Fraud and product theft prevention in industrial enterprises

Measurement and process automation, products and materials tracking, advanced data analytics and correlation will deliver increased detection, better investigative capabilities and deter fraud and product theft.

By Leszek Mroz and Michal Paulski, EY OT Advisory Services August 20, 2014

For quite a while now, industrial facilities have been designed and built with physical safety and security in mind. The same, however, cannot be said about cyber security, which includes the internal threats of product thefts, sabotages, and production data frauds. Depending on the type of product being manufactured and characteristics of particular industrial processes, it may be challenging for a business to detect and investigate such incidents. Obviously, no special means are required to detect an instance of large volume thefts. The problem arises, when the scale of a single incident is "invisible to the bare eye," but losses resulting from multiple occurrences are considerable.

In large volume manufacturing like at an oil refinery, measurements of particular values may not be precise enough to reveal discrepancies between product volumes existing on paper and those in an actual tank or pipe. For example, a 1 mm drop of the level of fuel in a 80m diameter tank would translate into 5 000 liters of missing product.

While enterprise resource planning (ERP) and other financial systems, placed at the end of volumes tracking and billing process, were under close surveillance and audits for years, tools and systems at the industrial level, that are used to gather and process different process values and equipment parameters, escaped scrutiny. This is a problem because values gathering is often based on manual measurements, paper documents and in-house developed applications to process everything. Using an accurate industrial automation and control system (IACS) provides ability to track and audit product data, which reduces the window of opportunity for anyone to sabotage production or steal. Certain activities also can help.

Measurement and process automation

Measuring equipment for billing purposes used to be limited to local indication sensors only, which must be manually read. Despite new methods, this way of gathering billing information is still used in many places. Measurements are read by two people from each side of the transaction and written down on paper. This makes it possible for the two individuals to make an illegal agreement to keep the unregistered volumes to themselves and insert different values than actually indicated by the equipment.

In order to ensure reliable billing of materials of specific physical and/or chemical properties, regulations were introduced requiring a certification of the measurement system, together with requirement for periodical validation of compliance by external entities or government bodies. The downside of the idea is that the certification process is expensive and troublesome. As a result, progress in those systems’ evolution was slowed down. However, if the certification process is expensive and troublesome and as a result, progress in the systems’ evolution has slowed. Integration with other systems is limited as well since the measurement system has to be certified as a whole and so in many cases physical documents must be manually transferred to a next system for further use. While certification mitigates the risk of product thefts to some extent, the entire process may still involve manual data transfer, which still makes data alteration possible. At the same time, tons of printed protocols are kept in archives and are only analyzed in case there is a suspicion that the certified output was not properly transferred to the next system, such as ERP systems, for further processing.

Certified databases

The solution came a few years ago, when fully automated measurement systems with certified databases were introduced. Computing components of those systems are being protected in the same manner as measurement equipment. The physical seals blocked unauthorized configuration changes blocked and made it necessary to follow strict operational rules to keep the system certificate valid. The systems themselves were equipped with data analysis and report generating applications, which help users identify suspicious, potentially illegal actions.

The volume of product isn’t the only aspect that makes small changes difficult to detect, however. Temperature is a matter of great importance because it influences the liquid’s volume and its level in a tank. This can create a significant margin of error in measurement if no precise compensation exists to take all variables into consideration. An insider who is aware of how much product can disappear without exceeding those "buffer" values can exploit this loophole.

Fortunately, the technology to precisely monitor product volumes already exists. The system can monitor the volume stored in tanks as well as in pipelines and during the product’s movement (such as during blending). Systems like that can even take into consideration time required for fuel surface to level after the product was flown into or out of the tank, so that the volume measurement is not distorted by an uneven liquid surface. 

Products and materials tracking

Production plant is a closed area, relatively easy to control, usually protected by CCTV and security guards. It makes stealing of large, valuable goods almost impossible without help from someone on the side. Even with that consideration,chances are the thieves will be identified by different technical security systems. That is why in most cases, products are being stolen during transit rather than from the production site.

Radio frequency identification (RFID) technology can be used to reduce thefts because RFID does not require a visual contact between the tag and reader to confirm package location. The reader located inside the transport vehicle periodically emits a radio signal, which then powers small tags placed on the packages/containers. In response, the tags send back their ID to confirm their presence inside the vehicle. Data gathered by the reader can then be sent over GSM network to wherever it is needed. This way, any unexpected event, even the disappearance of one package, is immediately reported.

Advanced leak detection is also worth mentioning from the point of view of incident discovery. Especially in case of pipeline transmission, where parts of the pipeline network are located beyond visual control of the operator. Cases are known of thieves drilling into pipelines to steal the product either occasionally or even as a long term operation, if for example the thief is collaborating with someone on the inside, who manipulates the values on the output side of the pipe so that the missing volume goes without notice in the documents. In case of pipeline drillings, an important capability is not only precise detection mechanisms (such as pressure, flow, and ultrasound based measurements), but also the ability to locate the exact place of the leak.

Advanced data analytics, correlation

If internal personnel commit fraud or theft, it is usually done by a user with a deep understanding of internal affairs, process configurations, and knowledge of cracks in volume tracking systems. If one is not caught red-handed, it may not be possible to track down the event. One of the problems of successful fraud investigation is identification of exact moment of when the incident took place and its sequence of events. The source of such information can be found in many technologies available and in use today, but not used to support incident detection and after-the-fact investigations. Manufacturing execution systems (MES) used to optimize manufacturing processes can be successfully used to detect frauds and materials theft in real time.

Symptoms of an incident may include increased number of registered items which did not meet quality standards, deviations of numerous process parameters from expected values or higher than normal materials or energy consumption.

Also, data can be correlated from multiple different systems to create output indispensable to incident prevention and investigation. So-called big data on physical processes can be intelligently analyzed by advanced tools connecting the dots from data pieces gathered from multiple different systems related to process operations and security, including physical security. An incident may not be visible from analyzing data from one system, but when multiple sources are analyzed together, previously undetectable or difficult to investigate incidents, can now be detected. Data sources can include distributed control systems, supervisory control and data acquisitions systems, historians, physical access card systems, motion detectors, closed circuit televisions, asset management, RFID, active directory logics, application and operation system logs, and global positioning systems.


Fraud and product theft is known to take place and is certainly a problem worth looking into by industrial enterprises. Measurement and process automation, products and materials tracking, advanced data analytics and correlation will deliver increased detection, better investigative capabilities and, in turn, reduced loses. Fortunately, the technology in use for other purposes already can be used to help, so little new investment in hardware and software needs to be made in many cases since what is required is proper utilization of what is in place already. 

Michał Paulski: Michal is working as an ICS Security Consultant at EY. He has conducted numerous control systems security assessments for oil and gas, electricity, chemical, water and transportation sector enterprises in Europe, North America and Middle East. He is a member of the International Society of Automation (ISA) and an active contributor to ISA99/IEC 62443 standards.

Leszek Mróz: Leszek is working as an ICS Architecture Consultant. His main occupation is developing strategies for industrial automation environments, mainly for companies in oil and gas sector. He has years of experience in ICS designing, programming, commissioning and maintenance.