Using either a quantitative or qualitative approach, you will complete a risk assessment to determine the risks and benefits of paying ransom to the organization.
Read the Do or Do Not scenario.
Based on the Ransomware attack scenario, conduct a risk assessment.
Produce a meaningful report for management to determine the best course of action to prevent or mitigate future risks, with a timeline towards full prevention.
You can select the appropriate risk assessment approach to assess the case and present the assessment data for management to decide how to prevent future incidents.
The risk assessment should:
Present all assets associated with/threatened by the ransomware attack, including the assessments of costs and the costs associated with downtime.
Calculate risks associated with the ransomware attack.
Present the risk in a hybrid risk assessment approach to include both qualitative and quantitative approaches.
Include a risk mitigation approach/Courses of Action for management to consider.
Incorporate legal and regulatory issues in your assessment.
Include your recommendation to leadership on how to respond to this ransomware attack based on your assessment of cost/benefit.
Present your rationale with supporting details on cost and benefit of risk mitigation recommendations.
The report should be of the following length: between 1250 and 2500 words.
COMPONENTS OF RISK ASSESSMENT REPORT
Using either a quantitative or qualitative approach, you will complete a risk assessment to determine the risks and benefits of paying ransom to the organization. The risk assessment report will include the following components:
Executive summary on the risk assessment outcomes and recommendations.
List of assets with their values involved in the risk assessment scope. Assets include tangible and intangible assets with values to the organization.
Vulnerabilities to these assets based on the ransomware attack vector.
Assign asset values impacted to the organization based on the ransomware attack outcome.
Compare these asset values impacted by the ransomware attack and the replacement costs.
Draw up recommendations to recover from this ransomware attack by paying the ransom or by replacing these assets.
Write your conclusions on risk assessment for management to decide whether Ackme should pay the ransom or replace these assets.
Requirements: 2500 max
“Do or do not. There is no try.”
Please read the scenario information below before attempting your assignments for this module.
Much has been learned about the ransomware deployed and the state of the platform management systems. Assessments of the management options have been produced.
The onsite team at one location believes they have devised a plan to recover management access. The team thinks they can reroute management of systems one at a time to ensure uptime for all managed systems and devices, while individual management systems are reverted to a prior state from backups. However this plan is not without risk on two fronts:
The systems will still be vulnerable to the point of entry used by the attackers since the systems are end-of-life. It is possible that the attackers will retaliate and increase their demands if this route is taken.
System downtime could result, preventing access to manage critical components of the extraction & separation process for sets of systems and devices during the recovery process.
The risk management process may also consider if any of the pipelines can be shut down temporarily until the new systems arrive. If they go ahead and pay the ransom, this may alleviate some costs, but a value judgement is needed.
Ackme is located in the US. What are the applicable laws to be considered in terms of paying ransom for this type of attack?
Thinking back to Module 3, what are the presumed objectives of the attacker?
How do they factor into the decision process?
What next steps might the attacker take for any decision made?
If the ransom is paid, have the attackers' objectives been met?
Were they really after money or the impact to Ackme?
Is the scope of the attack limited to these systems and what has been detected to date?
H. Ackme Oil & Gas Background Material
A – Current Platform Control Systems Technology
B – Platform Control Systems IO & Communications Protocols
C – Acronyms & References
Introduction
Ackme is a vertically integrated company that extracts natural gas (NG) and Crude Oil from Ocean wells, processes it and then wholesales it to a relatively small number of customers. The wells contain largely NG on a 70% to 30% ratio. Figure 1 below provides a visualization of the enterprise in its operational area.
Figure 1 – H. Ackme Operations & Major Customers
All of Ackme’s field operations use Automated Control Systems (ACS) for monitoring & controlling (M&C) the product processing & flow. There are separate systems for the platforms, refining processes, and distribution. ACSs are the brains and nervous system of Ackme’s operations.
Customers
Ackme supplies natural gas over a large geographical customer base including 2 major metropolitan areas, one an old banking center and the other hosting a number of HQs for large commercial enterprises. Thirty-nine percent of the NG product flowing locally is used for electrical generation, 30% by heavy industry, 13% goes to retail and office buildings, and the remaining 18% to homes. In times when demand is weak, Ackme contracts with Liquefied Natural Gas (LNG) operators to ship their gas overseas. Ackme also has a smaller refining operation where its crude oil is processed. Its primary outputs are jet fuel, delivered to the nearby major airports via pipeline, and diesel fuel, used to power generators on its own platforms with excess sold on the spot market. In times of particularly low demand, Ackme will sell their excess crude production to larger refiners.
Gross Revenue from Product
Natural Gas production from each platform averages 185,000 thousand (185 million) cubic feet per week. With NG prices ranging from $6.50 to $10.00 per thousand cubic feet, the NG gross revenue per platform is valued at $72 million annually. Additionally, Crude Oil withdrawal averages 13,000 barrels per week. At $60 per barrel, platform Oil gross revenue is valued at $111,500 daily or $41 million annually. So a platform produces gross revenue in the neighborhood of $113 million per year, or for all 10 platforms $1.13 billion. A single well produces for 6 years. A platform lifespan is in the neighborhood of 20-40 years.
Figure 2. Average Gas Platform Production per day
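The revenue figures in the Gross Revenue from Product section can be turned into a downtime cost and combined with a qualitative rating, as the hybrid assessment requires. The following is an added example, not part of the original course material: the per-platform revenue numbers come from the text, while the ransom amount, restore cost, outcome probabilities, downtime durations and rating thresholds are constructed placeholders to be replaced with the assessor's own estimates.

```python
from dataclasses import dataclass

# Per-platform gross revenue stated in the background material (USD per year).
NG_REVENUE_PER_YEAR = 72_000_000
OIL_REVENUE_PER_YEAR = 41_000_000
PLATFORMS = 10
ANNUAL_GROSS = (NG_REVENUE_PER_YEAR + OIL_REVENUE_PER_YEAR) * PLATFORMS

# ASSUMPTION: rating bands as a share of annual gross revenue (not from the page).
RATING_BANDS = [(0.001, "Low"), (0.005, "Medium"), (0.02, "High")]


def daily_revenue_per_platform() -> float:
    """Gross revenue one platform stops earning per full day of downtime.

    Gross revenue overstates lost margin, so treat this as an upper bound.
    """
    return (NG_REVENUE_PER_YEAR + OIL_REVENUE_PER_YEAR) / 365


@dataclass
class Outcome:
    label: str
    probability: float       # assessor's estimate, 0..1
    platforms_down: int      # platforms without management access
    days_down: float
    direct_cost: float = 0.0  # ransom, recovery labour, replacement hardware

    def loss(self) -> float:
        if not 0 <= self.platforms_down <= PLATFORMS:
            raise ValueError(f"{self.label}: platforms_down out of range")
        downtime = self.platforms_down * self.days_down * daily_revenue_per_platform()
        return downtime + self.direct_cost


@dataclass
class CourseOfAction:
    name: str
    outcomes: list

    def _check(self) -> None:
        total = sum(o.probability for o in self.outcomes)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"{self.name}: probabilities sum to {total}, not 1")

    def expected_loss(self) -> float:
        """Quantitative part: probability-weighted loss over all outcomes."""
        self._check()
        return sum(o.probability * o.loss() for o in self.outcomes)

    def worst_case(self) -> float:
        self._check()
        return max(o.loss() for o in self.outcomes)

    def rating(self) -> str:
        """Qualitative part: bucket the expected loss against annual revenue."""
        share = self.expected_loss() / ANNUAL_GROSS
        for limit, name in RATING_BANDS:
            if share < limit:
                return name
        return "Critical"


# CONSTRUCTED sample inputs: every number below is a placeholder assumption.
RESTORE_COST = 250_000
RANSOM_PLACEHOLDER = 5_000_000

RESTORE = CourseOfAction("Staged restore from backups", [
    Outcome("clean restore, no downtime", 0.6, 0, 0, RESTORE_COST),
    Outcome("partial downtime during restore", 0.3, 2, 2, RESTORE_COST),
    Outcome("attackers retaliate via same entry point", 0.1, 10, 5, RESTORE_COST),
])
PAY = CourseOfAction("Pay the ransom", [
    Outcome("access returned after payment", 0.7, 1, 1, RANSOM_PLACEHOLDER),
    Outcome("payment made, access not returned", 0.3, 10, 5, RANSOM_PLACEHOLDER),
])


def compare(courses: list) -> list:
    """Rows of (name, expected loss, worst case, rating), cheapest first."""
    rows = [(c.name, c.expected_loss(), c.worst_case(), c.rating()) for c in courses]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    for name, expected, worst, rating in compare([PAY, RESTORE]):
        print(f"{name:30s} expected ${expected:>13,.0f}  worst ${worst:>13,.0f}  {rating}")
```

The ranking is only as good as the probability and duration estimates, so the report should show how the result changes when those inputs are varied.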
Stakeholders
Ackme (ticker AKC) is a publicly traded company on the NASDAQ exchange. Due to the significant increase in natural gas supply from new wells in the Marcellus Shale regions in the Northeast US, the price of NG has fallen. But due to its vertical nature in its region, Ackme has a strong hold on local supply and has kept prices higher than elsewhere in the country. Business and political leaders in the Bi-City area have started serious discussions with alternate NG providers, located further inland, about financing new pipeline construction to take advantage of the favorable pricing. Ackme is a big employer in the region with slightly over 3,000 employees.
Natural Gas Processing & Distribution
After being extracted from the well, separated from oil & water on the platform, and transported to shore, the NG is routed to a refining facility. There it is further processed to remove contaminants and become pure methane before being routed directly to customers, or to underground storage. The storage provides the capability to balance flows when production is slow or usage high. The gas is stored in depleted land-based subterranean caverns. Total available storage is approximately 3 days high usage for the entire service area. See Figure 3 below for details on the purification process to refine the raw gas to methane.
Figure 3 – Ackme Natural Gas Refining Facility Process
Ackme delivers its NG product via pipeline from its processing facility in large volumes to over 100 major customers in the Old Borough (OB) and New City (NC) Metropolitan Areas. Both OB and NC have metro populations in excess of a million. Ackme’s NG customers include:
large electrical utilities that use it as their primary fuel source for power generation (39%),
large gas distribution utilities that deliver it for heating and cooking to office buildings, commercial areas & homes (31%), and
major industrial sites with a variety of customers where it is used as fuel for heating production materials and for running large generators (30%).
The Natural Gas Distribution Control System
NG distribution pipelines require constant monitoring and control over pipeline pressure, volume flow/usage, temperature and valve opening/closing. To accomplish this Ackme employs a regional Automatic Metering Infrastructure (AMI). See Figure 4, below. Its components include an extensive network of programmable logic controllers (PLCs), communications equipment, sensors, and actuators. These devices sit along the pipelines at crucial junctions and at points of connection (POCs) also known as “gates” with some customers.
Figure 4 – H. Ackme Natural Gas Automatic Metering Infrastructure (AMI)
More detail on the gates follows in the next section. While Ackme has a little over 100 customers, they only maintain 12 gate stations. Beyond the gate stations, advanced meters are used primarily to track flow, temperature, and pressure. The pressure in the pipeline after the gate station is substantially reduced from 1,000 to 200 psi, and then at the meters there is further reduction, depending on the demand level requested by the customer. At connection points there is a sophisticated process happening because the gas has to be heated (moving from high to lower pressure produces cooling – the gas can “freeze” – become a solid). Also, an agent is injected at connection points so that the gas has a smell. Methane is normally odorless.
Figure 5. Gate and Meter Connections
All metering connections include safety systems that can open and close valves automatically in emergency situations. The meter usage data is recorded with electro-mechanical sensors and sent through the control system to the Ackme Regional Center (ARC) and then to corporate HQ for billing.
Ackme’s NG technology is considered 3rd Generation, with the most recent technology being 4th generation. The 4th generation has more security by default and also has the capability to place security devices in-line. Generations in control systems technology tend to be quite long compared to end user computer devices. The processing equipment for oil & gas processing is very expensive and once in place it is not unusual for it to be employed for 20 to 40 years along with the same control system hardware and software. But due to radical technology changes and critical infrastructure becoming a cyber target, that cycle is shortening. At Ackme the Automatic Meter Infrastructure (AMI) distribution & control system is all Modbus TCP/IP enabled with a combination of wired ethernet & wireless. It was state of the art 7 years ago. Gate stations are multi-million dollar investments, and advanced meters, tens of thousands with installation.
Gate Station & Meters Technical Detail
Ackme Gas distribution utilizes the Badger Model 2 line of controllers across their entire infrastructure. The controllers are manufactured by the Critical Infrastructure Hardware Corporation (CIHC) with their headquarters in the U.K. Ackme utilizes Badgers in the Gate Station and the Advanced Meter products.
The Badger Gate Station technology monitors & controls all the processes including ball valve opening/closing, pressure regulation, odorant insertion, gas heating, emergency shutdown, leakage monitor, relief valves, and all telecommunication. They require a 120v AC 100 amp power source. See Figure 6 below. The Badger Gate Station Controller Systems were purchased due to their unique technology employing parallel Siemens S-7 200 controllers running the Modbus protocol, a crossover power supply, and the Wind River VxWorks operating system. All gate stations operate using an IP enabled wired ethernet. The OS is configured and the Human Machine Interface (HMI) custom programmed (Python and C++), by Badger software engineers. The controller system has a 12 hour battery backup UPS.
The Badger Advanced Meters use Modbus for reporting, and are remotely programmable to use different protocols, react to changes in line pressure, and modify reporting formats. Routine power to the device is 24v x 30 amp and supplied through an electro mechanical pressure conversion device. The Badger system also contains a 12 hour battery backup.
Figure 6 – Badger Gate Station Technology & Advanced Meter
In both the gate station and advanced meter, if the battery fails after 12 hours, the valves will close, shutting off the gas supply to the customer. They may only be manually turned back on with a special master key, kept by Ackme operators.
Both the Gate station and Advanced Meter controllers have communications modules that can connect via TELCO modems, reserved radio bandwidth, internet service providers, or via satellite. The specific choice of medium is dependent on topography, availability of comm infrastructure at the point of connection, and cost. The communications channels are all directed into the regional center. Some intermittent issues with communications on the AMI network, primarily in the reserved spectrum radio, were experienced in previous months but those issues have ceased.
Ocean Platform Operations
Ackme contracts with drillers to sink wells on the ocean floor and to connect those wells to platforms. The platforms are movable, but are set in one place for years in large oil/gas fields that have been surveyed and contain years of supply. On average ten wells are fed into one platform. New wells are drilled in the same locale when an old well becomes depleted, and a new pipeline is installed to the platform for extraction. Due to its depth 2 miles underground the oil/gas mixture comes to the surface at a pressure of 2,000 pounds per square inch (psi). When the product, an oil, gas, & water mixture, comes to the surface it undergoes a separation process into its components aboard the ocean platforms. From there the oil and compressed NG flow in separate batches through a pipeline to an onshore facility where they are routed for further processing to the NG purification facility or to an oil refinery, respectively. Most of the platforms also have the capability to load the products directly onto transport ships, but scheduling for this must be done months in advance.
Due to the significant cost of laying seafloor pipeline from the platform to the shore, the separated NG and oil must utilize the same pipe from each platform. And where possible the pipelines from two or more platforms are connected on the seafloor. After the crude is run through the separator only either gas or oil can be sent directly to shore. The other product must be stored temporarily, until the required batch in the pipe is completed. Then the pipe is quickly cleaned and the opposite material flow starts. Controlling movement from 100 wells to 10 platforms to connecting links to a shore facility to meet current demand is a complex process.
Once ashore the crude oil is refined into either Diesel or Jet Fuel. The diesel fuel is used primarily to power its own ocean platform generators with excess production sold in bulk to specialty wholesalers. Jet fuel is the primary output at the refinery. Due to its proximity Ackme can offer the fuel at a very attractive price to airlines at both OB and NC airports. As a result, Ackme has an 80% market share at those locations.
Ocean Platform Automated Control Systems (ACS)
Figure 6 below provides a view into the automated operations of extracting, processing and transporting their products from the platforms.
In the bottom “control system” layer of the diagram the physical machinery for processing the oil & gas product is shown. See Appendices A & B for specifics regarding each subsystem. Proceeding left to right in the diagram:
Diesel Power Generators are maintained aboard the platform to supply power to all phases of the operation. The diesel’s piston engine turns a shaft connected to a coil where the electricity is created.
Wells are drilled on the ocean floor and then long flexible piping from each well brings the oil/gas/water product to the platform on the surface.
At the surface, the product is separated into Oil, Natural Gas, and Water. The water is cleaned of contaminants and returned to the Ocean.
The oil or natural gas product flows into storage containers or right into a pipeline for transport to shore, primarily through pipes on the seafloor. Tanker ships docked just off the platform can also be used to transport the product.
As can be seen in the diagram, ACSs include sensors for measurement of flows, temperatures, pressures & actuators that regulate valves, start/stop motors, cameras. Programmable Logic Controllers do the monitoring & regulating using specialized protocols. See Appendix A for details on the subsystems and Appendix B for sensor, actuator, and protocol details. Ackme has tried to maintain a base of Siemens hardware and software where possible. The sensor and actuator activity is reported to a local workstation where it is repackaged and sent forward to the Master Control Room (MCR), and then stored in the Server & Data Historian room and sent in small batches to the ARC. While the MCR Workstations are primarily to monitor, they also have the ability to reach down and make adjustments on the subsystem workstations when necessary. There are operators on duty at all times when processing is in progress.
Figure 7 – H. Ackme Ocean Platform Control Systems & SCADA
Ackme Field operations and ACS Personnel
As a billion dollar company Ackme maintains a large staff of skilled labor in engineering and technical control. Generally the personnel tracks are divided into operators, engineers, and support personnel. The diagram below portrays the division of labor by product group. ACS personnel maintain unique skills in high demand.
Figure 8 – Field Operations organization
Ackme ACS operational personnel (operators & engineers) are employed in all phases of Ackme’s operations to oversee, monitor, & control production. At the local and regional centers the control, computer, and communication systems are monitored 24/365. Operators work around-the-clock shifts. Responding to alarms and alerts is a routine part of a typical ACS operator’s day. In some cases the alarms must be handled immediately by field personnel. The ACSs typically have a safety system that allows them to “fail safe.” Nonetheless, not having Monitoring & Control (M&C) personnel on duty and/or the inability of operators to access the ACSs, irrespective of location, can present a very dangerous situation. Approximately 100 personnel are continuously stationed at each ocean platform. Of those 100, 35-40 are control systems operators and engineers working rotating shifts at the processing substations, in the Master Control Room, or troubleshooting the equipment. Platform operators & engineers live on the platform for 2 week periods working 80-100 hours per week but are then off for 3 weeks. The pay is lucrative but the time away from home is challenging for families. Being relieved mid-period is only available for exceptional circumstances.
Figure 9 – Platform Operators
image sources: Creative commons
Ackme has a cadre of control systems engineers who work closely with the operators and equipment vendor engineers. Those engineers are stationed largely at the ARC and work a routine 8-5 workday but are also on-call 24/365. They work on updating or new designs and help solve complex M&C challenges. Occasionally they are in the field fine-tuning & replacing ACS equipment or updating & reprogramming the ACS software.
Supervision of the operations personnel falls under the various divisions. The ACS engineering staff also falls under the Chief of Field Operations, not Information Technology, and is divided into 5 subgroups as follows, with the number of personnel in parentheses.
Control & Communications Engineering Groups 1-4 work out of the ARC near New City. Refining and NG Distribution ACS engineers are on site. There is frequent travel to the remote substations for alert mitigation and fine tuning of the control systems. The ACS groups work closely with the field operators. Due to the large quantity of Siemens equipment, a Siemens engineer is co-located with Ackme at the ARC site.
Cyber Incident Response Procedures
Platform workers routinely practice incident response related to the well, separation, & transport procedures. So they know how to shut down and report operational anomalies, but they are not necessarily educated or trained in IT. There is an automatic real time digital redundancy on the sub-systems and the processes are designed to fail-safe. However, none of the operators are equipped to handle an entire failure of the process computer system (including VOIP phones and the serial controllers) except to report it via the hand held radio network. The capability to restore all software is contained on one of the servers in the server room. But personnel for doing the reimaging are not aboard, and it may be 24 hours before they can be brought aboard, primarily due to limited air transportation vehicles and routine scheduling. So telecommunication back to the ARC is vital for the operators in unusual circumstances.
Ackme Regional Center (ARC)
All Ackme operations can be viewed in a centralized command center on the Ackme HQ Campus located near the Airport about 5 miles west of OB and about 30 miles south of New City. A significant number of communications mechanisms are used to receive, forward, collect data and control field operations. The center utilizes Dell, Microsoft Server & workstation, and CISCO technology. Physical Access to the ARC and all Ackme facilities is controlled by the Central Security Service, not Field Operations. The CSS also oversees cameras, physical intrusion detection, and special locked rooms. Ackme has a centralized RFID card access system from Gallagher Corp. New, reassigned and expanded duty employees are given access to areas based upon their position and location. Regretfully the procedures for removing personnel from the system have been lax and during audits this issue has been raised multiple times.
Figure 10. Monitoring & Control Center
ARC Sub-Groups
In the ARC the operators are arranged by groups: Supervisory, Platform & Oil Refining, Gas Refining & Distribution, and Storage and Transportation.
As the “clearinghouse” for all Ackme operations, the ARC maintains a status reading of all the system components. From there continuous calculations are being made to maximize the efficiency of Ackme operations, matching orders to production while maintaining optimal product levels to meet demand.
Most of the central operation is concerned solely with harvesting summary data from the platforms and refining operations. This would include data such as hourly production and storage tank volumes. Detailed data such as temperatures, pressures, etc. on the platforms are collected but only stored locally, kept for 90 days and then purged. In the single large master control room the sub-groups from the NG, Platform, fuels and storage groups can coordinate their operations and make adjustments for perturbations in their chain.
Relationship with IT
Field Ops has its own testing lab for testing potential changes to their infrastructure. They rely upon a small group of embedded device code programmers in the IT department who assist the ACS Group with scripting and occasional code rewrites of HMI browsers, Online Linking & Embedding for Process Control (OPC), or other code when Operating Systems (OS) or other updates are installed. Other than that the Control Engineers handle all MCR, workstation, etc computing issues. Occasionally they work with a contractor, CSC Solutions, to swap aging equipment or perform some maintenance tasks on hardware & software when operations are stressed.
A centralized Information Security Control Board works for all of Ackme. Its members, headed by the IT department's head of IT security, are:
Information Technology
Finance & Accounting
Communications Group
Control Systems
Operator Representative
All changes to policy with respect to control systems cybersecurity must go through this board.
Appendix A – Current Platform Control Systems Technology
Platform Networks
Subsystem communication to Master Control Room using SNMP, ProfiNet
Ethernet using CISCO Systems Hardware, IOS and Static IP addressing
Sub-system Switches
Main Router
Server Room
MS-Windows 2008 & 2012 Servers, DNS, SNMP, Active Directory
OSI PI Data Historian
Master Control Room – Monitor & Control of all Platform systems
Operators Desktop: Windows 7 32 bit Professional OS, SP2
Applications: MS-Office 2013, Outlook/Exchange Server; Wonderware
Engineering Workstation:
Platform Subsystems:
Wellheads, Separation, and Platform Storage & Transportation all have similar configurations as follows:
Local HMIs: Windows XP SP 2 HMI using Wonderware with extended C coding and .NET; local and central data storage using OSI PI cvf
Controllers: Siemens PCS-7 using Profibus RS-485 full Duplex Multipoint Serial Platform to HMI
HMI to Platform Control Center Comm: OPC and .Net Framework 3.0 SP2
Physical Security
CISCO Security Camera & DVR System
Gallagher Corporate Level Physical Access Control System
Operators Desktops: Windows 7 32 bit Professional OS, SP2
Analog Handheld Radio, digital phone system
Physical Plant Engineering Room
Oversight of Johnson Controls HVAC
New Platform
All Fiber optic IP network: sensors/actuators, controllers, local HMIs, switches & routers, platform center, backup wireless capability; Digital IP radio for voice
Appendix B – Platform Control Systems IO & Communications Protocols
*Indicates a secure version is available
Appendix C – Acronyms
ACS – Automated Control System
AMI – Automatic Meter Infrastructure
AMR – Automatic Meter Reading
ARC – Ackme Regional Center
CRAC – Computer Room Air Conditioning
FO – Field Operations
HMI – Human Machine Interface
HVAC – Heating Ventilation & Air Conditioning
ICS – Industrial Control System
IP – Internet Protocol
M&C – Monitoring & Control
NC – New City
NG – Natural Gas
OB – Old Borough
OPC – Online Linking & Embedding for Process Control
PCS – Process Control System
PLC – Programmable Logic Controller
POC – Point of Connection
RTU – Remote Terminal Unit
Appendix D. References
Roach, E. A Primer on Offshore Drilling. May 8, 2014.
Oil: Crude and Petroleum Products Explained.
CISCO, AVEVA & Schneider Electric. Oil and Gas Pipeline Industrial Security Reference Design. January 2019.