logo


Jul-2015

Cyber security in the refining world

Protection of industrial control assets requires ongoing risk assessment, well-defined security policies and an aggressive overall strategy

ERIC KNAPP
Honeywell Process Solutions

Viewed : 7646


Article Summary

Headlines about cyber breaches in the energy sector have gained the attention of senior executives and board members of companies around the world, resulting in greater scrutiny of their own risk management. For many petroleum companies, however, while technology and security demands continue to increase, skilled resources and time to apply critical security technology is often decreasing.

The same advances in process automation systems for oil refineries and petrochemical plants that bring higher efficiencies and increased output can also bring greater cyber security risks. These can include concerns about personnel safety, damage to expensive infrastructure, loss of production and negative impacts on company reputation.

By understanding what contributes to the risk of a cyber incident, petroleum facilities can work to minimise them and achieve a higher level of performance and predictability of process systems and networks. This approach includes preventing possible business outages, and diminishing the threat of lost revenue due to serious safety, environmental and personnel catastrophes.

Growing security threats

The evolution of cyber threats and exploitation of data vulnerability continues to advance at a rapid and increasing pace. Malware has become more sophisticated, harder to eliminate and better at evading detection. Newly engineered strains of malware continue to surface, and new variations of existing malware appear at an amazing rate, as many as six per second, or over a half a million per day.1 While there may be efforts by malicious parties to cause physical disruption to industrial operations, the sheer prevalence of malware creates an inherent risk to any interconnected system. Whether accidental or intentional, as automation technology advances and becomes more and more dependent upon digital communications, the exposure to a cyber threat has become a critical issue for petroleum refiners worldwide.

Information is a necessary ingredient to any successful modern business, and the need to collect and share information within all areas of the energy industry is only going to increase. The automation infrastructure for refineries and petrochemical plants is more advanced and complicated than ever before. Plant networks are converging with enterprise networks at an increasing rate. The unfortunate side effect of this is an increasingly large attack surface, with a growing number of potential attack vectors. It is now easier for a cyber threat to reach and penetrate an unprotected industrial system than ever before.

Information derived from the industrial automation and control system (IACS) at facilities in energy sectors is invaluable to plant managers to ensure efficient processes and safe operations. However, it can be just as valuable to ‘bad actors’, or those malicious individuals or groups that might pose a threat. Information can be ransomed for money. It can be used to replicate process knowledge and steal intellectual property. It can be used to alter or disrupt operations up to and including catastrophic damage and the loss of life. Just as information assists company executives in decision making to advance their profitability and gain an advantage in a competitive marketplace, information can be used by cyber criminals to craft even more sophisticated and targeted cyber threats, controlled by even more expansive and evasive command and control infrastructures.

In summary, the increasing dependence upon data acquisition coupled with the adoption of open architectures increases the exposure and vulnerability of a control network to a wide range of cyber threats. At the same time, the threats are increasing in both frequency and complexity, ranging from malware infections to targeted, sponsored attacks.

Increased vulnerability plus increased threat leads to much greater risk. This risk is significant and pressing, so understanding it needs to be a key part of any successful cyber security strategy. Understanding risk requires a knowledge of threats and vulnerabilities, which means additional resources will be required to collect cyber security information, make sense of it, and act.

When considering the refining, natural gas and petrochemical industries, the risks are compounded by additional factors: insufficient manpower to manage security efforts; a greater emphasis on uptime and reliability; tighter industry and government regulations; and, of course, an even greater need for more data accessibility, to drive more aggressive and demanding business goals.

Another challenge, perhaps one of the greatest challenges in improving cyber security practices for the IACS, is that while the threats facing the modern IACS are derived from a common computing platform shared by many industries, many of the practices and techniques used for general purpose cyber security are not entirely applicable to industrial use. While specialised cyber security products do exist for the protection of industrial control systems, the development of new tools still lags that of traditional enterprise cyber security development. In order to ensure that the available tools are used to their maximum potential, the tools must be thoroughly tested for efficacy, and special considerations must be made during deployment in order to ensure plant reliability.

Mitigating the root causes of cyber security risk
Despite the increasing sophistication of the cyber threat, the basic tenets of cyber security are still applicable. Risk is a function of threat, vulnerability and consequence, so when the threat level is high, risk can be reduced by the reduction of vulnerability and consequence.

Consequence is best mitigated through the design of robust industrial control systems. Vulnerability is best addressed through the implementation of strong access and authorisation controls. Strong passwords, network encryption, properly configured firewalls and role-based authentication are among the primary methods to protect against an exploit reaching its target. While specific software vulnerabilities might exist, such as an application or operation that is susceptible to remote code execution, there are additional layers of vulnerability to the software. For the typical refinery, cyber security issues can result from:
• Lack of defined security zones, and unsecure conduits/connections between zones
• Unsecured staff access for internal maintenance, retrieval of historian data, and so on.
• Remote third-party contractor and vendor access
• Removable media brought onto the site, including external hard drives and even smart phones
• Out of date malware signatures
• Obsolete or unpatched operating systems
• Poorly configured, inadequate or missing cyber security countermeasures.

Attacks on a facility may involve only the cyber components and their operation, but their impact can extend into the physical, business, human, and environmental systems to which they are connected. A cyber event, whether initiated externally, internally or due to inadequate policies and procedures, can lead to a loss of system control and the corresponding negative consequences.


Add your rating:

Current Rating: 3


Your rate: