OTC: Risk-Based Cybersecurity Critical for Offshore Automation
Automation is playing an increasingly vital role in oil and gas operations, including offshore assets. Operating companies can use automated systems to augment and replace human effort in dangerous locations, increasing on-site safety. However, an expert said that automated systems bring additional vulnerabilities with potential safety impacts, thus requiring an updated risk-handling approach that allows companies to better understand these risks.
At a presentation at the 2017 Offshore Technology Conference, John Jorgensen discussed the merits of risk-based security. Jorgensen is director of cybersecurity and software at the American Bureau of Shipping.
A risk-based approach is one where companies make a conscious effort to understand the variables that could affect assets, people, and outcomes. It involves a risk assessment that provides the basis for the prioritized application of cyber protective applications and measures.
When performing a risk assessment, Jorgensen said companies should determine which functions of an asset are mission-critical (essential to the operational performance of the asset), business-critical (essential to the financial performance), and safety-critical. This requires an understanding of the collective requirements that link systems together into the process flows that provide input and output.
Managing assets in a risk-based security system requires a catalogue that examines the cyber complexity and business attributes of each asset along with relevant cybersecurity documentation. Jorgensen said some of the biggest vulnerabilities can be found in the interfaces between one system and another.
“We have to look very carefully to understand where those interfaces are so that we know what happens between the two,” he said. “Performance monitoring that we put on individual systems is valuable, but that only tells us so much. We learn much more when we look at the interfaces between systems and then monitor the traffic that goes between and among systems as they operate.”
Risk-based security often involves the installation of automated systems that can interface with safety-critical manual systems. Jorgensen said these converged systems present new challenges for companies to consider beyond the basic priorities—confidentiality, integrity, and availability—associated with information technology (IT). He said that, in many cases, process control systems have confidentiality as a lower priority than an IT system.
“When we start talking about operational systems and control systems, we have a different ordering that we have to be concerned about. We have to understand and maintain positive control of these production systems at all times. We have to know exactly what they’re doing and what the stake is,” he said.
Jorgensen outlined three components to risk-based security: people, processes, and procedures. He said that strong security systems require smart decision making from a company’s leadership that stems from the knowledge of how to use technology to optimize the processes that enable production. Building a security infrastructure may be difficult in this regard, because companies with steady production outputs may prefer to maintain a stable, somewhat static, technology base in order to avoid the disruption that sometimes comes with significant hardware and software upgrades. Jorgensen said a static technology base is more vulnerable to attack.
“We have to secure the organization because the bad guys learn and improve our procedures faster than we can,” he said. “That’s because they don’t have to worry about things like change management. They don’t have to be concerned about configuration control. They have a faster turnaround cycle because, while we have the capability to learn, we have to maintain production while we’re doing it.”
Jorgensen said that the proper management of operated systems requires a different level of thinking, as companies must continually prioritize risk conditions in their security architectures. He suggested the formation of an industrial controls office designed to run automated systems and control systems, as well as manage the trusted processes for performing the software upgrades and other system upgrades necessary for maintaining a safe operation.
Jorgensen warned that a risk-based approach is not a guaranteed fail-safe against security breaches. It does, however, help companies handle the growing role of automated systems in their operations.
“There will, inevitably be something that gets past you and that’s where, when we do our risk assessments, we give our probabilities,” he said. “We can tolerate this once every 10,000 years. We can tolerate this once every 100 years. The difference between the two is that the one every 10,000 years takes a lower priority than the one every 100 years for where we put resources, but we still have to understand that things can break, things can go wrong.”
Williams, CPPIB To Form $3.8-Billion Appalachia Midstream JV
The combination will operate and share ownership of midstream gas assets in the Utica and Marcellus Shale plays. CPPIB financially backs operator Encino Energy, which last year acquired Chesapeake Energy’s Utica assets.
Are Deepwater Projects Due for a Revival?
The oil price downturn spawned a lull in deepwater enthusiasm, but better project execution and reduced project lead times have helped operators achieve lower costs and better returns. What does the landscape for deep water look like in the near term? Will operators get more involved?
Imperial Delays Canadian Oil Sands Project
The decision to ramp down production on the Aspen project comes months after the Alberta provincial government imposed production cuts to handle pipeline bottlenecks. Aspen is projected to produce 75,000 BOPD upon startup.
Don't miss out on the latest technology delivered to your email every two weeks. Sign up for the OGF newsletter. If you are not logged in, you will receive a confirmation email that you will need to click on to confirm you want to receive the newsletter.
26 February 2019
08 March 2019
15 March 2019
27 February 2019