas attack.
Washington, D.C.-based Gentag already has the technology that can perform diagnostic functions from a cell phone. Its patent called the Method and Apparatus for Wide Area Surveillance of a Terrorist or Personal Threat would allow handset makers to program devices to detect most chemicals, from pollen and carbon monoxide to the noxious gases released by criminals or terrorists.
It is uncertain if cell phones users would want terror ring tones over, say, a Prince song; and it could be that people will react poorly to this “Big Brother” program while accepting traveler biometrics and video on the streets.
And some may have hidden agendas.
Take license plate recognition. While making sense for certain applications such as parking lot and garage access, use in Red Light cameras and in a New York City plan to throw up cameras in midtown Manhattan with license plate recognition seem aimed more at generating additional local government revenue than catch a terrorist. And there’s those day/night cameras on private Texas border land in which that state’s government wants images shown on the Internet so that everyone can catch an illegal immigrant. Just think about that number of false alarms.
Newer yet is the increased fear of cyber wars between countries and cyber terror attacks.
Just months ago, the Republic of Estonia experienced a massive cyber attack that brought down government servers in a broad-based distributed denial of service incident. Some suggested the Russian government was involved. U.S. Homeland Security, NATO and even private firms such as Cisco Systems have active programs to alert to cyber attacks, take action as well as develop prevention models. Cisco executives see the Internet as a national infrastructure as important as electricity, gas and oil.
In the U.S., so-called “Black Ice” training sessions have been held for more than five years in an effort to anticipate and better handle terrorist cyber attacks, sometimes timed with physical attacks often on U.S. infrastructure.
For this special homeland report, Security Magazine asked Yahya Mehdizadeh, a world-recognized security expert specializing in protecting oil and gas assets, to provide insights that all chief security executives can share. The contribution follows.
To protect oil and gas assets, the challenge centers on addressing these assets from a holistic view (logical and physical security) while taking into account all aspects of these revenue generating enclaves.
The International Energy Outlook predicts that with an average annual growth rate of 3.8 percent, oil consumption will rise from 80 million barrels per day in 2003 to 98 million bbl/d in 2015 and then to 118 million bbl/d 2030. This increase in demand, along with an anticipated price rise per barrel, has made the security of oil and gas assets crucial.
Furthermore, according to a recent benchmark index, the cost of major oil and gas production projects has raised more than 53 percent in the past two years and no significant slowing is in sight. Add to this the very nature of oil and gas makes it an attractive target for terrorists such that a potential impact of a successful attack can be magnified on the local environment or global economies. Since much of the assets are located in remote, isolated terrains encompassing oilfields, refineries, production facilities, pipelines, corporate offices and transportation infrastructures, security is even a bigger ordeal.
The key strategy: Address security from a holistic view while taking into account all aspects of these revenue-generating enclaves.
LOGICAL SECURITYPeople are one of the most important, if not the most important, asset of any energy company. Logical security focuses on authentication and authorization. Authentication is the process of determining whether someone or something is, in fact, who or what they declared to be, usually done through the use of logon passwords. Knowledge of the password is assumed to guarantee that the user is authentic. Usernames and passwords granting access to corporate intranets and other systems are examples of authentication.
Authorization on the other hand looks at the permission granted to do something or have something, and the associated privilege of use. Accessing networks, file directories, real-time production data, along with the time and level of access, are all within the realm of authorization. Defining which users are granted access to which systems are determined by the level of authorization.
From a security perspective, process becomes very important by creating the needed framework to secure a business or technical outcome.
Examples of process in logical security are: How should production data be transmitted from service companies to asset holders? What is the data classification and encryption policy for seismic data? What is the disaster recovery process for production servers? How often are username and passwords changed/audited? What is the incident response for a breach on the corporate network? What is the corporate security policy on remote access? What are the security requirements for connecting customers and suppliers? How should access be granted to exploration data from multiple wells to various asset holders without compromising competitive information?
The key issue with process is that it needs to be defined based on the corporate security policy and more important enforced through automation tools ensuring proper management approvals throughout the various phases to get the desired outcome.
