Countering security threats to oil and gas networks

With greater connectivity between operational technology (OT) and information technology (IT), and the rise of the IIoT, can increase and even change the vulnerabilities of oil and gas assets to cyber attack. Companies and standards groups are looking to counter these efforts.

09/10/2018


The spread of digital technologies in the oil & gas industry is generating new opportunities to improve performance, profitability and sustainability, but it also brings new safety and security challenges in operations, including gas networks.

Gas transmission system operators are looking at artificial intelligence, the Industrial Internet of Things (IIoT), machine learning and augmented reality to see how they may improve operational efficiency and safety, for example. Some are already integrating digital technologies into more sophisticated data gathering, analysis and visualization to maintain, repair and operate gas networks.

Along those lines, DNV GL's 2018 Industry Outlook survey found 43% of more than 800 senior oil and gas professionals globally expect their organizations to increase spending on cybersecurity this year. Digitalization (75%) and cybersecurity (68%) are clear investment intentions over the next five years.

Attack surface increases

Greater connectivity between operational technology (OT) and information technology (IT), and the rise of the IIoT, can increase and even change the vulnerabilities of oil and gas assets to cyber attack.

Cybersecurity breaches can lead to lost production; raised health, safety and environmental risk; costly damages claims; breach of insurance conditions; negative reputational impacts; and loss of license to operate.

"The industry is guarded about the frequency and impact of such breaches, but we are certainly seeing cybersecurity move up the agenda for pipeline owners, operators, industry associations, and for governments and their agencies," said Petter Myrvang, information risk manager, DNV GL - Digital Solutions. "Looked at in more detail, the risk arises as critical OT network segments that were once isolated are now being connected to IT networks."

These segments include, among others, supervisory control and data acquisition (SCADA) systems, safety and automation systems (SAS) and control systems with programmable logic controllers (PLCs): An attractive target for hackers.

Managing cyber-threats to OT requires detailed domain knowledge beyond general IT security. This encompasses traditional oil and gas operational domain competence as well as automated, unmanned, integrated and remote operations, which are accessible online.

Standards view

Confronted by the OT/IT cybersecurity challenge, parties responsible for the safe and sustainable operation of oil and gas assets need to take a holistic approach. The International Electrotechnical Commission's IEC 62443 standard covering security for industrial automation and control systems is the first stop for information on cybersecurity. DNV GL's Recommended Practice (RP) DNVGL-RP-G108 "Cybersecurity in the oil and gas industry based on IEC 62443" provides best practice on how to apply the IEC 62443 standard to the oil and gas industry, including pipelines.

The globally-applicable, tailored guideline came out of a two-year joint industry project (JIP) in response to demand to address how operators, working with system integrators and vendors, can manage the emerging cyber threat. The Norwegian Petroleum Safety Authority observed the work and exchanged experiences with the JIP group from a regulatory perspective.

The recommended practice is relevant for the whole oil and gas industry including the midstream and downstream sectors. It embraces international practices and experiences, and considers health, safety and environmental requirements, as well as the IEC 61511 standard for specification, design, installation, operation and maintenance of a safety-instrumented system. DNVGL-RP-G108 applies not only to new installations; existing and more mature assets may need to be updated to prevent and protect against cyber threats.

The recommended practice is intended to include all elements—people, processes, and technology—to ensure cybersecurity is addressed in industrial automation and control systems.

This includes the asset owner/operator, system integrator, product supplier, service provider and compliance authority. The practice explains shared responsibilities and describes who performs activities, who should be involved, and the expected inputs and outputs.

Cyber simulation

Simulating a cyber attack on a pipeline system can demonstrate strengths and weaknesses within an organization and is a practical exercise to start building defenses. Some companies recruit and develop "ethical hackers" to perform testing and verification of OT, IT and linkages between them. These ethical hackers combine hacking expertise with profound domain knowledge of OT.

The ethical hacking process begins with passive and active reconnaissance of an asset or system's cybersecurity. Remote metering of infrastructure scans for potential vulnerabilities, for example. If any are found, the next step is to try to gain access through penetration testing to reveal actual vulnerabilities and help customers mitigate risk.

From the use of default system passwords and missing patching to unsecured Wi-Fi providing a route into control systems, vulnerabilities can be simple. Ethical hackers also scan for weaknesses in customer OT and IT systems that could be used to enter and exploit the system to affect operations or access confidential information. Some of this scanning and testing can be carried out remotely.

Further verification

Ethical hacking can also assist the verification and technical qualification of equipment and systems. Penetration testing is a relevant third-party verification step for any critical, cyber-enabled infrastructure, such as gas networks.

"Applied at the concept phase, it can then be used to validate the effectiveness of the barriers that were initially designed into the integrated system," Myrvang said.

Cybersecurity is an ever-changing challenge, requiring continual updates to standards. IEC 62443 committees will likely issue a new standard for protection levels in the future, for example. Protection level is a methodology for evaluating protection of plants in operation. It includes combined evaluation of technical capabilities and related processes, and of technical and organizational measures.

The technical implementation and configuration in the industrial automation and control system, and how this system is operated, maintained, and deployed will be reflected in the protection level.

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, cvavra@cfemedia.com.



