Data Security Throughout the Supply Chain

Boston Strategies International offers proactive threat prevention, detection, and remediation throughout gas, oil, and power supply chains through multi-tier security certification, technical contract and subcontract analysis, contract administration, activity logging, correlation analysis, and threat hunting.

Working with your team, BSI helps you plan and execute an integrated cyber approach to avoid, manage, and remediate security and privacy breaches. We offer three services: Diagnostic Audits, Ongoing Management, and Damage Control and Remediation.

 

BSI’s Data Security Services

security-services

The Problem

Infrastructure, intellectual property, and private data has been compromised by deliberate attacks on gas, oil, and power supply chains through the vulnerabilities of today’s immature, unregulated global Internet. For example

  • The US power grid recently suffered three major cyber attacks. In 2012 and 2013, Russian hackers were able to successfully send and receive encrypted commands to U.S. power generators. In 2015, unauthorized cyber hackers injected malicious software into the grid operations that allowed spying on U.S. energy companies. And also, in 2015, US law enforcement officials reported a series of cyber attacks that were attempted by ISIS targeting the U.S. power grid.
  • Saudi Aramco was practically brought to its knees in 2012 by hackers inflicting a self-replicating virus which deleted information on up to 30,000 of its Windows-based computers.

The cost of these cyber attacks is massive. A cyber attack targeted at 50-100 generators that supply power to 15 Northeastern United States, including Washington D.C., would leave almost 93m people without electricity and cause $62 billion to $228 billion in economic losses in the first year. Damage to turbine generating power plants and metering systems would cost $1 billion to $2 billion. Loss of electricity revenue would cost the utilities $1 billion to $4 billion. And loss of revenue to electricity consuming customers of the utilities would cost $60 billion to $222 billion. If recovery takes longer than a year, these costs would multiply. This damage assessment is according to a study by the Centre for Risk Studies at the University of Cambridge.

Major gas, oil, and power companies are now becoming aware of the risks that cyber attacks pose, and are investing capital to get their systems more secure to attack. Utilities are most vulnerable to cyber threat from a third tier supplier, which has no direct connection to the utility and supplies the equipment through a third party vendor or a distribution channel. Second tier suppliers also carry the same risk but are more visible and vetted.

Our Solution

Diagnostic Audit

For one-time projects, BSI’s Security Consulting Services reviews security infrastructure to understand the existing information technology control framework; identifying where your organization is most vulnerable to cyber threats and attacks.

We help you establish secure procurement practices for IT infrastructure to block out malicious components before they enter the supply chain, years before an attack occurs. Our consulting process prevents counterfeiting, tainting, and compromising, thereby helping you to avoid hardware, software, and component failures.

Our diagnostic services include Security Strategy Assessments, Technical Security Assessments, and PCI Compliance reviews.

BSI’s Cyber Security Diagnostic Assessments

  • Policy Framework Analysis
  • Security Awareness
  • ISO Compliance
  • Situational Consulting
  • CMMI Security Process Review
  • Vulnerability Assessments
  • Penetration Tests
  • Web Application Assessments
  • Firewall Rule Review
  • Domain Password Audit
  • Network Security Architecture
  • Wireless/Mobile Assessment
  • Cardholder Data Environment (CDE) scoping
  • Gap Assessment
  • Remediation Roadmap
  • Network Segmentation Designs
  • Audit (RoC, SAQ)
  • Risk Assessments

We reduce the vulnerability of our power industry clients throughout their generation, transmission, and distribution infrastructure.

  • Generation: SCADA systems in power plants are vulnerable through hardcoded passwords, weak authentication solutions, firmware vulnerabilities and ladder logic. Viruses such as ‘Stuxnet’ can be used to exploit these vulnerabilities to execute cyber attack on the computerized control systems in a well-targeted manner. Some of these sophisticated malwares can cover hide its presence until well after the damage is done.
  • Transmission: Transmission systems have been the most targeted sub-system in the power system value chain..The relays on the transmission sub-system are time sensitive, and delays of even a few milli-seconds can negatively impact the performance of power transmission. The common cyber attacks in this area include Distributed Denial of Service (D-DOS), which can cause the network and communication channels send delayed responses and cause the malfunction of the Smart Grids.
  • Distribution: Smart meters, which are increasingly common in network infrastructure, connect to the central control or Network Operating Centre (NOC) room of the utility to transmit and receive data. Poor security implementations in the smart meters could make it possible for an unauthorized third-party to intrude the NOC. The consequence can be disastrous if the meter has the “switch off” capability. Given the scale of utilities, which for large utilities could run into millions of smart meters, security vulnerabilities in this area can lead to widespread damage.

Ongoing Management

For long-term projects, it may be important to ensure cyber security over an entire project life cycle. BSI sets up a cyber security team that works in collaboration with your Project Management Office (PMO) from concept through installation.

We ensure consistency in security products, support tools, administration techniques and delivery mechanisms. Depending on the needs of the project, project update calls and documented status updates are scheduled and completed with all team members.

We scan for malicious software code in equipment and components that could compromise security, as well as kill-switches and backdoors that enable attackers to steal data or disable the system.

We audit vendors’ maintenance and repair activities including software upgrades and equipment services, whether done onsite or remotely, that could also allow hackers to corrupt or compromise systems. This includes components that could enter the supply chain from the secondary suppliers or contractors, which are less visible to the utility operators.

A Project Manager or Coordinator is assigned and works with internal team members as well as our expert consultants. A Project Manager creates a work plan to schedule all components of the plan in close collaboration with you.

Damage Control and Remediation

If you have been the victim of a cyber attack, we help undo the damage and put in place corrective and preventative measures. This may include, for example:

  • Incident response
  • Secure architectures (policies, people, and processes)
  • Preventative controls (technologies, tools, and techniques)
  • PCI

BSI’s remediation projects results in improved responsibility, better business and operational transparency, and secure access management, and data visibility. Remediation also enhances resilience from such attacks so you can get back to normal operations quickly.