One of the biggest logical security exposures impacting technology for energy producers is Supervisory Control and Data Acquisition (SCADA) systems, which are vulnerable to physical and cyber attacks. Recent studies have shown three primary concerns related to SCADA security.
1) Unsecured data transmissions: Older SCADA systems still transmit both data and control commands in unencrypted clear text. This allows potential attackers to easily intercept and issue unauthorized commands to critical control equipment.
2) Open public network connections: Recent advances, such as Web-based reporting and remote operator access, have driven the requirement to interface with the Internet. This opens up physical access over the public network and subjects SCADA systems to the same potential malicious threats as those corporate networks face on a regular basis.
3) Technology standardization: SCADA systems have begun to use operating systems such as Windows, UNIX and Linux which are all susceptible to numerous attacks.
When it comes to logical security, there needs to be a focus on the preservation of confidentiality, integrity and availability. Confidentiality ensures that information is accessible only to those authorized to have access. Integrity safeguards the accuracy and completeness of information; and availability ascertains that authorized users have access to information when required.
PHYSICAL SECURITYPhysical security addresses the protection of personnel, assets, facilities, hardware and data from physical circumstances and events such as fire, natural disasters, burglary, theft, vandalism and terrorism. Determining who is authorized and approved to gain physical access to these facilities and with the right credentials and training is crucial. More so, once access is granted, authorization looks at what privileges are granted in a secured or restricted area based on position and training. Field engineers, directional drillers and asset managers all must go through proper authentication and authorization to gain access to any oil producing facility. This entails not only validating the identity of the person with a badge or ID but also ensuring they have the needed operational and safety training prior to entering the premises.
No doubt, the security personnel that protect and grant access to the premises are a major component of physical security. The very presence of security personnel acts as a terrorist deterrent. In guarding structures, security personnel are integral since cameras, motion sensors, barricades and scanners cannot interact with people the way a human can and are not as mobile. The human factor allows the security personnel to see it from their perspective. This can work to an advantage since a human thinks like other humans, and with that thought process may be able to pre-empt a potential access breach by finding it before an intruder could. Lack of proper training, defined processes and a valid incident response program have been main concerns when it comes to the security of personnel.
For all types of enterprises, optimizing production, increasing recovery, reducing costs and ensuring the safety of the personnel and operations are primary goals. So the physical security process should be defined with these objectives in mind. Physical security specifically uses technology to monitor and mange people and facilities by authenticating and authorizing the individual’s access, looking for anomalies, and deterring possible malicious attacks or security breaches. Access control systems, which include door controllers, egress motion detectors, keypads, readers, badges, biometric readers and time and attendance systems form the barrier defense systems that decides where an individual can go or not go.
ASSESSMENT GUIDELINESAccording to Mehdizadeh, there are six important elements.
- The scope of the assessment including the people, assets, infrastructure, facilities and operations that were assessed needs to be defined.
- A summary of how the assessment will be conducted including details of the risk management process used need to be identified.
- Strategically important assets, infrastructure and operations that need to be protected should be identified and evaluated.
- Possible security risks to people, assets, infrastructure and operations, and the likelihood and consequences of their occurrence need to be identified and assessed.
- Existing security measures, procedures and operations need to be documented.
- Selection and prioritizing of possible risk treatments and their effectiveness in reducing risk levels including identified vulnerabilities need to be outlined.
MITIGATION STRATEGIESNow that terrorist threats have been identified, proper mitigation strategies must be implemented to off-set these risks. Any mitigation strategy should be part of the overall corporate security objective which is mandated and endorsed by senior management (i.e. the chief security officer and, ultimately, the CEO) and should be based on a “defense-in-depth” approach, where multiple layers of defense are placed within systems, people, technology and process. It is important that the corporate security goal be aligned with the business strategy.
A mitigation strategy typically begins with a comprehensive risk assessment allowing for proper evaluation of the physical and logical security posture of the assets. Once the assessment is done, the next step is implementing the appropriate countermeasure. Countermeasures can be deterrent in nature which reduces the likelihood of a deliberate attack. This requires having proper incidents response, policy, procedure and change management in place. Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact.
