CYBER SECURITY AND THE MODERN PRODUCTION ENVIRONMENT
Lars Thoresen at NTT Com Security offers advice when addressing network security in the O&G sector.
As oil prices remain at a dismayingly low level, oil and gas producers are increasingly looking for ways to cut costs and increase margins. One feasible and obvious method would be to move towards increased automation of production facilities, which would lead to reduced expenditure and the rightsizing of personnel (and the reduced salary cost that follows).
However, some considerations need to be made in terms of network security. This aspect is often overlooked, particularly as there is an increased reliance on SCADA (Supervisory Control and Data Acquisition) systems, which will inevitably be used to a greater extent when increased automation occurs. The threats the sector faces are increasingly similar to the general threat environment in cyberspace. As more SCADA systems are using the internet as a carrier of information (mainly through VPN functionality), the threat actors that operate on the internet become more interested in attacking these systems. Security by obscurity, which for a long time has been the main line of defence for companies, is ineffective. Key examples of this are the Stuxnet and Flame malware infections, which targeted vulnerabilities in operating software that is only found on SCADA systems. By infecting production networks, hackers can both collect information stored on those networks and affect the production itself. In both cases, there are substantial economic assets at risk.
There is also, of course, the aspect of physical and cyber terrorism. Several times over the recent years, there have been instances where terrorist groups have seized physical control over production facilities and their respective SCADA systems.
There are several ways to ensure that physical control does not mean logical control, but these measures need to be implemented before a breach event. Encryption protocols, security technology and a well-built ISMS (Information Security Management System) can be an organisation’s best allies when operating in such a threat environment. The key is in understanding that it is too late to do anything once the facility has been taken over, or when the malware infection is a fact.
To sum up, automation comes at a cost in terms of information security assurance, and it needs to play a role when making decisions in today’s cost-cutting frenzy.
Can we legally not have manually monitored production processes?
Several countries have very rigid requirements when it comes to the safety and security aspects of information systems handling and supporting production processes within the oil and gas sector.
Is the availability aspect of the system well balanced with the need for confidentiality and integrity?
It is theoretically and technically possible to monitor and run an oil well in the North Sea from a tablet device while snugly located in the user’s own living room. The question should rather be whether it is a wise thing to do.
Is the risk connected to automation properly assessed before a decision is made to rely increasingly on automated systems?
Far too often, we see a gut-feeling analysis applied, and the definition of risk appetite and implementation of risk remediation overlooked when the financial projections are being discussed. Sadly, some companies rarely discuss the impact of a severe security breach on the bottom line.
There is no doubt that it is possible to protect the networks on which SCADA systems run, but it may be costly. And the higher the consequence of a security breach, the more a company needs to consider implementing security measures. This is common sense, and applies to all walks of production and business. In the oil and gas industry, the consequences may be higher in terms of interrupted production, environmental impact and legal liability.