How Cyber Security Can Be Improved

Every day we get more interconnected, and that naturally widens the threat surface for cybercriminals. To protect against vulnerabilities and keep pace with hacker methods, security and non-security professionals alike must understand how to protect themselves (and their companies). That involves looking for new ways to improve cyber security. To start, we believe cyber security can be improved by focusing on three areas: enterprise-wide cyber awareness programs, persistent training within cyber teams, and communication between the C-suite and the CISO. Check out our recommendations below, and if you have a strategy that worked to improve cyber security in your company or organization, we’d love to hear about it.

Company-Wide Security Awareness Programs

Regardless of company size or budget, every person employed at a business should understand fundamental cyber concepts so they can protect themselves from malicious hackers. Failure to do so places the employee and the company at risk of being attacked and could result in significant monetary and reputation damages.

Simple knowledge of what a phishing email looks like, what an unsecured website looks like, and the implications of sharing personal information on social media are all topics that can be addressed in a company-wide security program. Further, staff should understand how hackers work and what kinds of tactics they use to get information on a victim to exploit. Reports vary, but a recent article from ThreatPost notes that phishing attempts doubled in 2018, with new scams on the rise every day.

But where and how should companies start building a security awareness program—not to mention a program that staff will actually take seriously and participate in?

We believe in the power of gamified learning to engage employees in cyber security best practices.

Our mobile app inCyt helps novice and non-technical professionals learn the ins and outs of cyber security, from hacking methods to understanding cyber definitions. The game allows employees to play against one another in a healthy, yet competitive, manner. Players have digital “hackables” they have to protect in the game while trying to steal other players’ assets for vulnerabilities to exploit. The back-and-forth game play teaches learners how and why attacks occur in the first place and where vulnerabilities exist on a variety of digital networks.

By making the learning fun, it shifts the preconceived attitude of “have to do” to “want to do.” When an employee learns the fundamentals of cyber security not only are they empowering themselves to protect their own data, which translates into improved personal data cyber hygiene, but it also adds value for them as professionals. Companies are more confident when employees work with vigilance and security at the forefront.

Benefits of company-wide security awareness training

  • Lowers risk – Prevents an internal employee cyber mishap with proper education and training to inform daily activities.
  • Strengthens workforce – Existing security protocols are hardened to keep the entire staff aware of daily vulnerabilities and prevention.
  • Improved practices – Cultivate good cyber hygiene by growing cyber aptitude in a safe, virtual environment, instead of trial and error on workplace networks.

For more information about company-wide cyber learning, read about our award-winning mobile app inCyt.

Persistent (Not Periodic) Cyber Training

For cyber security professionals like network analysts, IT directors, CISOs, and incident responders, knowledge of the latest hacker methods and ways to protect and defend, govern, and mitigate threats is key. Today’s periodic training conducted at off-site training courses has been and continues to be the option of choice, but the financial costs and time away from the frontlines make it a less-than-fruitful ROI for leaders looking to harden their posture productively and efficiently.

Further, periodic cyber security training classes are often dull, static, PowerPoint-driven or prescriptive, step-by-step instructor-driven, meaning the material is often too outdated to be relevant to today’s threats, and the learning is passive. There’s minimal opportunity for hands-on learning to apply learned concepts in a virtualized, safe setting. These roadblocks make periodic learning ineffective, and unfortunately companies are spending thousands of dollars every quarter or month to upskill professionals without knowing if it’s money well spent. That’s frustrating!

What if companies could track cyber team performance to identify gaps in security skills—and do so on emulated networks to enrich the learning experience?

We believe persistent training on a cyber range is the modern response for companies to better align with today’s evolving threats. Cyber ranges allow cyber teams to engage in skill building in a “safe” environment. Sophisticated ranges should be able to scale as companies grow in security posture too. Our Project Ares cyber learning platform helps professionals develop frontier learning capabilities on mirrored networks for a more authentic training experience. Running on Microsoft Azure, enterprise, government and academic IT teams can persistently train on their own networks safely using their own tools to “train as they would fight.”

Browser-based, Project Ares also allows professionals to train on their terms, wherever they are. Artificial intelligence, via natural language processing and machine learning, supports players on the platform by acting both as an automated adversary to challenge trainees in skill and as an in-game advisor to support trainee progression through a cyber exercise.