Authentication and authorization systems, encryption, personnel security and awareness training are solid control mechanisms to implement. Corrective controls such as physical security and network segmentation reduce the effect of an attack. But it is only through detective controls such as monitoring and measurement, audit/logging and intrusion detection, that attacks are discovered triggering preventative or corrective controls to contain the assault.
A comprehensive cyber security policy is crucial to securing logical access to any infrastructure environment, where security controls such as firewalls, intrusion prevention systems, anomaly-based network detection systems and identity and access management systems, create boundaries between networks by controlling the flow of traffic between different logical segments thus providing security. Add to this virus-detection software, anti-spyware programs and proper patch management and you’ve minimized the risk of a logical security incident driven from a terrorist or disgruntled employee.
In fighting terrorism or criminal elements, each asset needs to be viewed independently to identify the potential vulnerabilities associated with them.
Physical security looks at two main components to secure these assets. First, is placing hardened obstacles in the way of potential attackers to prevent or minimize the level of attack. Such measures can include walls, fences, cement barricades and fireproof gates. Second, surveillance and notification systems should be put in place, such as cameras, motion sensors, lighting, heat sensors, smoke detectors, intrusion detectors, radar systems and alarms to allow for monitoring and managing security incidents or breaches.
The first zone or “outer zone” should be extended at least two miles from the actual facility. Any individual, vehicle or boat entering the outer zone must present valid credentials and to identify their name, destination and purpose of visit. Once the credentials have been verified and cargo/vessel inspected, initial security is granted only when the “visitor” is accompanied by security staff to the final destination. The “inner zone” where the actual facility is located should be guarded at all times by identifiable security personnel and non-security personnel (plainclothes) who have been designated by the company as safety officers.
INCIDENT RESPONSE GOALSObserved Mehdizadeh, there are eight response goals of security.
- Verify that an incident occurred
- Maintain or restore business continuity
- Reduce the incident impact
- Determine how the attack was done or the incident happened
- Prevent future attacks or incidents
- Improve security and incident response
- Prosecute illegal activity
- Keep management informed of the situation and response.
WHO IS RESPONSIBLE?Ultimately line managers are responsible and accountable for implementing security programs. It is up to them to enforce security guidelines and policies throughout their departments and people.
However, to drive the importance of security, the mandate and directive need to come from the C-level executive management organization. Due to the convergence of logical and physical security, the responsibility of security should be shared by the chief information officer, chief security officer and the health, safety and environment function. These organizations need to work together to create a comprehensive anti-terror program to provide the needed structure and information. This collaborative security consul will have a primary responsibility to define and implement incident response teams and plans and to assist line management implement standards and then quantify the compliance by conducting periodic impromptu audits.
SECURITY VIDEO, GPS REQUIREMENTSAccording to Mehdizadeh, there are a number of crucial elements.
- Support JPEG and MPEG4
- Progressive scan CCD image sensor
- 30 frames-per-second
- Pre-posts alarm buffers
- Input/output for external devices
- Pan 360, tilt 180, zoom
- Clear picture in low light
- Intrinsically safe
- IP capabilities
- Watch, pager or implantable
- Small, durable and moisture-resistant
- Long battery life
- Work inside buildings
- Support quad band 850/900/1800/1900
- GPS assist function
THE TECHNOLOGY FACTORTechnology plays a vital role in the homeland security structure. It provides the real-time infrastructure needed to review a situation and take the necessary response. When it comes to physical security, perimeter intrusion should be the primary line of defense to prevent unauthorized access to secure facilities. Most of these systems include video detection systems and alarm-activated sensors tied to a command and control center. In addition it is highly recommended to use digital video motion guard technology which analyzes, detects and records all movements and background changes in the picture scene, where even changes as small as three pixels can trigger an alarm and log an event.
Last but not least, barrier sensors providing both physical barrier to intrusion and sensors for detection should be deployed. And finally for covert coverage, radar and microwave systems provide a proactive means for detecting motion and movement of objects towards the assets.
