“Virtualization allows the implementation of environments via a software-based solution rather than with the introduction of additional hardware,” the federation says. “Like other industries, interest is high on any opportunities that can reduce the hardware footprint, address the challenges of finding hardware for unsupported operating systems and provide flexibility in creating training and testing environments.”
Dubbed the “LOGIIC Virtualization Project,” the report focuses on conveying what factors should be considered when weighing virtualization in an IACS environment. Researchers evaluated and tested current automation system vendor practices to generate guidelines and best practice references for securing virtual environments across multiple process control network layers. In addition, the study was designed to support an ongoing discussion between critical infrastructure asset owners, operators and automation system vendors.
Key points highlighted in the report include:
- VMWare and Hyper-V architectures provide a nearly equivalent attack surface.
- Technical vulnerabilities, though reduced in number, exist mainly due to patching issues, implementation issues or the limitations of the hardware/software. Standard products and services, such as RDP, provide a broader attack surface that typically requires patching.
- Operational findings are not specific to automation vendor products. These general findings should be considered during the decision to design and implement a virtual solution in an IACS environment. The findings apply to the implementation of VMWare, Hyper-V, blades, clusters and scalable configurations.
The report was commissioned by the Linking Oil and Gas Industry to Improve Cybersecurity, or LOGIIC.
According to the federation, the LOGIIC Consortium, now in its 10th year, was established by members of the oil and gas industry in partnership with the Cybersecurity Research and Development Center (CSRDC) of the US Department of Homeland Security (DHS), Science and Technology (S&T) Directorate to study cybersecurity issues in IACS that impact safety and business performance as they pertain to the oil and gas sector.
LOGIIC’s objective is to promote the interests of the sector while maintaining impartiality, the independence of the participants and vendor neutrality. Current members of LOGIIC include BP, Chevron, Shell, Total and other large oil and gas companies that operate significant global energy infrastructures.
The Automation Federation serves as the LOGIIC host organization and has entered into agreements with the LOGIIC member companies and all LOGIIC project participants.
All LOGIIC project reports can be found on its website. Download the full report here.