Presentation to WVONGA (spring meeting 2018)
Cybersecurity Vulnerabilities and Process Frameworks for Oil and Gas
Jack L. Shaffer, Jr.
Business Transformation Director
vCIO / vCISO
2017 Cybersecurity in the news
- Ransomware: WannaCry, NotPetya, and Bad Rabbit.
- Verizon: security lapse exposes 14 million customers' data
- Uber: 57 million customers' data exposed
- Equifax: 145 million Americans impacted
- Yahoo: breach expands to 3 billion users
Energy industry under attack
- Cyberattack Shows Vulnerability of Gas Pipeline Network - 4/4/2018 - New York Times
  - Compromise and service interruption of Latitude Technologies
  - Nomination / EDI system
- Hackers halt plant operations in watershed cyber attack - 12/14/2017 - Reuters
  - Hackers likely working for a nation-state recently invaded the Triconex safety system, widely used in the energy industry, including nuclear and oil and gas plants.
What makes the Oil and Gas Industry vulnerable to cyber attacks?
- Lack of Awareness and Training
  - Employees with a lack of training are likelier to commit errors that leave the system open to attack. This is especially true for field personnel as the internet of things (IoT) proliferates.
- Remote Work
  - Although this technology keeps people away from harmful locations and tasks, the trade-off is more cybersecurity vulnerabilities: a remote-access path lets an attacker gain access and perform any task an employee can, without detection.
- Using IT Products with Known Weaknesses
  - Opting to use IT products with known weaknesses because of economics or vendor inattentiveness to patching or updating systems. Old systems are more vulnerable because their vulnerabilities have been more widely distributed.
- Cybersecurity Culture Is Limited
  - Even in a very technological culture, cybersecurity remains a niche sector, and in field operations even more so.
What makes the Oil and Gas Industry vulnerable to cyber attacks? (continued)
- Data Network Separation Is Insufficient
  - Insufficient separation of data networks provides more avenues for attack, e.g. SCADA or EM systems on the same computer network as accounting systems.
- Lack of complete asset inventory
  - Not knowing what your assets are, what technology platforms they run, which software versions, etc. is an opening for attackers. You can't protect what you don't know about.
- Software Weaknesses
  - When choosing software to aid with cybersecurity, the oil and gas industry should be wary of the lowest bidder. Not all software is the same when it comes to security.
- Outdated and Aging Control Systems
  - Cybersecurity threats constantly evolve, with hackers working to exploit systems old and new. Whereas new systems at least have recent threats in mind during their development, outdated systems may not be equipped to handle newer issues. Technology continues to develop at a rapid pace, and hackers are adapting. The oil and gas industry needs to adapt as well, requiring frequent updates of its control system software and infrastructure (i.e. patches/updates).
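As an added example (not part of the slides), the following Python check runs over a constructed asset inventory and flags the two gaps named above: OT (SCADA/EM) assets sharing a network segment with business systems, and assets on platform versions below a support floor. The hosts, addresses, segment list, role names and version floors are all assumptions made for this example, not real data.

```python
"""Inventory checks for two gaps named on the slide above: SCADA/EM systems on the
same network as business systems, and assets on platform versions the vendor no
longer patches.  All records, segments and version floors below are constructed
sample data (an assumption for this example), not a real network."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    role: str       # "scada", "em", "accounting", "workstation", ...
    platform: str   # "Windows", "Linux", "PLC-firmware", ...
    version: str    # dotted version string as recorded in the inventory


# Constructed sample inventory (hypothetical hosts and addresses).
INVENTORY: List[Asset] = [
    Asset("rtu-01",    "10.10.1.10",   "scada",       "PLC-firmware", "2.4.1"),
    Asset("hist-01",   "10.10.1.20",   "scada",       "Windows",      "6.1"),
    Asset("acct-srv",  "10.10.1.50",   "accounting",  "Windows",      "10.0"),
    Asset("em-gw",     "10.20.0.5",    "em",          "Linux",        "4.4"),
    Asset("fin-ws-03", "10.30.5.17",   "workstation", "Windows",      "10.0"),
    Asset("field-hmi", "192.168.77.4", "scada",       "Windows",      "10.0"),
]

# Roles that belong on the operations side vs the business side (assumed labels).
OT_ROLES = {"scada", "em"}
IT_ROLES = {"accounting", "workstation"}

# Network segments the organisation has declared (constructed).
SEGMENTS = [ip_network("10.10.1.0/24"), ip_network("10.20.0.0/24"), ip_network("10.30.0.0/16")]

# Lowest platform version still receiving patches (constructed floors, not vendor data).
MIN_SUPPORTED: Dict[str, str] = {"Windows": "10.0", "Linux": "4.19", "PLC-firmware": "2.5.0"}


def segment_of(ip: str):
    """Return the declared segment containing ip, or None if it is in no known segment."""
    addr = ip_address(ip)
    for net in SEGMENTS:
        if addr in net:
            return net
    return None


def version_key(version: str, width: int = 4) -> tuple:
    """Dotted version -> zero-padded integer tuple so '10' and '10.0' compare equal."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def mixed_segments(assets: List[Asset]) -> List[str]:
    """Segments where OT roles and IT roles share a network (insufficient separation)."""
    roles_by_segment = {}
    for a in assets:
        roles_by_segment.setdefault(segment_of(a.ip), set()).add(a.role)
    return sorted(
        str(seg) for seg, roles in roles_by_segment.items()
        if seg is not None and roles & OT_ROLES and roles & IT_ROLES
    )


def unsupported_assets(assets: List[Asset]) -> List[str]:
    """Assets below the support floor for their platform, or on a platform with no floor."""
    flagged = []
    for a in assets:
        floor = MIN_SUPPORTED.get(a.platform)
        if floor is None or version_key(a.version) < version_key(floor):
            flagged.append(a.name)
    return flagged


def unknown_segment_assets(assets: List[Asset]) -> List[str]:
    """Assets whose address matches no declared segment: the inventory itself is incomplete."""
    return [a.name for a in assets if segment_of(a.ip) is None]


def report(assets: List[Asset]) -> Dict[str, List[str]]:
    """Collect all three findings in one place for a risk-assessment worksheet."""
    return {
        "mixed_ot_it_segments": mixed_segments(assets),
        "unsupported_versions": unsupported_assets(assets),
        "unknown_segment": unknown_segment_assets(assets),
    }


if __name__ == "__main__":
    for finding, items in report(INVENTORY).items():
        print(f"{finding}: {', '.join(items) or 'none'}")
```

On the constructed data the check flags the 10.10.1.0/24 segment (a SCADA historian and an accounting server side by side), three assets below their version floor, and one HMI whose address matches no declared segment.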
So what should we do?
Natural Gas Standards / Frameworks
- ISO 9000
  - ISO 9000 is a set of international standards on quality management and quality assurance, developed to help companies effectively document the quality system elements to be implemented to maintain an efficient quality system. They are not specific to any one industry and can be applied to organizations of any size.
  - ISO 9000 can help a company satisfy its customers, meet regulatory requirements, and achieve continual improvement. However, it should be considered a first step, the base level of a quality system, not a complete guarantee of quality.
- ISO 14001
  - ISO 14001 is the international standard that specifies requirements for an effective environmental management system (EMS). It provides a framework that an organization can follow, rather than establishing environmental performance requirements.
  - Part of the ISO 14000 family of standards on environmental management, ISO 14001 is a voluntary standard that organizations can certify to. Integrating it with other management system standards, most commonly ISO 9001, can further assist in accomplishing organizational goals.
Cybersecurity also has frameworks
- ISO/IEC 27000 Family (27001/27002)
  - The ISO/IEC 27000 family of standards helps organizations keep information assets secure. Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
  - https://www.iso.org/isoiec-27001-information-security.html
- Center for Internet Security (CIS) Critical Security Controls
  - CIS Controls Version 7 - https://www.cisecurity.org/controls/
- National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Security
  - Framework for Improving Critical Infrastructure Cybersecurity Ver 1.1 Draft 2 - Dec. 2017 - https://www.nist.gov/cyberframework
- Payment Card Industry (PCI)
  - PCI Data Security Standard (DSS) - Ver 3.2 - Apr. 2016 - https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
- Energy Industry developed:
  - Cyber security in the oil and gas industry based on IEC 62443
  - DNVGL-RP-G108 - https://www.dnvgl.com/oilgas/download/dnvgl-rp-g108-cyber-security-in-the-oil-and-gas-industry-based-on-IEC-62443.html
Information Security is a PROCESS, not just a firewall!
Process elements (from the slide's cycle diagram):
- Annual Risk Assessment
- Security Awareness Training
- Policies and Procedures
- Threat Management
- Security Event Monitoring
- Change and Configuration Management
- Access Control
Action Items
- Work with your IT department during all phases of a project, not just implementation
  - The reality is that most devices have internet connectivity today (Internet of Things, IoT)
- Train your field personnel on cybersecurity awareness
- Conduct a true security risk assessment
- Implement a security information and event management (SIEM) system to monitor all network activity
- Build an asset inventory with technical details
Action Items (continued)
- Push current vendors to acquire security-related cybersecurity certifications and frameworks, like NIST, and evaluate new vendors that already have them
- Work with your IT department to implement and merge ISO / NIST standards for field operations and cybersecurity
  - Provides a complete best-practice set of frameworks
Questions
advantage.tech/expert
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneUiPathCommunity
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 

Recently uploaded (20)

QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdf
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyone
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 

Cybersecurity Presentation at WVONGA spring meeting 2018

  • 1. Presentation to WVONGA: Cybersecurity Vulnerabilities and Process Frameworks for Oil and Gas. Jack L. Shaffer, Jr., Business Transformation Director, vCIO / vCISO
  • 2. 2017 Cybersecurity in the news
      - Ransomware: WannaCry, NotPetya, and Bad Rabbit.
      - Verizon – security lapse exposes 14 million customers' data.
      - Uber – 57 million customers' data exposed.
      - Equifax – 145 million Americans impacted.
      - Yahoo breach expands to 3 billion users.
  • 3. Energy industry under attack
      - Cyberattack Shows Vulnerability of Gas Pipeline Network – 4/4/2018 – New York Times
          - Compromise and service interruption of Latitude Technologies
          - Nomination / EDI system
      - Hackers halt plant operations in watershed cyber attack – 12/14/2017 – Reuters
          - Hackers likely working for a nation-state recently invaded the Triconex safety system, widely used in the energy industry, including nuclear and oil and gas plants.
  • 4. What makes the Oil and Gas Industry vulnerable to cyber attacks?
      - Lack of Awareness and Training: Employees with a lack of training are likelier to commit errors that leave the system open to attack. Especially true for field personnel as the Internet of Things (IoT) proliferates.
      - Remote Work: Although this technology places people away from harmful locations and tasks, the exchange is more vulnerabilities in cybersecurity. It enables a hacker to gain access and perform the tasks an employee can, without detection.
      - Using IT Products with Known Weaknesses: Opting to use IT products with known weaknesses because of economics or vendor inattentiveness to patching or updating systems. Old systems are more vulnerable as their vulnerabilities have been more widely distributed.
      - Cybersecurity Culture Is Limited: Even in a very technological culture, cybersecurity remains a niche sector. In field operations even more so.
  • 5. What makes the Oil and Gas Industry vulnerable to cyber attacks? (continued)
      - Data Network Separation Is Insufficient: An insufficient separation of data networks provides more avenues for cybersecurity attacks, e.g. SCADA or EM systems on the same computer network as accounting systems.
      - Lack of Complete Asset Inventory: Not knowing what your assets are, what technology platforms, software versions, etc. is an opening for attackers. You can't protect what you don't know about.
      - Software Weaknesses: When choosing software to aid with cybersecurity, the oil and gas industry should be wary of the lowest bidder. Not all software is the same when it comes to security.
      - Outdated and Aging Control Systems: Cybersecurity threats constantly evolve, with hackers working to exploit systems old and new. Whereas at least the new systems have recent threats in mind during their development, outdated systems may not be equipped to handle newer issues. Technology continues to develop at a rapid pace, and hackers are adapting. The oil and gas industry needs to adapt as well, requiring frequent updates of its control system software and infrastructure (i.e. patches/updates).
  • 6. So what should we do?
  • 7. Natural Gas Standards / Frameworks
      - ISO 9000: ISO 9000 is a set of international standards on quality management and quality assurance developed to help companies effectively document the quality system elements to be implemented to maintain an efficient quality system. They are not specific to any one industry and can be applied to organizations of any size. ISO 9000 can help a company satisfy its customers, meet regulatory requirements, and achieve continual improvement. However, it should be considered a first step, the base level of a quality system, not a complete guarantee of quality.
      - ISO 14001: ISO 14001 is the international standard that specifies requirements for an effective environmental management system (EMS). It provides a framework that an organization can follow, rather than establishing environmental performance requirements. Part of the ISO 14000 family of standards on environmental management, ISO 14001 is a voluntary standard that organizations can certify to. Integrating it with other management system standards, most commonly ISO 9001, can further assist in accomplishing organizational goals.
  • 8. Cybersecurity also has frameworks
      - ISO/IEC 27000 Family (27001/27002): The ISO/IEC 27000 family of standards helps organizations keep information assets secure. Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties. https://www.iso.org/isoiec-27001-information-security.html
      - Center for Internet Security (CIS) Critical Security Controls: CIS Controls Version 7 – https://www.cisecurity.org/controls/
      - National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Security: Framework for Improving Critical Infrastructure Cybersecurity Ver 1.1 Draft 2 – Dec. 2017 – https://www.nist.gov/cyberframework
      - Payment Card Industry (PCI): PCI Data Security Standard (DSS) – Ver 3.2 – Apr. 2016 – https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
      - Energy industry developed: Cyber security in the oil and gas industry based on IEC 62443, DNVGL-RP-G108 – https://www.dnvgl.com/oilgas/download/dnvgl-rp-g108-cyber-security-in-the-oil-and-gas-industry-based-on-IEC-62443.html
  • 9. Information Security is a PROCESS, not just a firewall!
      - Annual Risk Assessment
      - Security Awareness Training
      - Policies and Procedures
      - Threat Management
      - Security Event Monitoring
      - Change and Configuration Management
      - Access Control
  • 10. Action Items
      - Work with your IT department during all phases of a project, not just implementation. The reality is that most devices have internet connectivity today (Internet of Things, IoT).
      - Train your field personnel on cybersecurity awareness.
      - Conduct a true security risk assessment.
      - Implement a security information and event management (SIEM) system to monitor all network activity.
      - Asset inventory with technical details.
  • 11. Action Items
      - Push current vendors to acquire, and evaluate new vendors that have, security-related cybersecurity certifications and frameworks, like NIST.
      - Work with your IT department to implement and merge ISO / NIST standards for field operations and cybersecurity. Provides a complete best-practice set of frameworks.
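A check for three of the gaps named on slides 5 and 10 (OT and IT systems on one network, an incomplete asset inventory, and aging or unpatched control systems), as an added Python example that is not part of the presentation; the asset names, addresses, roles and dates are constructed, and the /24 subnet grouping and 90-day patch threshold are assumptions.

```python
"""Audit a constructed asset inventory for gaps the deck names: OT/IT systems
sharing a network, incomplete records, and aging or unpatched control systems."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import Optional

OT_ROLES = {"scada", "em", "plc", "safety"}        # operational technology
IT_ROLES = {"accounting", "email", "workstation"}  # business IT

@dataclass
class Asset:
    name: str
    role: str
    ip: str
    platform: Optional[str]       # None means the record is incomplete
    version: Optional[str]
    last_patched: Optional[date]

# Constructed sample inventory (hypothetical names, addresses and dates).
INVENTORY = [
    Asset("scada-hmi-01", "scada", "10.10.1.20", "Windows 7", "SP1", date(2016, 3, 1)),
    Asset("acct-srv-01", "accounting", "10.10.1.40", "Windows Server 2016", "1607", date(2018, 3, 10)),
    Asset("em-rtu-07", "em", "10.20.5.7", None, None, None),
    Asset("mail-01", "email", "10.10.2.15", "Linux", "4.15", date(2018, 3, 28)),
]
AUDIT_DATE = date(2018, 4, 4)  # constructed "today" for the sample run

def audit(inventory, today, max_patch_age_days=90):
    """Return sorted (asset name, finding) pairs; assumes /24 subnets."""
    findings, by_subnet = [], {}
    for a in inventory:
        by_subnet.setdefault(ip_network(f"{a.ip}/24", strict=False), []).append(a)
    # 1. Separation: an OT role and an IT role on the same subnet.
    for net, assets in by_subnet.items():
        roles = {a.role for a in assets}
        if roles & OT_ROLES and roles & IT_ROLES:
            findings += [(a.name, f"shares {net} with both OT and IT systems") for a in assets]
    for a in inventory:
        # 2. Incomplete record: you cannot protect what you do not know about.
        if a.platform is None or a.version is None:
            findings.append((a.name, "inventory record lacks platform/version"))
        # 3. Aging: never patched, or patched longer ago than the threshold.
        if a.last_patched is None:
            findings.append((a.name, "no patch date recorded"))
        elif (today - a.last_patched).days > max_patch_age_days:
            findings.append((a.name, f"last patched {(today - a.last_patched).days} days ago"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(INVENTORY, AUDIT_DATE):
        print(f"{name}: {finding}")
```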

Editor's Notes

  1. Security is a process – it never ends!
  2. Great way to get started