OTC: Risk-Based Cybersecurity Critical for Offshore Automation
Automation is playing an increasingly vital role in oil and gas operations, including offshore assets. Operating companies can use automated systems to augment and replace human effort in dangerous locations, increasing on-site safety. However, an expert said that automated systems bring additional vulnerabilities with potential safety impacts, thus requiring an updated risk-handling approach that allows companies to better understand these risks.
At a presentation at the 2017 Offshore Technology Conference, John Jorgensen discussed the merits of risk-based security. Jorgensen is director of cybersecurity and software at the American Bureau of Shipping.
A risk-based approach is one where companies make a conscious effort to understand the variables that could affect assets, people, and outcomes. It involves a risk assessment that provides the basis for the prioritized application of cyber protective applications and measures.
When performing a risk assessment, Jorgensen said companies should determine which functions of an asset are mission-critical (essential to the operational performance of the asset), business-critical (essential to the financial performance), and safety-critical. This requires an understanding of the collective requirements that link systems together into the process flows that provide input and output.
Managing assets in a risk-based security system requires a catalogue that examines the cyber complexity and business attributes of each asset along with relevant cybersecurity documentation. Jorgensen said some of the biggest vulnerabilities can be found in the interfaces between one system and another.
“We have to look very carefully to understand where those interfaces are so that we know what happens between the two,” he said. “Performance monitoring that we put on individual systems is valuable, but that only tells us so much. We learn much more when we look at the interfaces between systems and then monitor the traffic that goes between and among systems as they operate.”
Risk-based security often involves the installation of automated systems that can interface with safety-critical manual systems. Jorgensen said these converged systems present new challenges for companies to consider beyond the basic priorities—confidentiality, integrity, and availability—associated with information technology (IT). He said that, in many cases, process control systems treat confidentiality as a lower priority than IT systems do.
“When we start talking about operational systems and control systems, we have a different ordering that we have to be concerned about. We have to understand and maintain positive control of these production systems at all times. We have to know exactly what they’re doing and what the stake is,” he said.
Jorgensen outlined three components to risk-based security: people, processes, and procedures. He said that strong security systems require smart decision making from a company’s leadership that stems from the knowledge of how to use technology to optimize the processes that enable production. Building a security infrastructure may be difficult in this regard, because companies with steady production outputs may prefer to maintain a stable, somewhat static, technology base in order to avoid the disruption that sometimes comes with significant hardware and software upgrades. Jorgensen said a static technology base is more vulnerable to attack.
“We have to secure the organization because the bad guys learn and improve our procedures faster than we can,” he said. “That’s because they don’t have to worry about things like change management. They don’t have to be concerned about configuration control. They have a faster turnaround cycle because, while we have the capability to learn, we have to maintain production while we’re doing it.”
Jorgensen said that the proper management of operated systems requires a different level of thinking, as companies must continually prioritize risk conditions in their security architectures. He suggested the formation of an industrial controls office designed to run automated systems and control systems, as well as manage the trusted processes for performing the software upgrades and other system upgrades necessary for maintaining a safe operation.
Jorgensen warned that a risk-based approach is not a guaranteed fail-safe against security breaches. It does, however, help companies handle the growing role of automated systems in their operations.
“There will inevitably be something that gets past you, and that’s where, when we do our risk assessments, we give our probabilities,” he said. “We can tolerate this once every 10,000 years. We can tolerate this once every 100 years. The difference between the two is that the one every 10,000 years takes a lower priority than the one every 100 years for where we put resources, but we still have to understand that things can break, things can go wrong.”