The gamified element of cyber training keeps professionals engaged while building skill. Digital badges, leaderboards, levels, and team-based mission scenarios build communicative skills, technical skills, and increase information retention in this active-learning model of training.

Benefits of persistent cyber training

Gamifying cyber training is the next evolution of learning for professionals who are either already in the field or curious to start a career in cyber security. The benefits are noteworthy:

  • Increased engagement, sense of control and self-efficacy
  • Adoption of new initiatives
  • Increased satisfaction with internal communication
  • Development of personal and organizational capabilities and resources
  • Increased personal satisfaction and employee retention
  • Enhanced productivity, monitoring and decision making

For more information about gamified cyber training, read about our award-winning platform Project Ares.

CISO Involvement in C-Suite Decision-Making

Communication processes between the C-suite and CISO need to be more transparent and frequent to achieve better alignment between cyber risk and business risk.

Many CISOs are currently challenged in reporting to the C-suite because of the very technical nature and reputation of cyber security. It’s often perceived as “too technical” for laymen, non-cyber professionals. However, it doesn’t have to be that way.

C-suite execs can understand their business’ cyber risks in the context of business risk to see how the two are inter-related and impact each other.

A CISO is typically concerned about the security of the business as a whole and if a breach occurs at the sake of a new product launch, service addition, or employee productivity, it’s his or her reputation on the line.

The CISO perspective is that whenever a company is deploying a new product or service, security should be involved from the get-go. Having CISOs brought into discussions about business initiatives early on is key to ensuring there are no security “add ons” brought in too late in the game. Actualizing the cost of a breach on the company in terms of dollar amounts can also capture the attention of the C-suite.

Furthermore, CISOs are measuring risk severity and breaking it down for the C-suite to help them understand the business value of cyber.  To achieve this alignment, CISOs are finding unique ways to do remediation or cyber security monitoring to reduce their workloads enough so they can prioritize communications with execs and keep all facets of the company safe from the employees it employs to the technologies it adopts to function.

Improving Cyber Security for the Future

Better communications between execs and security leaders, continual cyber training for teams, and company-wide cyber learning are a few suggestions we’ve talked about today to help companies reduce their cyber risk and harden their posture. We’ve said it before and we will say it again: cyber security is everyone’s responsibility. And evolving threats in the age of digital transformation mean that we are always susceptible to attacks regardless of how many firewalls we put up or encryption codes we embed.

If we have a computer, a phone, an electronic device that can exchange information in some way to other parties, we are vulnerable to cyber attacks. Every bit and byte of information exchanged on a company network is up for grabs for hackers and the more technical, business, and non-technical professionals come together to educate and empower themselves to improve cyber hygiene practices, the more prepared they and their company assets will be when a hacker comes knocking on their digital door.

Photo of computer by rawpixel.com from Pexels

Living our Mission Blog Series #3: New Learning Curriculum in Project Ares 3.6.4

We’ve made several new updates to our gamified cyber learning platform Project Ares. We are releasing new battle room and mission cyber security exercises for professionals to continue training and honing skills and competency and have optimized some aspects of performance to make the learning experience smoother.

New Missions and Battle Rooms

To ensure professionals have access to the latest threats to train against, we develop new missions and battle rooms for our users so they can continually learn new cyber security skills, both technical and professional. The following new missions are available to users of the Professional and Enterprise licenses of Project Ares, while the new battle room updates are available to users of the Academy, Professional, and Enterprise licenses of Project Ares.

Mission 5 – Operation Wounded Bear

Designed to feature cyber security protection for financial institutions, the learning objectives for this mission are to identify and remove malware responsible for identity theft and protect the network from further infections. Variability in play within the mission includes method of exfiltration, malicious DNS and IP addresses, infected machines, data collection with file share uploads that vary, method of payload and persistence, and a mix of Windows and Linux.

This mission provides practical application of the following skill sets:

  • Computer languages
  • Computer network defense
  • Information systems
  • Information security
  • Command line interface
  • Cyber defense analysis
  • Network and O/S hardening techniques
  • Signature development, implementation and impact
  • Incident response

Mission Objectives:

  1. Use IDS/IPS to alert on initial malware infection vectors
  2. Alert/prevent download of malicious executables
  3. Create alert for infections
  4. Kill malware processes and remove malware from the initially infected machine
  5. Kill other instances of malware processes and remove from machines
  6. Prevent further infection

Mission 6 – Operation Angry Tiger

Using threat vectors similar to the Saudi Arabia Aramco and Doha RasGas cyber attacks, this mission is about responding to phishing and exfiltration attacks.  Cyber defenders conduct a risk assessment of a company’s existing network structure and its cyber risk posture for possible phishing attacks. Tasks include reviewing all detectable weaknesses to ensure no malicious activity is occurring on the network currently. Variability in play within the mission includes the method of phishing in email and payload injection, the alert generated, the persistence location and lateral movement specifics, and the malicious DNS and IP addresses.

