Cybersecurity in the oil and gas industry
How to get prepared for the risks

Today’s industrial Ethernet and wireless technologies have made it easy for oil and gas professionals to share data faster and more efficiently – regardless of whether they are on an offshore platform or in the main office. All of these far-flung locations, spread throughout the globe, are connected via complex, enterprise-wide networks transferring critical data. Connecting control systems with the business world helps optimise operations. However, these intricate communication networks are increasing the risk of cyber threats.

One of the challenges facing the oil and gas industry is the growing risk of cyber threats. An accidental virus infection could shut down production, costing millions of dollars in lost revenue. The vulnerability of the communication path begins at the wellhead and ends at the distribution point at the other end of the supply chain. Hackers have a long route along which to find a small back door that allows them entry to inflict potential damage. According to a news release from Tripwire, Inc., 82 % of oil and gas industry respondents said their organisations have seen an increase in successful cyberattacks over the past 12 months. The study, conducted by Dimensional Research in November 2015, included more than 150 IT professionals in the energy, utilities and oil and gas industries. The study also found that 69 % of oil and gas respondents are apparently “not confident” their organisations are able to detect all cyberattacks. Unfortunately, there are numerous examples of cyber risks and threats to the oil and gas industry. One of the biggest appeared in 2012, when the Shamoon virus attacked Saudi Aramco, the world’s leading oil and gas production company. The virus erased data in at least 30,000 of Aramco’s corporate computers. Aramco reported that the objective of the attack was to stop the company’s production, which represents more than 10 % of the global oil supply. Other well-known malware includes Stuxnet, Flame and Duqu, but there are plenty more instances likely to be lurking undetected.
How can an owner-operator develop, implement and maintain an enterprise-wide, global-yet-local cybersecurity strategy of this magnitude? In the new cyber world order, everyone should be involved in the design and engineering of cybersecurity guidelines for existing systems. Owners and operators need to locate and map out the entire supply chain network and determine what technologies, best practices and programs are suited for their specific system without any interruptions to production. Meanwhile, they must meet the cybersecurity guidelines that government agencies have imposed for individual industries.
Interdisciplinary cooperation
Network security is the highest priority of IT staff, but it is low on the radar for most control engineers or plant managers. The discovery of the Stuxnet worm, however, forced industrial plant management to devote a higher level of attention to the operational risks confronting chemical, oil and gas and other critical plants. Since then, control engineers have realised that they need to take an active role in security rather than leave it entirely in the hands of IT.
To create a secure network, control engineers and plant managers must work together with the IT department and the technology it uses. They face the difficult task of placing protective measures around and within existing systems while still maintaining the flexibility of multiple protocols and technologies. A good first step is to fully understand and map the existing plant network and, if needed, to place it behind the current IT infrastructure. Recommended best practices include:
  • Insulate and isolate communication between the corporate and plant networks with a router
  • Filter data coming in and out with a firewall; this also promotes network segmentation
  • Avoid accidental or unauthorised access by blocking and managing access controls
  • Mitigate viruses and malware that get into the systems with integrity monitoring scans and detection tools
  • Use virtual private network (VPN) technology to send and receive encrypted data from remote locations
Security devices
When the Internet started growing, control systems evolved from isolated islands to highly interconnected systems. The concept of “security by obscurity” as a tool to protect control systems from cyberattacks is not realistic. However, network architectures can be protected and guarded by specific devices built on the same security technology used in IT, yet still designed to meet the rugged, hazardous conditions that may be present in a hydrocarbon plant. Today, there are security devices with industrialised hardware and advanced configuration options which can provide a defence-in-depth option for critical applications, such as the mGuard router from Phoenix Contact. These devices have sophisticated security capabilities including firewalls with an integrated router and VPN. The Common Internet File System (CIFS) is the standard method for computer users to share files across corporate intranets and the Internet. Some industrial security devices include CIFS Integrity Monitoring, an antimalware tool used in industrial PCs to scan Windows-based systems for files that have been manipulated by malware without having to update the signature database. Industrial devices can also save and store logs from data packets as well as information coming in and out of the network for audits with the relevant federal regulatory agency.
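The principle behind signature-free integrity monitoring, as described above, shown as an added example (not Phoenix Contact code and not a description of how mGuard implements CIFS Integrity Monitoring): hash the watched files while the system is known-good, then re-scan and report any deviation. The watched extensions, the file names and the temporary directory standing in for an industrial PC's share are assumptions constructed for the demonstration.

```python
import hashlib
import os
import tempfile

WATCHED_EXTENSIONS = (".exe", ".dll", ".sys")  # assumption: file types worth watching


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each watched file (path relative to root) to its SHA-256 digest."""
    result = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WATCHED_EXTENSIONS):
                full = os.path.join(folder, name)
                result[os.path.relpath(full, root)] = hash_file(full)
    return result


def compare(baseline, current):
    """Report files changed, added or removed since the trusted baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed sample: a fake HMI directory, tampered with after the baseline."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("hmi.exe", b"original build"), ("driver.dll", b"v1"), ("notes.txt", b"log")):
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)
        baseline = snapshot(root)                      # taken while the system is known-good
        with open(os.path.join(root, "hmi.exe"), "ab") as handle:
            handle.write(b"appended bytes")            # simulated manipulation
        with open(os.path.join(root, "helper.exe"), "wb") as handle:
            handle.write(b"new binary")                # unexpected new executable
        os.remove(os.path.join(root, "driver.dll"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is only trustworthy if it is stored and compared away from the monitored PC, so that malware on that PC cannot rewrite it along with the files.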
Cloud based portals
A defence-in-depth approach to cybersecurity incorporates multiple layers of protection to keep unwanted traffic off the industrial network. It has been proven that diverse layers of protection within industrial networks are a better approach than a single, monolithic layer. This defence-in-depth method of protection delays, rather than prevents, access from unwanted users. These measures not only connect and protect, but can also be easily integrated into production environments and industrial systems.
No matter what security measures the owner of a hydrocarbon plant takes, there is always a possibility of a breach, so a disaster recovery plan is still critical. This plan should be tested and rehearsed. Defensive strategies must be monitored and active at all levels of possible attacks: detection, isolation, containment and elimination. Taking this protection one step further, there are now secure, cloud based portals that can integrate industrial devices and automated systems directly into the network without modification or planning.
The mGuard Secure Cloud offers a complete, turnkey VPN solution for companies that build machines and manufacture systems. Service personnel connect quickly and securely to machines, industrial PCs and controllers via a simple web interface. In addition, secure remote maintenance can be performed at any location and any time without requiring specialist IT knowledge. The virtual private networks used for this are based on the proven IPsec security protocol, ensuring the confidentiality, authenticity and integrity of all information and data transmitted between all devices connected via the mGuard Secure Cloud. Furthermore, the mGuard Secure Cloud is operated at a high-availability computer centre in Germany in accordance with the most stringent data protection standards.

Mariam Coladonato
Product Marketing Specialist Networking and Safety,
Phoenix Contact

Facts & Figures

Security router for process technology
The Phoenix Contact mGuard security router satisfies both the demanding hardware requirements of the process industry and the stringent IT specifications for security products. In terms of hardware, the extended temperature range from -40 to +70 °C, the IEC Ex and Atex approvals for hazardous areas and the corrosive gas test according to ISA-S71.04–1985 G3 Harsh Group A are just a few of its many advantages. On the software front, additional security blocks for the OPC Classic protocol, which is widely used in industry, have been integrated alongside the existing mGuard security functions. These blocks include DPI (Deep Packet Inspection) and NAT (Network Address Translation) functions. DPI enables a high-quality OPC Classic firewall to be established within the production site, while NAT allows systems with the same IP addresses to be quickly and easily integrated into a higher-level production network without address conflicts.