By Gregory Hale
It wasn’t too long ago that a virus called Shamoon got the order and attacked some major manufacturing automation companies in the Middle East.
Saudi Aramco, RasGas and SAFCO all fell victim to the attack. While all of the companies worked to recover from their respective damages, SAFCO knew it had to resume operations and continue business flow, but ensure a more secure environment at the same time, said Dennis Lanahan, director of sales and services at Owl Computing, during a cyber security session last Thursday at the 2014 Yokogawa Users Conference and Exhibition in Houston.
Shamoon was a computer virus discovered in 2012 that attacks computers running Microsoft Windows. Shamoon was capable of spreading to other computers on the network through exploitation of shared hard drives. Once a system is infected, the virus compiles a list of files from specific locations on the system, erases them and then sends information about these files back to the attacker. Finally, the virus overwrites the master boot record of the system to prevent it from booting.
SAFCO is the Saudi Arabian Fertilizer Company, and it produces, processes, manufactures and markets the principal fertilizers for local and international markets. It produces and manufactures ammonia, urea, melamine and sulfuric acid. SAFCO is a division of Saudi Basic Industries Corporation (SABIC), which makes chemicals and intermediates, industrial polymers, fertilizers and metals.
“When they were hit by the attack, they immediately disconnected,” Lanahan said. “But the disconnection impeded efficient operations, but it helped increase the security. SAFCO separated and security issues were solved, but they lost business continuity.”
With such an important process that could pose a huge safety issue, they needed to reestablish continuity as quickly as possible, he said.
Just by thinking through their security with the help of an outside provider and recreating their security program, Lanahan said, they were able to:
• Restore business continuity by allowing data flows to resume
• Ensure network security with network domain separation
• Limit unauthorized access to plant networks from outside the plant
One of the typical devices SAFCO had protecting the network was a firewall. The firewall separated the process network from the business network, he said. That was a pretty standard configuration with bidirectional data going through the firewall.
What SAFCO felt it needed was to eliminate the bidirectional nature of the data flow and allow only one-way communication via a data diode.
By creating the new installation, SAFCO was able to maintain OPC workstations through DCOM or a tunneling capability. SAFCO was now free to get information from its process network and send it out one-way to the business enterprise for its information.
“That allowed for restored business continuity, ensured network security with network domain separation and enforced no access to the plant network from outside the plant,” Lanahan said.