Core competencies used in the mission:

  • Incident response team processes
  • Windows and *nix systems administration (Active Directory, Group Policy, Email)
  • Network monitoring (Snort, Bro, Sguil)

Mission Objectives:

  1. Verify network monitoring tools are functioning
  2. Examine current email policies for risk
  3. Examine domain group/user policies for risk
  4. Verify indicator of compromise (IOC)
  5. Find and kill malicious process
  6. Remove all artifacts of infection
  7. Stop exfiltration of corporate data

Mission 13 – Operation Black Dragon

Defending the power grid is a prevailing concern today, and Mission 13 focuses on cyber security techniques for Industrial Control Systems and Supervisory Control and Data Acquisition systems (ICS/SCADA). Players conduct a cyber defense assessment mission on a power distribution plant. The end state of the assessment will be a defensible power grid with local defender ability to detect attempts to compromise the grid as well as the ability to attribute any attacks and respond accordingly.

Core competencies used in the mission:

  • Risk Management
  • Incident Response Management
  • Information Systems and Network Security
  • Vulnerability Assessment
  • Hacking Methodologies

Mission Objectives:

  1. Evaluate risks to the plant
  2. Determine if there are any indicators of compromise to the network
  3. Improve monitoring of network behavior
  4. Mitigate an attack if necessary

Battle Room 8 – Network Analysis Using Packet Capture (PCAP)

Battle Room 8 delivers new exercises to teach network forensic investigation skills via analysis of a PCAP. Analyze the file to answer objectives related to topics such as origins of C2 traffic, identification of credentials in the clear, sensitive document exfiltration, and database activity using a Kali image with multiple network analysis tools installed.

Core competencies used in the mission:

  • Intrusion Detection Basics
  • Packet Capture Analysis

Battle Room 10 – Scripting Fundamentals

Scripting is a critical cyber security operator skillset for any team. Previously announced and now available, Battle Room 10 is the first Project Ares exercise to focus on this key skill. The player conducts a series of regimented tasks using the Python language in order to become more familiar with fundamental programming concepts. This battle room is geared towards players looking to develop basic programming and scripting skills, such as:

  • Functions
  • Classes and Objects
  • File Manipulation
  • Exception Handling
  • User Input
  • Data Structures
  • Conditional Statements
  • Loops
  • Variables
  • Numbers & Operators
  • Casting
  • String Manipulation

Core competency used in the mission:

  • Basic knowledge of programming concepts

Game client performance optimizations

We made several adjustments to improve the performance of Project Ares and ensure a smooth player experience throughout the platform.

  • The application size has been reduced by optimizing the texture, font, and 3D assets. This will improve the load time for the game client application.
  • 3D assets were optimized to minimize CPU and GPU loads to make the game client run smoother, especially on lower performance computers.
  • The game client frame rate can now be capped to a lower rate (i.e. 15fps) to lower CPU utilization for very resource constrained client computers.

These features are part of the Project Ares version 3.6.4 on the Azure cloud which is available now. Similar updates in Project Ares version 3.6.5 for vCenter servers will be available shortly.

 

Top 10 Cyber Myths

The top cyber security myths CISOs and security professionals fall victim to. Empower yourself with persistent training and skill building instead.

Microsoft Azure Government Secret Helps Enhance Cyber Training

Across the board there’s been a push from a policy perspective to get into secure cloud environments that provide organizations with the on-demand and protected availability that they need to improve business processes. Azure Government Secret is a cloud solution that delivers comprehensive and mission-enabling cloud services to US Federal Civilian, Department of Defense (DoD), Intelligence Community (IC), and US government partners working within Secret enclaves. It can also have global implications for how cyber defenders prepare for tomorrow’s threats.

