Cisco Blogs


Cisco Blog > Energy - Oil & Gas and Utilities

Ferguson Group Ltd keeps an Eye on Operations with Cisco Physical Security

April 11, 2014 at 9:21 am PST

I remember growing up in the UK years ago during the UK’s  ‘North Sea Oil Boom’. It was a time of great excitement and opportunity for the nation. A whole industry was developed to deal with offshore exploration to ‘bring the energy home’.

It was Aberdeen’s local ‘moon landing’ event -  just five months after Neil Armstrong landed on the moon, the North Sea oil fields were discovered off the east coast of Scotland. Certainly parts of Scotland, Aberdeen especially, saw an uptick in employment from the gloomy ’60s, and the economy changed from rural farming, fishing and textiles to include a more industrial oil and gas setting. Employment, property prices and investment in the City boomed.

Video Surv. from Ferguson Case StudyFerguson is a great Scottish name, but the founder is a great example of how folks were attracted  from outside Scotland (founder Bill Ferguson Jr. is an American) to help further the oil industry in Scotland. Today, Ferguson Group are a key part of the Aberdeen economy, as a leading suppliers of containers, accommodations, and workspace modules for the offshore energy industry (now worldwide).

I thought I’d share how Ferguson conquered a business challenge -- namely protecting high-value equipment and, at the same time, use a standardized system and process worldwide whilst keeping up with industry security standards.

As Graham Cowperthwaite said in a recent article: “For years our headquarters in Scotland relied on an analog video security system”. Graham is director of operations at Ferguson Group, and went on to say “That system wasn’t meeting our needs in terms of image quality and remote accessibility.” He added: “For example, our board members are often traveling between bases, and want to have the ability to check back on facilities from any networked location, even from an iPad. We simply couldn’t do that with an analog system.”

So Ferguson switched from a an analog security system to an IP-based solution, from Cisco. And it wasn’t just cameras and door hardware. They also needed to consider the security and reliability of the network on which camera images and access history would be transmitted and stored.

 ”We looked at other physical security offerings on the market, but nothing came close to Cisco in terms of comprehensiveness,” says Graham Cowperthwaite. “Only Cisco could provide us with a total combination of Cisco IP video cameras, door readers, firewalls, and routers, all available globally with the highest levels of vendor support. We were already a Cisco house in terms of our network infrastructure, and the interoperability of these solutions fit in perfectly with our goals for standardization.”

Ferguson Group now relies on the Cisco® Video Surveillance Manager to monitor its entire facility in Aberdeenshire, including doors, buildings, and the many valuable assets in the company’s storage yard. Supervisors on the Ferguson network can access live, high-quality footage on a laptop or mobile device. They can even review recorded footage as necessary. This all runs on an integrated Cisco architecture (based on Cisco Desktop Virtualization with VMware (VXI), running on the Cisco Unified Computing System™ (UCS®), for the techies amongst you!).

The business results? Read More »

Tags: , , , , , , , , , ,

Safety first, business second, security none?

Based on 25 years of professional experience in various businesses around the globe, I can say that many industry verticals have a pretty good state of safety culture as it relates to the health and safety of their employees.  This is especially true for companies involved in high-risk businesses such as oil and gas, (nuclear) energy, manufacturing, chemicals, food processing, and so on.  In such industries, it is pretty clear that there is a risk that something may blow up, hurt, or even kill people.

However, it seems that the next big driver for them is business alone, and they are not as focused on information or IT security when it comes to the logic side of security like bits and bytes, document handling of confidential information, and similar subjects.  This is in stark contrast to their keen attention to physical safety and security issues.

It would seem intuitive that any organization with  a commitment to safety by counting (and incentivizing) the hours (days, weeks, months, …) of safety-incident-free time should also be easy to convince that taking a similar approach to information security would be a good thing. But it is not that easy.  Operations in these businesses are very physical, so it is not really in the mind-set of a rig guy or gal, a welder, a component mixer, machine operator, or similar, that another devastating incident (attack) could happen from “within” the system(s), by a human adversary committed to do harm in the interest of their nation state or paying agent.  All those systems in the above mentioned industries that are working at the process level (sensors/actuators, process control, SCADA (supervisory control and data acquisition) are designed for efficient and effective, good performing, and reliable operation, but they were not really designed and built to resist logic attacks from a human smart guy who can outsmart almost every defense.

In industrial networks, spanning the areas of instrumentation, control bus, operations, business, or enterprise, the often cited Purdue reference model that provides for several “levels” or “zones” of abstraction and segregation can be used.  A really good introduction can be found in the Secure Data Transfer Guidance for Industrial Control and SCADA Systems.

The main security points to address are:

Tags: , , , , , ,

Securing Cloud Transformation through Cisco Domain Ten Framework v2.0

Businesses of all sizes are looking for Cloud solutions to solve some of their biggest business and technology challenges—reducing costs, creating new levels of efficiency, transform to create agile environment and facilitate innovative business models. Along with the promise of Cloud comes top concern for Security. With rise of applications, transactions and data in the Cloud, business are losing control and have less visibility on who and what is moving in and out of the business boundaries. 

Any  transformation initiative with Cloud, whether a private, hybrid or public, with early focus on security from architecture, governance, risks, threats and compliance perspective can enable the business with a compelling return on investment with a faster time to business value – regardless of geographic, industry vertical, operational diversity or regulatory needs.

Here, I would like to bring to your attention on Cisco Domain Ten framework v2.0 and my blog on What’s New in Cisco Domain Ten Framework 2.0 that is born from Cisco’s hard won experience of deploying both private, hybrid and public Cloud environments, Cisco has developed the Cisco Domain Ten framework and capabilities to help customers accelerate IT transformation.

