EDITOR’S NOTE: While digital technologies will support cost efficiency in a growing gas industry, greater connectivity can raise cyber risk. Oil and gas quality assurance and risk management company, DNV GL, released a recommendation on how to manage cyber threats to the operational technology of gas networks.
The spread of digital technologies in the oil and gas industry is generating new opportunities to improve performance, profitability and sustainability, but it also brings new safety and security challenges in operations, including gas networks.
Gas transmission system operators are looking at artificial intelligence, the Industrial Internet of Things (IIoT), machine learning and augmented reality to see how they may improve operational efficiency and safety, for example.
Some are already integrating digital technologies into more sophisticated data gathering, analysis and visualization to maintain, repair and operate gas networks.
Along those lines, DNV GL’s 2018 Industry Outlook survey found 43 percent of more than 800 senior oil and gas professionals globally expect their organizations to increase spending on cybersecurity this year. Digitalization (75 percent) and cybersecurity (68 percent) are clear investment intentions over the next five years.
Attack Surface Increases
Greater connectivity between operational technology (OT) and information technology (IT), and the rise of the IIoT, can increase and even change the vulnerabilities of oil and gas assets to cyber attack.
Cybersecurity breaches can lead to lost production; raised health, safety and environmental risk; costly damages claims; breach of insurance conditions; negative reputational impacts; and loss of license to operate.
“The industry is guarded about the frequency and impact of such breaches, but we are certainly seeing cybersecurity move up the agenda for pipeline owners, operators, industry associations, and for governments and their agencies,” said Petter Myrvang, information risk manager, DNV GL — Digital Solutions. “Looked at in more detail, the risk arises as critical OT network segments that were once isolated are now being connected to IT networks.”
These segments include, among others, supervisory control and data acquisition (SCADA) systems, safety and automation systems (SAS) and control systems with programmable logic controllers (PLCs): An attractive target for hackers.
Managing cyber-threats to OT requires detailed domain knowledge beyond general IT security. This encompasses traditional oil and gas operational domain competence as well as automated, unmanned, integrated and remote operations, which are accessible online.
Confronted by the OT/IT cybersecurity challenge, parties responsible for the safe and sustainable operation of oil and gas assets need to take a holistic approach. The International Electrotechnical Commission’s IEC 62443 standard covering security for industrial automation and control systems is the first stop for information on cybersecurity.
DNV GL’s Recommended Practice (RP) DNVGL-RP-G108 “Cybersecurity in the oil and gas industry based on IEC 62443” provides best practice on how to apply the IEC 62443 standard to the oil and gas industry, including pipelines.
The globally-applicable, tailored guideline came out of a two-year joint industry project (JIP) in response to demand to address how operators, working with system integrators and vendors, can manage the emerging cyber threat.
DNV GL initiated and led the JIP involving ABB, Emerson, Honeywell, Kongsberg Maritime, Lundin, Shell Norway, Siemens, Statoil (now Equinor), and Woodside Energy. The Norwegian Petroleum Safety Authority observed the work and exchanged experiences with the JIP group from a regulatory perspective.
The recommended practice is relevant for the whole oil and gas industry including the midstream and downstream sectors. It embraces international practices and experiences, and considers health, safety and environmental requirements, as well as the IEC 61511 standard for specification, design, installation, operation and maintenance of a safety-instrumented system. DNVGL-RP-G108 applies not only to new installations; existing and more mature assets may need to be updated to prevent and protect against cyber threats.
The recommended practice is intended to include all elements – people, processes, technology – to ensure cybersecurity is addressed in industrial automation and control systems.
This includes the asset owner/operator, system integrator, product supplier, service provider and compliance authority. The practice explains shared responsibilities and describes who performs activities, who should be involved, and the expected inputs and outputs.
Simulating a cyber attack on a pipeline system can demonstrate strengths and weaknesses within an organization and is a practical exercise to start building defenses. Some companies recruit and develop “ethical hackers” to perform testing and verification of OT, IT and linkages between them.
These ethical hackers combine hacking expertise with profound domain knowledge of OT.
The ethical hacking process begins with passive and active reconnaissance of an asset or system’s cybersecurity. Remote metering of infrastructure scans for potential vulnerabilities, for example. If any are found, the next step is to try to gain access through penetration testing to reveal actual vulnerabilities and help customers mitigate risk.
From the use of default system passwords and missing patching to unsecured WiFi providing a route into control systems, vulnerabilities can be simple. Ethical hackers also scan for weaknesses in customer OT and IT systems that could be used to enter and exploit the system to affect operations or access confidential information. Some of this scanning and testing can be carried out remotely.
Ethical hacking can also assist the verification and technical qualification of equipment and systems. Penetration testing is a relevant third-party verification step for any critical, cyber-enabled infrastructure, such as gas networks.
“Applied at the concept phase, it can then be used to validate the effectiveness of the barriers that were initially designed into the integrated system,” Myrvang said.
Cybersecurity is an ever-changing challenge, requiring continual updates to standards. IEC 62443 committees will likely issue a new standard for protection levels in the future, for example. Protection level is a methodology for evaluating protection of plants in operation. It includes combined evaluation of technical capabilities and related processes, and of technical and organizational measures.
The technical implementation and configuration in the industrial automation and control system, and how this system is operated, maintained, and deployed will be reflected in the protection level.
Click here for more information on the DNV GL recommendations.