The April 2019 announcement of Azure Government Secret enables Circadence to deliver Project Ares to similar defense industry partners in support of their cyber training and readiness missions. Having the power of the Azure Secret cloud infrastructure behind Circadence is necessary to deliver infinite cyber range scalability for gamified training and learning opportunities to defenders across the globe who need specialized security and scalability in training programs.

As cyber threats grow more frequent and more malicious, it is mission critical to government cyber protection teams to have the flexibility and accessibility to scale training to their needs, with limitless opportunity for enhanced cyber preparedness. The persistent, gamified training and frontier learning that occurs in Project Ares, coupled with this new level of secure cloud, enhances the protection of the nation’s most critical digital assets and will undoubtedly contribute to our overall national security.

VP of Global Partnerships Keenan Skelly tells us how it helps improve cyber training today.

“Our partnership with Microsoft Azure allows us to build infinitely scalable cyber ranges to do cyber exercises and trainings,” said Skelly.

With the help from Microsoft Azure Government Secret cloud, Circadence can continue to evolve cyber training solutions that help today’s elite, DoD cyber security professionals anticipate, prevent, and react to threats more efficiently and effectively. In doing so, we are proud to contribute to a world-class security culture that proactively protects our most critical assets and our people.

Nichols College Students Spearhead Cyber Security Education for the Entire Campus 

Policy makers are now prioritizing data security over talent, efficiency and controlling costs. As students growing up and being educated in the digital age, we are just starting to understand the importance of cyber security to individuals and their companies. Taking part in a Research Associate Internship on campus at Nichols College, our eyes have been opened to the vast number of threats we face on a daily basis.

Oracle conducted a study titled “Security in the Age of Artificial Intelligence,” where 341 C-Suite executives and 110 policy makers were asked of their plans to improve their company’s security in the next two years. The top answer from this sample was to train existing staff. Human error poses the greatest risk to these companies (Oracle). In order to mitigate this risk, it is imperative to understand the opportunity cost of training employees on the importance of cybersecurity. Prioritizing training would prevent small mistakes, potentially costing a company much more in the long run.

A Nichols College Associate Professor of Accounting and Finance, Bryant Richards, noticed a gap in cyber security education, wanting to bring cyber to campus in a big way, stating “As cyber risks have become ubiquitous throughout the industry, it is our responsibility to provide some degree of cyber literacy to our business students. We must train our accounting students to be data and technology professionals who understand accounting. The realistic and experiential nature of Project Ares matches how our students learn and provides a transformative learning experience.” Richards along with the two of us, helped Nichols partner with Circadence to complete a three-month pilot program of their gamified cybersecurity learning platform Project Ares.

What We Found: Circadence did a great job with Project Ares, with an appealing, gamified user interface that sucks you in and is easy to use. As a student with no technical experience in the cybersecurity field, Project Ares proved to be both engaging and challenging. It provided an abundance of resources through its Media Center and Mini Games. Users can obtain a base layer of knowledge, progressing into education on concepts like the Cyber Kill Chain and how hackers utilize it. The interactive Battle Rooms provide real-life, technical lab environments where users can spin up virtual machines, explore real-world tools, build their confidence, and hone their skills.

What We Learned: You do not have to be a professional hacker to steal someone else’s information or gain access to their computer. Understanding the code is no longer enough; this is much more than an individual problem. If your own device is compromised, the hacker can steal your personal information, and steal information from your employer and worse. This harsh reality surprised us when we first commenced our research. From clicking a wrong link in an email, to accidentally tapping an advertisement banner on your phone; these small errors can seem harmless but are really detrimental to your overall security.

The gamification of cybersecurity training has allowed those of us with no prior knowledge, a chance to get a leg up. With increased demand to train existing staff, new training approaches must be made for the next generation of cybersecurity specialists. Gamifying the process made it easily digestible, directly benefitting any potential company or individual.

The first step in becoming educated on cybersecurity is understanding that there are threats present in our everyday lives. In the words of the man who gave us our initial walkthrough of Project Ares, Brad Wolfenden compared cybersecurity to buying a gallon of milk, saying:

“I believe that part of the disconnect around cybersecurity best practices comes from the assumptions we make as consumers in general – that what we’re buying is designed and sold with our best interests, and security, in mind … The food you buy and eat is certified by the Food & Drug Administration to indicate it has been safely grown/ raised and suitable for human consumption. When making technology purchases, we cannot take these same conveniences for granted.”