The Cisco Domain Ten does not prescribe that customers must build each domain into their strategy – rather it provides guidance on what aspects should be considered, what impacts should be identified, and what relationships exist between domains.  Cisco Domain Ten framework 2.0, we can establish the foundation of a true IT transformation and the factors you need to consider for success. Key is to identify, establish and track strategic, operational and technological outcomes for IT transformation initiates. A major thrust of the Cisco Domain Ten is to help customers strategize for transformation vision, standardize their technology components and operational procedures, and automate their management challenges, to deliver on the potential of IT Transformation– covering Internet, Branch, Campus and Data Center environments.

Security consistently tops CIO’s list of cloud concerns. The security domain highlights identification of security and compliance requirements, along with an assessment of current vulnerabilities and deviations from security best practices for multisite, multitenant physical and virtual environments for one’s IT transformation vision.

Security should be a major consideration in any IT transformation strategy. The architecture should be designed and developed with security for applications, network, mobile devices, data, and transactions across on-premise and off-premise solutions. Moreover, security considerations for people, process, tools, and compliance needs should be assessed by experts who understand how to incorporate security and compliance safeguards into complex IT transformation initiatives.

Security is an integral part of the Cisco Domain Ten framework, applies to all ten domains, and provides guidance to customers on all security aspects that they needs. Our Senior Architect from Security Practice – Ahmed Abro articulates well in Figure – 1 Cisco Domain Ten Framework with Security Overlay that there are security considerations for all ten domains for Cloud solutions.

 d10secoverlay

Figure – 1 Cisco Domain Ten with Security Overlay

Now that we understand how Cisco’s Domain Ten Overlay approach that helps one to discuss security for each domain of Cisco Domain Ten Framework, let’s now talk about the how Cisco Domain Ten aligns with Cloud Security Alliance’s (CSA) Cloud Control Matrix to discuss the completeness and depth of the approach.

CSA Cloud Control Matrix Alignment with Cisco Domain Ten

Application & Interface Security

  • D-8 – Application

Audit Assurance & Compliance

  • D-10 – Organization, Governance, processes

Business Continuity Mgmt & Op Resilience

  • D10 – Organization, Governance, processes

Change Control & Configuration Management

  • D10 – Organization, Governance, processes and
  • D-3 – Automation

Data Security & Information Lifecycle Mgmt

  • D-9 – Security and Compliance

Datacenter Security Encryption & Key Management

  • D-9 – Security and Compliance and
  • D-1 – Infrastructure

Governance & Risk Management

  • D10 – Organization, Governance, processes

Human Resources Security

  • D10 – Organization, Governance, processes

Identity & Access Management

  • D-4 -- Customer Interface

Infrastructure & Virtualization

  • D-1 – Infrastructure and Environment and
  • D-2 – Abstraction and Virtualization

Interoperability & Portability

  • D-7 – Platform and
  • D-8 – Application

Mobile Security

  • D-8 – Application and
  • D-1 – Infrastructure and Environment

Sec. Incident Mgmt , E-Disc & Cloud Forensics

  • D-9 – Security and Compliance and
  • D10 – Organization, Governance, processes

Supply Chain Mgmt, Transparency & Accountability

  • D10 – Organization, Governance, processes
Threat & Vulnerability Management
  • D-9 – Security and Compliance

 Table – 1 CSA Cloud Control Matrix Alignment

with Cisco Domain Ten Framework

From above table, one can see that Cloud Security Alliance Cloud Control Matrix and Cisco Domain Ten aligns well and it also highlights key facts that many areas such as Mobile security requires one to focus on Application and Infrastructure (network, virtual servers), etc to address security needs. One should also note that Cisco Domain Ten’s focus on Catalog (Domain 5) & Financials (Domain 6) that highlights security specific SLA and assurance discussions for security controls.

Now that that we discussed, Cisco Domain Ten approach for Security, In the next blog, I would try to discuss how Cisco Service’s focus on the strategy, structure, people, process, and system requirements for Security can help business address an increasingly hostile threat environment and help successful migration to Secure Cloud based transformation. We will also discuss current questions in business asks or should ask to understand security and privacy in the vendor’s agreements.

 

Tags: , , , , , , , , , , , , , , , , , , , , , ,

Summary: Friend or Foe? When IoT Helps You Get Hacked by Your Security

August 14, 2013 at 5:00 am PST

Businesses of all types and sizes stand to benefit greatly from the Internet of Things (IoT), with a wealth of intelligence for planning, management, policy, and decision-making that will help them maximize productivity and efficiency while minimizing costs. However, if not properly protected by integrating it with a solid network security solution, the consequences can be devastating. Read More »

Tags: , , , , , , , ,

Friend or Foe? When IoT Helps You Get Hacked by Your Security

August 8, 2013 at 6:00 am PST

IoT Needs Physical and Network Security 4Earlier this year, the number of connected devices reached the 10 billion mark, surpassing the world’s human population, and experts expect that number to reach 50 billion over the next two years. This phenomenon, known as the Internet of Things (IoT), comprises a highly distributed model of connected objects, devices, and sensors that are used to communicate data. Everyday products can then use that data to analyze, plan, and make intelligent decisions. While IoT promises to fundamentally change our daily lives, arguably the most significant impact of IoT will be to the business world.

While consumers will enjoy new levels of connectivity with IoT, businesses will receive the lion’s share of the benefits. IoT will usher in a wealth of intelligence that businesses can use for planning, management, policy, and decision-making that will help them maximize productivity and efficiency while minimizing costs. In fact, some of these business applications already exist. For example, by connecting their cameras to the network, retailers can use analytics tools that can help them improve customer service, understand traffic patterns, and enhance inventory decisions. Read More »

Tags: , , , , , , , ,