
OffComm News. By Lars Thoresen, manager PS GRC/Defence at NTT Com Security

Lars Thoresen at NTT Com Security offers advice when addressing network security in the O&G sector.

As oil prices remain at a dismayingly low level, oil and gas producers are increasingly looking for ways to cut costs and increase margins. One feasible and obvious method would be to move towards increased automation of production facilities, which would lead to reduced expenditure and the rightsizing of personnel (and the reduced salary cost that follows).

However, some considerations need to be made in terms of network security. This aspect is often overlooked, particularly as there is an increased reliance on SCADA (Supervisory Control and Data Acquisition) systems, which will inevitably be used to a greater extent when increased automation occurs. The threats the sector faces are increasingly similar to the general threat environment in cyberspace. As more SCADA systems are using the internet as a carrier of information (mainly through VPN functionality), the threat actors that operate on the internet become more interested in attacking these systems. Security by obscurity, which for a long time has been the main line of defence for companies, is ineffective. One key example of this is the Stuxnet and Flame malware infections, targeting vulnerabilities in operating software that is only found on SCADA systems. By infecting production networks, hackers can both collect information stored on those networks and affect the production itself. In both cases, there are substantial economic assets at risk.

There is also, of course, the aspect of physical and cyber terrorism. Several times in recent years, there have been instances where terrorist groups have seized physical control over production facilities and their respective SCADA systems.

There are several ways to ensure that physical control does not mean logical control, but these measures need to be implemented before a breach event. Encryption protocols, security technology and a well-built ISMS (Information Security Management System) can be an organisation’s best allies when operating in such a threat environment. The key is in understanding that it is too late to do anything once the facility has been taken over, or when the malware infection is a fact.

To sum up, automation comes at a cost in terms of information security assurance, and it needs to play a role when making decisions in today’s cost-cutting frenzy.

Can we legally not have manually monitored production processes?

Several countries have very rigid requirements when it comes to the safety and security aspects of information systems handling and supporting production processes within the oil and gas sector.

Is the availability aspect of the system well balanced with the need for confidentiality and integrity?

It is theoretically and technically possible to monitor and run an oil well in the North Sea from a tablet device while snugly located in the user’s own living room. The question should rather be whether it is a wise thing to do.

Is the risk connected to automation properly assessed before a decision is made to rely increasingly on automated systems?

Far too often, we see a gut-feeling analysis applied, and the definition of risk appetite and implementation of risk remediation overlooked when the financial projections are being discussed. Sadly, some companies rarely discuss the impact of a severe security breach on the bottom line.

There is no doubt that it is possible to protect the networks on which SCADA systems run, but it may be costly. And the higher the consequence of a security breach, the more a company needs to consider implementing security measures. This is common sense, and applies to all walks of production and business. In the oil and gas industry, the consequences may be higher in terms of interrupted production, environmental impact and legal liability.