It is everyone’s ‘job’ to maintain high ethical standards and awareness when operating on the Internet nowadays. It is no longer up to one person or pre-installed software to protect your personal information. The more we are educated on the basic underlying principles of cybersecurity, the safer we will all be.

References

Oracle. “Security in the Age of AI.” Oracle, 2018, www.oracle.com/a/ocom/docs/data-security-report.pdf.

Wolfenden, Brad. “A Rising Tide Lifts All Boats: Celebrating National Cybersecurity Awareness Month.” Circadence, 30 Oct. 2018, www.circadence.com/national-cybersecurity-awareness-month/.

*Students R.J. LeBrun & Lorenzo Secola guest authored this blog post as part of their Research Associate Internship at Nichols College

Guest Blog: Reimagining Cyber Learning for Students, Featuring Divergence Academy

 

It’s one thing to talk about the importance of teaching cybersecurity in an engaging way, and another thing to actually do it. Divergence Academy is proud to partner with Circadence to reimagine how cybersecurity is taught to current and aspiring professionals.

About Divergence Academy

Divergence Academy is an education institution creating adaptive learning solutions to empower individuals to pursue the work they love on the most relevant skills of the 21st century – from web development to data science to product management. It was established in 2014 as the first Data Science school in the Dallas/Fort Worth area that used a hybrid approach to learning. It offers immersive and weekend programs for working professionals, college grads and transitioning workers.

In early 2017, the academy grew to partner with leading cybersecurity organizations including E.C. Council and CompTIA to offer certified learning for students. However, it found that the curriculum was missing something—a “WOW” factor—a platform where learning could be managed and developed using a more hands-on approach, allowing students to level up and reinforce the skills they were learning towards certification.

A Gamified Approach to Cyber Learning

In realizing that we needed a more robust learning platform that complemented the certifications we offered, we were introduced to Circadence, a market leader in cybersecurity readiness, known for its Project Ares® cyber range solution. It incorporated gamification into every aspect of the learning process, which encouraged students to progress through real-world exercises at their own pace and with a level of engagement unseen in previous traditional course sessions.

Finding Project Ares put us on the map as an institution that put learning to work and it showed that we are not just an AI school but a school that teaches what we preach!

The Class: Cybersecurity Professional Penetration Tester

We launched our 12-week class using Project Ares in early February 2019. The program is a 400-hour course delivered over 2 weekday evenings and Saturday to prepare students for the role of Certified Ethical Hacker. We have a mix of students from mathematicians to software engineers to IT students all with varying levels of knowledge of cybersecurity, but anxious to learn.

In Project Ares, students are able to identify “learning moments” where they begin to connect the dots on how a cyber concept is applied to a real scenario. They try to solve problems together, which is exactly what a real cybersecurity job would require.

Not only are students learning industry-wide technical competencies such as information assurance, risk management and incident detection but also workplace competencies like teamwork, planning and organizing, problem-solving, and more. In preparing for a CEH role, students engage in the battle rooms, learning foundational skill sets and then apply them to a methodology in the missions. Skills like system hacking are learned in Missions 8-10, 12, and 13, and enumeration in Mission 1, and reconnaissance in Mission 1.

The feedback from them is reassuring that Divergence Academy and Circadence are a powerful partner. We hear they enjoy collaborating with their peers in exercises within the platform and they kind of form their own “tribes” if you will and that’s the beauty of gamified learning. It really teaches these students how to work together, build soft skills, and technical skills needed for today’s workforce.

The Impact of Project Ares

Project Ares has allowed our instructors to really focus on our students’ performance. The automated, in-game advisor Athena within Project Ares helps students progress from activity to activity and solve problems quicker, which helps instructors prioritize the pace of learning from all students and, in using the trainer view in Project Ares, see where the skills gaps are and how to better inform the exercise content to meet the individual needs of the students. Further, the automatic scoring and badging in the platform coupled with the media center allows instructors to easily align course curriculum with the platform’s games, whether it’s in a mission, a battle room, or through a mini-game.

A Vision Come to Life

Divergence Academy is excited to build a network with local community colleges in the Dallas/Fort Worth area in order to help upcoming graduates and faculty see us as a school that takes student learning to new levels—applied levels—practical levels that are relevant to the workforce. We hope local schools see our trade school as the next step in their learning journey to cybersecurity professionalism and understand that they will be able to get hands-on skill building (or upskilling) and practical experience.

