The business networks and technological systems that make up data-driven oil fields are susceptible to outside attacks and potential failures. As cyberattackers find ways to exploit the vulnerabilities in present security systems, the industry continues to develop more robust cybersecurity controls to protect its assets. It is important to implement these controls early in the project life cycle, an expert said.
During a Society of Petroleum Engineers webinar, “Protecting the Digital Oil Field from Emerging Cyber Threats,” Ayman al-Issa outlined various controls companies may insert into the designs of their digital infrastructures. Al-Issa is the chief technologist of industrial cybersecurity at Booz Allen Hamilton.
Al-Issa said the nature of the cybersecurity threat has expanded beyond the spread of viruses and stealing data. Hackers now possess the capability to, among other things, increase pressure in a pipeline, change the parameter settings of field devices, close and open motorized valves, and cause a denial service attack within an incident command system. An effective process control security system could be critical to preventing a disaster.
Companies help open the doors for potential attacks by incorrectly assuming a low security risk. Al-Issa said that, among other things, some companies presume they are not likely targets, or that their business is not interesting enough to attract attention from hackers. They believe that having a proprietary production system, or isolating that system from other systems provides an extra layer of security. However, as some sectors in the industry develop a more technologically integrated ecosystem, al-Issa said the risk of attacks will continue to increase.
“We need to realize that these attacks are not science fiction. They are realistic. Companies have started to realize the concern with critical infrastructures. We do have to take things more seriously, and we have to find ways to secure those critical infrastructures,” he said.
Al-Issa said security should be built into the full life cycle of a project’s industrial control systems whenever possible. Cybersecurity requirements should be defined during the conceptual design phase of the project. This process includes the selection of vendors and engineering staff, as well as the evaluation of system and network architecture designs. After the initial security design is configured, the architecture can be filled in along with the network security requirements.
In the detailed engineering phase, cybersecurity considerations should be refined and applied to overall design of the security system. This involves establishing security requirements, evaluating the system against those requirements, and finding alternatives if the system fails to meet those requirements.
Procurement of the overall system and subsystems must take security into account. Al-Issa said procurement requires interaction with multiple vendors because of the complexities of most systems. In addition, it is important for vendors to commit to compliance with security requirements.
“Procurement is a critical phase, and at this stage you must decide what you are going to procure, what you need, and develop the list of materials you need for those control systems. But, at the same time, we need to identify the solutions we need to implement in these critical infrastructures, and we have to be sure that we have the list of subsystems that we want to have within those security systems,” he said.
The first security technical testing should take place during the factory acceptance testing phase. Since most industrial automation and control systems (IACSs) are inherently insecure, al-Issa said the focus during this testing should be on communication paths in and out of the IACSs. Traditional security concerns must also be studied, such as the hardening of operating software, access rights and account management, and backup procedures.
A second round of testing should take place before commissioning. Al-Issa said it was important to pay attention to the network components during this phase, since the security systems will be installed on-site. The security focus during the handover phase should be on end user awareness training, specifying roles for staffers and embedding security practices in daily routines. Once the system is commissioned, the security team should begin continuous monitoring.
This webinar is available here.