Cyber risks: security of operating activities in the oil and gas sector
In May 2017 the international network Deloitte published a new report, "Integrated approach to management of cyberrisks: security of operating activities in an oil and gas sector". It is devoted to the need to raise the level of security of control systems for production processes (ICS) against the background of the difficulties that new technologies create. The research presents the results of analysis carried out while assisting various oil and gas companies in ensuring not only the physical but also the information security of their ICS.
The report says that, despite the wide adoption of innovative working methods such as robotic systems, digital solutions and the Internet of Things (IoT), the oil and gas sector still lags behind other industries in matters of cyber security. To keep operational processes secure, flexible and ready for possible threats, oil and gas companies should combine efforts in two spheres, the technical and the information technology spheres, and should also apply specialized technical solutions, which are not always easy to protect from cyber attacks.
Understanding the risks
When ICS were created, their later consolidation into networks was not anticipated, yet today that is what has happened. Digitalization of operational processes in the oil and gas sector has opened new opportunities for companies to improve performance and reduce costs. At the same time, the merging of production and business processes also makes organizations vulnerable to new cyber risks. The report considers the following possible scenarios of change in the cyber risk landscape.
- Use of unprotected remote access for communication allows cybercriminals to gain control over the system that manages production processes and to overload it.
- Improper testing of information systems before their deployment leads to a total failure of the systems and, as a result, to disruptions or a halt of production processes.
- Ineffective security practices applied by third-party partners allow viruses to get into the production software environment, which brings key supervisory control and data acquisition (SCADA) systems to a halt.
- Acquiring technology products without full preliminary testing and error correction makes the enterprise vulnerable and allows hostile actors to gain remote access to systems.
Companies should find a way to make use of the opposing points of view on information systems and operational processes. Bowtie analysis, a popular concept widely used in engineering to assess hardware failures, can be a useful tool for overcoming this misunderstanding. The following additional measures can also be applied to protect ICS.
- Assessing the maturity of existing controls. This measure involves taking an inventory of assets and equipment and assessing their importance to the organization; determining whether key assets and equipment have well-studied vulnerabilities that can be exploited; and assessing the maturity of controls in order to manage these threats proactively.
- Developing a unified program. A centralized cyber security program in the oil and gas sector can be developed and implemented through long-term work aimed at a comprehensive transformation of ICS. At each stage of the transformation it is necessary to keep in mind the most important goal: improving the management of operational processes in order to create a safe, operational and protected control environment.
- Implementing key control procedures. Although indicators of risk readiness differ from company to company, there are several fundamental cyber risk controls that practically every oil and gas company should have in place. These include access control, security of the communication network, restriction and checking of portable storage media, the development of threat response procedures, and awareness work among employees.
- Providing effective governance mechanisms. Implementing information security programs in the management of operational processes involves additional difficulties related to the management of human resources. Organizations should develop a program of awareness activities to overcome the misunderstanding between IT specialists and ICS specialists, and should also provide career development opportunities for those employees who wish to specialize in ICS information security.