Safety and reliability of Pipeline Management Systems are paramount and must be the top priority at all hours, every day. However, as the Oil and Gas sector adopts the Industrial Internet of Things (IIoT), systems are increasingly at risk of cyberattacks. Traditional security has been intent on keeping potential attackers out, but today’s leading security experts expect attacks and take a defense-in-depth approach to minimize damage. This involves thinking about security as a lifecycle as opposed to a collection of one-off incidents. Different steps of prevention, defense and learning need to take place before, during and after an attack.
New technologies make the O&G segments a constantly evolving landscape. Standalone systems and networks are often moving to standardized IP protocols and Ethernet-based wired or wireless networks. Commercial off-the-shelf (COTS) technology has been replacing older devices, and IT and OT teams have begun to converge. The Internet of Things has seen many devices connect to systems to streamline processes and increase efficiency. Yet this increased connectivity has led to increased vulnerability.
Not only Technology
The NIST Cyber Security Framework has, in recent times, emphasized the human aspect of security. Technology plays a part in organizations’ defenses, but people are just as important. Issuing guidelines and establishing standard practices provide a foundation of education for employees and contractors. IEC-62443 uses a tier system that shows how technology, people and processes come together to form a cohesive defense.
The three hallmarks required of a pipeline management system are availability, integrity and confidentiality. IEC-62443 outlines 7 Foundational Requirements (FR) to help applications, infrastructures and devices meet these 3 hallmarks. These include: identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability.
Schneider Electric deploys Secure Development Lifecycle (SDLC) programs for its products. This ensures that a solution has end-to-end security, from training and security requirements that ensure that employees follow best practice, to delivering secure, rigorously tested architectures and designs. Even deployment and services teams are directly involved in managing the cyber security aspects of the solution.
In the process of deploying a security solution, O&G executives may consider an Intrusion Prevention System (IPS) or an Intrusion Detection System (IDS), as well as other protocols. An IPS or IDS can be used in a variety of ways, but its connectivity, availability and security should always be carefully considered.
Cryptography and data encryption are methods of protecting data, making it harder to manipulate. Encryption uses symmetric or asymmetric keys and is usually applied to data crossing any public-access WAN infrastructure and to stored data. Message authentication ensures that the pipeline management system receives only accurate data, so decisions can be made reliably.
Together, these aspects form layers of security that continue to evolve to meet the new demands of cyber security in the O&G sector.