July 18, 2016
The oil and gas industry might want to keep its operations shut off from the outside world because of ever-escalating concerns about cybersecurity, especially for such critical infrastructures. But the gains of connected assets are just too vital to ignore; optimization of enterprises is the key motivator and remote access is an important consideration. Chevron maintains that its critical systems are air gapped, but just about any discussion around cybersecurity these days includes the point that isolating your operations 100 percent is nigh impossible (you might want to check that new printer that was just installed to see if you need to disable its web connection).
The inevitability of transferring data from an industrial automation and control system (IACS) to the outside world—and the importance of keeping that data, network and core environment secure—has led the Linking Oil and Gas Industry to Improve Cybersecurity (LOGIIC) to commission a report detailing the factors that should be considered with real-time data transfer (RTDT) products.
It’s no secret that legacy control systems were not built with cybersecurity in mind. Automation vendors have been making progress over the past few years, advising clients on how best to secure their networks through strong defense-in-depth practices. More recently, some of them have even begun to talk more about making their industrial automation and control systems secure by design. There is still room for improvement, however, and plenty that oil and gas companies need to be concerned about to protect their security.
On LOGIIC’s behalf, the Automation Federation has released a public report that details the technical, security and operational factors that should be evaluated prior to the selection and implementation of commercially available RTDT products. Although the report identified some positive security steps that automation vendors have taken to improve their products, it also detailed areas that could create threat vectors and compromise the integrity of the data.
Because RTDT technologies transfer real-time data outside of IACS environments, they must meet rigorous standards to ensure the protection of those core assets, data and operational stability. The objective of LOGIIC’s Real-Time Data Transfer Project report was to highlight the vital factors that should be weighed when considering an RTDT project, and to help critical infrastructure operators understand what they should be asking their automation vendors.
Through a series of research surveys and studies, LOGIIC specifically looked at the applicability and cybersecurity capabilities of available products that collect and move data from Level 2 and 3 to Level 3.5, 4 and beyond (including data collection systems that reside in the core IACS architecture, and servers and clients that manipulate those data sets). They were particularly interested in RTDT used for health and monitoring, trending analysis, decision support and situational awareness, and data sharing with strategic partner systems, and they conducted hands-on studies of RTDT offerings in an IACS laboratory environment to test various scenarios.