Engineers' Choice Awards
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers.
System Integrator Giants
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
System Integrator of the Year
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
Design of Safe and Reliable Hydraulic Systems for Subsea Applications
This eGuide explains how the operation of hydraulic systems for subsea applications requires the user to consider additional aspects because of the unique conditions that apply to the setting
How to Maximize Factory Automation Efficiency with Low Cost Machine Vision
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Wireless Reliability in Harsh Environments
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
September 2018
Optimize controls via cloud software, ladder logic simulation, industrial wireless best practices
August 2018
Augmented reality and virtual reality education, autotuning PID control, cybersecurity advice, educating engineers
July 2018
Ladder logic best practices and object-oriented programming, safety instrumented systems, enclosure design issues and challenges, process control advice
Edge Computing
This article collection contains several articles on how today's technologies heap benefits onto an edge-computing architecture such as faster computing, better networking, more memory, smarter analytics, cloud-based intelligence, and lower costs.
Data Center Design
Data centers, data closets, edge and cloud computing, co-location facilities, and similar topics are among the fastest-changing in the industry.
PLCs
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. Featured articles in this digital report compare PLCs and programmable automation controllers (PACs), industrial PCs, and robotic controllers.
SIDB

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

August 2018
SCADA standardization, capital expenditures, data-driven drilling and execution
June 2018
Machine learning, produced water benefits, progressive cavity pumps
April 2018
ROVs, rigs, and the real time; wellsite valve manifolds; AI on a chip; analytics use for pipelines
John O. Ayuk, PE, CFSE, PMP, CAP
Automation Engineer; Wood Group
Doug Baker
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
Data Centers: Impacts of Climate and Cooling Technology
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
Safety First: Arc Flash 101
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
Critical Power: Hospital Electrical Systems
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
Engineers' Choice Awards
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers.
System Integrator Giants
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
System Integrator of the Year
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
Design of Safe and Reliable Hydraulic Systems for Subsea Applications
This eGuide explains how the operation of hydraulic systems for subsea applications requires the user to consider additional aspects because of the unique conditions that apply to the setting
How to Maximize Factory Automation Efficiency with Low Cost Machine Vision
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Wireless Reliability in Harsh Environments
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
September 2018
Optimize controls via cloud software, ladder logic simulation, industrial wireless best practices
August 2018
Augmented reality and virtual reality education, autotuning PID control, cybersecurity advice, educating engineers
July 2018
Ladder logic best practices and object-oriented programming, safety instrumented systems, enclosure design issues and challenges, process control advice
Edge Computing
This article collection contains several articles on how today's technologies heap benefits onto an edge-computing architecture such as faster computing, better networking, more memory, smarter analytics, cloud-based intelligence, and lower costs.
Data Center Design
Data centers, data closets, edge and cloud computing, co-location facilities, and similar topics are among the fastest-changing in the industry.
PLCs
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. Featured articles in this digital report compare PLCs and programmable automation controllers (PACs), industrial PCs, and robotic controllers.
SIDB

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

August 2018
SCADA standardization, capital expenditures, data-driven drilling and execution
June 2018
Machine learning, produced water benefits, progressive cavity pumps
April 2018
ROVs, rigs, and the real time; wellsite valve manifolds; AI on a chip; analytics use for pipelines
John O. Ayuk, PE, CFSE, PMP, CAP
Automation Engineer; Wood Group
Doug Baker
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
Data Centers: Impacts of Climate and Cooling Technology
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
Safety First: Arc Flash 101
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
Critical Power: Hospital Electrical Systems
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
Engineers' Choice Awards
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers.
System Integrator Giants
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
System Integrator of the Year
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
Design of Safe and Reliable Hydraulic Systems for Subsea Applications
This eGuide explains how the operation of hydraulic systems for subsea applications requires the user to consider additional aspects because of the unique conditions that apply to the setting
How to Maximize Factory Automation Efficiency with Low Cost Machine Vision
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Wireless Reliability in Harsh Environments
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
September 2018
Optimize controls via cloud software, ladder logic simulation, industrial wireless best practices
August 2018
Augmented reality and virtual reality education, autotuning PID control, cybersecurity advice, educating engineers
July 2018
Ladder logic best practices and object-oriented programming, safety instrumented systems, enclosure design issues and challenges, process control advice
Edge Computing
This article collection contains several articles on how today's technologies heap benefits onto an edge-computing architecture such as faster computing, better networking, more memory, smarter analytics, cloud-based intelligence, and lower costs.
Data Center Design
Data centers, data closets, edge and cloud computing, co-location facilities, and similar topics are among the fastest-changing in the industry.
PLCs
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. Featured articles in this digital report compare PLCs and programmable automation controllers (PACs), industrial PCs, and robotic controllers.
SIDB

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

August 2018
SCADA standardization, capital expenditures, data-driven drilling and execution
June 2018
Machine learning, produced water benefits, progressive cavity pumps
April 2018
ROVs, rigs, and the real time; wellsite valve manifolds; AI on a chip; analytics use for pipelines
John O. Ayuk, PE, CFSE, PMP, CAP
Automation Engineer; Wood Group
Doug Baker
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
Data Centers: Impacts of Climate and Cooling Technology
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
Safety First: Arc Flash 101
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
Critical Power: Hospital Electrical Systems
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me