Two technologies that have proved effective are global positioning systems or GPS and asset tracking. The GPS location systems should be used to track the movement and location of personnel in high risk areas. For personnel in remote danger zones where risk of kidnapping is high, embedded GPS devices can be very useful in finding people should an event take place. New generation RFID tags provide instant location information for the any asset that is tagged.
Command and control centers (CCS) are the heart of any logical and physical security system. Based on a network-centric architecture, a typical CCS collects intelligence and information from sensors and other relevant sources, processes and analyzes the information and provides the results to the analyst, giving that person total situational awareness for appropriate action.
On the logical side, the system should use security event management or SEM technology where input from logs and alerts from a variety of systems, such as firewalls, routers and servers are gathered analyzed and correlated, and then informs the security analyst of unusual occurrences which warrant further investigation.
On the physical side, the CCS is tied to the perimeter intrusion detection system with the ability to control access, monitor alarms, digital video, intrusion detection and provide asset tracking for employees and visitors. The information from both the logical and physical systems should be correlated to provide answers to two simple questions: What is the incident? And how do we resolve it?
Communications systems are the most critical component of any logical and physical security infrastructure. The communications infrastructure not only provides the real-time capabilities for the various systems that are monitored, but also is key to any mitigation actions that need to be taken. Hence communications should be designed and built with redundancy and resiliency in mind.
Building multiple data paths with diverse vendors is a must. Combining terrestrial lines with non-terrestrial technologies such as wireless, GSM networks and satellite connectivity is crucial in any terror-sensitive environment. It is essential that the design consider bandwidth requirements, application latency and committed information rate to ensure the network supports the intended security applications.
About Security’s ExpertYahya Mehdizadeh has more than 18 years experience designing and deploying logical and physical security systems for leading companies in the oil and gas industry. He can be reached at email@example.com
SIDEBAR: Video Analytics Springs ForwardBusiness and homeland security driven, companies are releasing libraries of image processing software to video manufacturers and systems integrators.
A recent case in point: Eutecus just introduced an integrated image processing software environment with tools and libraries especially optimized to run at extremely high speeds on embedded vision systems. What the firm calls InstantVision features a new library especially designed to help application developers and systems integrators working in the rapidly expanding security/surveillance video content analysis sector to build powerful embedded applications with reduced time-to-market.
The bandwidth and processing demands of today’s video content analysis systems require that image processing move from central servers to embedded systems at the edges of the network.
SIDEBAR: Worldwide Web Security Snapshots
- Experts estimate there are now over 100,000 different types of spyware programs on the Internet, with more than 80 percent of all business computers estimated to be infected with one or more programs.
- Up to 50 new bots are now detected every day. Around 95 percent of all spam is sent via zombie PCs - with up to one million new machines infected each day.
- In 2006, Japan’s security agent, IPA, detected almost 45,000 different viruses on the Internet worldwide.
- The global watchdog Spamhaus blocks more than 50 billion e-mail spam messages every day. www.itu.int/cybersecurity
SIDEBAR: Most Common Terror TargetsAccording to a study by New York University’s Wagner Graduate School of Public Service, the most common components targeted by terrorists have been distribution facilities (69.5 percent) and production facilities (15.1 percent). Within the distribution facilities, the most commonly attacked components are pipelines. This global climate according to an oil and gas security summit forces the international petroleum industry to spend about $1.75 billion dollars a year on security measures for exploration, production, transportation and refining.
SIDEBAR: World Climate for Incidents
- May 2004, attacks on Saudi government facilities caused security concerns for the largest oil producer in OPEC.
- December 2004, around 300 unarmed Nigerians from the Kula community in southern Niger Delta seize three oil flow stations operated by multinational oil companies Shell and Chevron, shutting down 100,000 barrels per day (bbl/d) of production for one week.
- March through April 2005 saw numerous attacks by insurgents on the Iraqi pipeline carrying crude oil from Kirkuk to Daura and Bayji.
- January 2006, heavily armed militants stormed a Royal Dutch Shell facility in the volatile Niger Delta region in Nigeria, killing at least 17 people.
- February 2006, Yemen security forces foiled an attempt by suicide bombers to blow up two oil installations with explosives-laden cars.