 

To learn more about Divergence Academy and how they’re using Project Ares to support student learning, visit https://divergenceacademy.com/.

 

Guest Blog: Taking Cybersecurity Learning to a Whole New Level

Last week I was lucky enough to be able to attend Circadence’s Cyber Learning Tour at the Microsoft Technology Center in Chicago.  This event was hosted by Laura Lee, VP of Rapid Prototyping,  and one of the lead creators of the Project Ares training platform.

The opportunity to attend this event and hear from the brains behind Project Ares was an eye-opening experience for me.  The passion that Laura spoke with was something that I could relate to.  As someone who personally advocates for introducing more people to information technology and more specifically cybersecurity, it was amazing to hear Laura Lee talk about how she utilizes Project Ares in schools as early as middle school to educate students on not only the importance of cybersecurity but also real-world scenarios.  Hearing Laura talk about kids using Metasploit, Nmap, Wireshark and learning how to defend simulated cyber-attacks or infiltrating networks with Project Ares is taking learning to a whole new level.

One of the more interesting topics Laura brought up about the platform is the scoring capability and how it works within the learning environment.  She often finds students begin competing against each other on the platform by going through missions and assessments over and over again to see who can get the better score.  This brings another avenue of excitement and energy to cybersecurity that could lead to more exposure with things such as e-sports using Project Ares.

The fact that Circadence has created a learning environment that brings gamification, cybersecurity, and training to the same platform is ground-breaking to me.  Here is a platform that will simulate real-world scenarios like bank networks, power grids, and other enterprise networks and you either must attack (red team) or defend (blue team) using real-world skills and tools.  If you’re a rookie at cybersecurity, Project Ares offers a variety of battle rooms and assessments that will help get you up to speed.

To hear more about why gamification and AI-powered cyber learning is the future of cybersecurity skill building, check out one of their other Cyber Learning Tour stops here: https://marketing.circadence.com/acton/media/36273/cyber-learning-tour-with-microsoft.

Follow Zach’s YouTube Channel I.T. Career Questions for all things cybersecurity learning and development here: https://www.youtube.com/channel/UCt-Pwe2fODjH4Wuwf5VqE7A.

Making Cybersecurity BETTER: Dan Manson to Speak at RSA 2019

With the New Year in full swing, we are resolved not only to improve our own products to meet industry shifts but also to help improve cyber professionals’ skill sets against evolving threats. One of the ways we are doing this is through the help of our team member Dan Manson, Instructional Designer (Level 5) and current Professor of Computer Information Systems at California State Polytechnic University, Pomona.

Dan is speaking on a panel discussion at the upcoming RSA 2019 conference, titled “How to Create a Truly Diverse Cyber Workforce,” on Thursday, March 7 from 1:30 p.m. – 2:30 p.m. alongside panelists Mat Neufield, CISO for Unisys, and Jordan Jacobson, a California State Polytechnic University, Pomona student. Shelly Westman, principal with EY, will moderate.

It is at events like RSA (find Circadence and Project Ares at booth 6583) that the Circadence team and visitors to our booth share industry perspectives and explore dynamic learning solutions for cybersecurity professionals. The insights from these meetings often influence our advanced product capabilities, features, and offerings.

In addition to sharing his expertise on the ways to diversify the cyber workforce, Dan looks forward to playing an integral part in our Project Ares® cyber learning platform evolution alongside the rest of our incredible team.  He is helping integrate proficiency standards and competencies into Project Ares curriculum to improve the overall training value, player scoring, points, badges, etc. He also supports the analysis of how well the training content aligns to the NIST NICE Cybersecurity Workforce Framework, identifying the gaps for our Cyber Education and Training department to consider in curriculum design.

We know the cybersecurity landscape is fluid, in a constant flux of improving security provisions, processes, technology, and the professionals behind it all. Circadence understands that there is no “one-size-fits-all” solution, which is why our solution capabilities ride on the coattails of the frequent industry changes. Our “Living our Mission” blog series keeps customers and interested parties current on the latest updates to our platforms and the benefits of the developments on organizational security posture.

To learn more about how our gamified learning platform Project Ares is supporting a more diversified workforce in the midst of a widening skills gap, download our white paper “The Importance of Gamification in Cybersecurity Training” now. 

