Cybersecurity—Understanding the Threat Landscape

Automation provides many new and improved abilities for ships and offshore assets. Automation is more than the mere replacement of the functions of older (less optimal) systems; it requires system interoperability and integration. Interconnectivity of multiple systems adds new risk factors to the system as a whole. Two key risk factors are cybersecurity and system complexity.

At a high level, cybersecurity means understanding systems, processes, and personnel capabilities and limitations, as well as thoroughly evaluating the threat landscape. In other words, system owners must have a keen understanding that there will always be new threats to counter and new technologies to harness.

With improvements in cybersecurity systems, employees are now the preeminent target, thus making them a substantial vulnerability. Negligence (human error) and malicious acts, including being the victim of phishing/whaling attacks, lost laptops, accidental disclosure of information, and actions of rogue employees, account for up to two-thirds of all cyber-related breaches. Industry must be cognizant that added complexity (e.g., system design/arrangement, rules, policies, and procedures) can decrease an individual’s situational awareness and increase the likelihood of human error.

A key to effective systems-risk assessment and complexity management lies in understanding cybersafety system designs and how people interact with those systems. This paper discusses methods to engineer systems, to control system complexity, and to mitigate human error, with the goal of creating an efficient and effective cybersecurity environment.

Introduction
System integration enables automation efficiencies, and modern system designs encourage function consolidation within processes. Designers incorporate network links to provide system interoperability by way of connectivity and common protocol communications. However, intersystem connections often create unanticipated communications paths, which can introduce operation-related risks and, more specifically, cybersecurity risks. The more significant a system’s complexity is, the less likely it is that all risks will be identified and fully evaluated.

Operational risks associated with automation systems, no matter their operating domain, center on the engineered reliability of the individual subsystems or components and upon the overall integrity and robustness of the integrated system-of-systems form. Individual systems can be understood for performance, fault management, and expected behaviors from the manufacturer or integrator documentation, service support, or warranty terms. Integrated systems bring new and different conditions to their host ship, at-sea asset, or facility because communication functions and paths among individual subsystems can introduce unanticipated messages, commands, noise, or traffic. 

It is incumbent upon the crew who use these integrated automation systems to understand the performance and behaviors of the whole, for the ease and completeness of their own tasks and for the good of the host organization. Technical risks derive from an individual system’s reliability, which means that factor (reliability) becomes a corporate-knowledge requirement and a key operational metric. Systemic risks, derived from an integrated system’s connected robustness and resilience to unexpected conditions, similarly will require that those behaviors be verified and documented as part of system knowledge and personnel training.

Knowledge of systems and functions, then, is integral to understanding the overall risk position of the system, organization, or installation. Complexity of systems, in the integrated whole, works against the operators and crew unless human factors are integrated with the systems, enabling operators to perform their duties better with machine assistance.  

Find the paper on the HSE Technical Discipline Page free for a limited time.