- February 2007, Canadian Public Safety Minister Stockwell Day considers terror groups calling for jihadists to attack Canada's oil and natural gas facilities to starve the United States of energy.
- April 2007, 65 Ethiopians and nine Chinese oil workers were killed in an attack on an oil field in Ethiopia's remote Somali region.
- May 2007, six foreign oil workers were kidnapped and a Nigerian sailor was killed when dynamite-wielding militants from the Movement for the Emancipation of the Niger Delta attacked an oil vessel.
SIDEBAR: Thermal Imagers Get More CompactAt America’s borders and in airport and energy infrastructure applications, night video is gaining.
For instance, FLIR System's new thermal imaging cameras consist of four available infrared cameras with focal lengths of 19, 35, 50 and 100mm. All cameras are built around highly reliable uncooled infrared sensors, and use a composite video output which makes them well-suited to legacy network installations.
Such emerging technology, easily integrated into existing networks, uses a thermal imaging technology that is completely passive, but still able to detect intruders at ranges in excess of one mile. The homeland security tech is based on microbolometer infrared sensor technology, creating images from the thermal energy given off by the objects and people within its field-of-view. No active illumination is needed, making covert surveillance of wide areas effortless and tight security of large fence-less areas easy.
SIDEBAR: Smaller but Mightier BarricadesThe trend in barricades is to smaller equipment that’s easier and faster to install. One example, Delta Scientific started the first phase in which the Phoenix Sky Harbor Airport parking structures will incorporate shallow foundation barricades. This fast, small, shallow foundation barricade is K12 crash certified with no penetration, meaning it will stop a 15,000 pound (66.7 kN) vehicle traveling 50 mph (80 kph) dead in its tracks.
Set in a foundation only ten inches deep versus the standard 18 inches on most shallow foundation barricades, the gear survived and operated after a crash test with a 1.5 million foot pound impact, exceeding Department of State and Department of Defense test standards.
Important for Sky Harbor’s busy parking structures, the unit will go from the “down” to “up” position in less than one-half second and is designed for heavy use of more than 100,000 cycles per month, providing increased security for such high capacity locations. In the lowered position, the barrier ramp is completely flush with the roadway. Buttresses, counterweights and road plates do not obstruct authorized pedestrian or vehicular traffic.
SIDEBAR: Check Fingerprints of VisitorsThere have been instances of visitors to corporations trying to slip through security at the reception desk to steal products or intellectual property or conduct terrorist surveillance.
Now visitor management can include fingerprint biometrics.
EasyLobby, for one, now offers its visitor management solution with fingerprint capture and matching for quickly identifying and processing returning visitors.
Thousands of organizations have replaced their outdated paper sign-in logs with computerized visitor management systems. Instead of just capturing a visitor’s scribbled, unreadable name in a guest book, these systems electronically read the visitor’s ID (driver's license, passport or business card), and capture all relevant information about them in a SQL Server or Oracle database, including the name of the person being visited, the reason for the visit, entry and exit times, photo and signature, and now fingerprint as well. In 20 seconds or less, the visitor is professionally checked in and a high quality, customized visitor badge is printed in full color.
Now EasyLobby’s system, for example, lets enterprises and their reception and security operations to verify a returning visitor’s identity and check them in or print them a badge with just the touch of their finger to a reader. For returning/frequent visitors, this method will be much faster than doing a license scan or a database lookup by name.
SIDEBAR: Emergency Response VehiclesIn situations that require emergency response, or for mobile communications during homeland security incidents or special events, every second counts. Security officials and first responders must rapidly establish command presence, resource control and communications interoperability for incident command and control.
Uniquely, Cisco Systems, better known for its router business, now has a state-of-art network emergency response vehicle. The six-wheel truck maintained by the firm’s tactical operations support team assists both its own internal customers and external customers in establishing essential communications.
The entire system is self-contained and can be operational in less than 20 minutes after arriving at an incident. The vehicle includes, among other tech, a Cisco IP telephone solution; land mobile radio capability for total cross-band interoperability; IP-based video surveillance; wireless connectivity; audio and Web conferencing as well as more traditional video conferencing.