 

Oil and Gas Cyber Security: Understanding Risks, Consequences, and Proactive Measures

The oil and gas sector is susceptible to security vulnerabilities as it adopts digital communication methods that help power energy production and distribution. For context, there exist approximately 1,793 natural gas-powered electricity plants in the U.S. and they generated 34 percent of the nation’s electricity last year. Much of how we live and work is dependent upon the energy produced from oil and gas production, including everyday cooking, heating/cooling, communication, and use of electronic devices and appliances. Therefore, even the smallest cyber attack on one of the thousands of interconnected and digital systems can yield devastating effects.

A company that goes through an attack can experience a plant shutdown, equipment damage, utilities interruptions, production shutdown, inappropriate product quality, undetected spills, and safety measure violations—to name a few. Recently, 87% of surveyed oil and gas senior executives have reported being affected by cyber incidents in the past 12 months. Further, 46% of attacks in Operational Technology go undetected.

Oil and Gas Cyber Security Breaches throughout History

  • In 2010, Stuxnet, a malicious computer worm, was used to hijack industrial control systems around the globe, including computers used to manage oil refineries, gas pipelines, and power plants. It reportedly destroyed a fifth of Iran’s nuclear centrifuges. The worm was delivered through a worker’s thumb drive.
  • In August 2012, a person with privileged access to one of the world’s leading National Oil Companies’ (NOCs’) computers unleashed a computer virus called Shamoon (disk-wiping malware). This virus erased three quarters (30,000) of the company’s corporate personal computers and resulted in an immediate shutdown of the company’s internal network.
  • National Security Authority Norway said 50 companies in the oil sector were hacked and 250 more were warned to check their systems, in one of the biggest hacks in Norway’s history.
  • Ugly Gorilla, a Chinese attacker who invaded the control systems of utilities in the United States, gained cyber keys necessary to access systems that regulate flow of natural gas.
  • In January 2015, a device used to monitor the gasoline levels at refueling stations across the United States—known as an automated tank gauge or ATG—could be remotely accessed by online attackers, manipulated to cause alerts, and even set to shut down the flow of fuel. Several Guardian AST gas-tank-monitoring systems have suffered electronic attacks possibly instigated by hacktivist groups.
  • In December 2018, Saipem fell victim to a cyber attack that hit servers based in the Middle East, India, Aberdeen and Italy.

These examples show other oil and gas companies the consequences that arise from insecure cyber environments, vulnerable systems, and cyber teams that lack the latest skills to stay ahead of attackers.

How Circadence Can Help

To lessen the attack surface and protect critical infrastructure against cyber threats, teams need to be prepared to address all possible scenarios that can occur on said attack surface in order to effectively protect and defend IT and OT critical infrastructures.

Project Ares® cyber security learning platform can prepare cyber teams with the right skills in immersive environments that emulate their own oil and gas networks to be most effective. It is designed for continuous learning, meaning it is constantly evolving with new missions rapidly added to address the latest threats in the oil and gas industry. Further, targeted training can be achieved from the library of mission scenarios to work on specific skill sets.

Training in cyber ranges is a great way to foster collaboration, accountability, and communication skills among your cyber team as well as cross-departmentally. Persistent and hands-on learning will help take your cyber team to the next level. Benefits of this kind of learning include:

  • Increased engagement – by keeping learners engaged they are able to stay focused on the subject matter at hand
  • Opportunities to close skills gaps immediately – instant feedback, instruction, and critique make it easy for learners to benefit from interaction with the instructor and peers and immediately implement this feedback to improve
  • Risk mitigation and improved problem-solving – hands-on training allows learners to master skills prior to working in real-world environments. People can work through tough scenarios in a safe training environment – developing problem-solving skills without risk.

By placing the power of security in human hands, cybersecurity teams can proactively improve a company’s ability to detect cyber-related security breaches or anomalous behavior, resulting in earlier detection and less impact of such incidents on energy delivery, thereby lowering overall business risk. Users are the last line of defense against threat actors, so prioritizing gamified training for teams will foster the level of collaboration, transparency, and expertise needed to connect the dots for cybersecurity in oil and gas sectors.

This solution coupled with proper collaboration between IT and OT divisions to share real-time threat intelligence information will do wonders for companies looking to stay out of the negative news headlines and stay safe against an attack.

Download our Infographic “oil and gas cybersecurity” for more details on cyber readiness and training.
