Cybersecurity A Growing Safety Issue for Oil, Gas Industrial Plants



Cybersecurity A Growing Safety Issue for Oil, Gas Industrial Plants
Cybersecurity is increasingly being thought of as a safety issue for oil and gas industry industrial plants, Honeywell officials tell Rigzone.

The oil and gas industry is increasingly thinking about cybersecurity as a safety issue for industrial plants, officials with Honeywell told Rigzone on the sidelines of the IHS CERAWeek Conference this week in Houston.

Just a few years ago, cybersecurity was viewed as an expense and an intangible problem; that thinking is changing. Growing interest by the hacker community in industrial control systems has made them a target for cyberthreats.

"What you're seeing in the public corporate sector is a rising number of and severity of attacks; we're seeing the same type of things in the industrial environment," said Jeff Zindel, global business leader Cyber Security at Honeywell Process Solutions (HPS), in an interview with Rigzone. Last year was a noisy year for cyberattacks against industry, with cyber-risks for a host of industries, including oil and gas, expected to keep growing.

The market for cybersecurity solutions for the industrial environment is nascent, but people are becoming more aware of the issues they face here and are starting to act. The lack of visibility into cyber-risks makes it difficult for oil and gas companies to answer the question of what risks they face and how to address them. Companies may do an annual site assessment on an annual basis, which provides a level of understanding on insight on a point basis.

“Security risks are evolving and changing by the minute, which makes the question of the cybersecurity threats a company faces difficult to answer,” said Zindel.

Greater automation and use of digital technologies in industrial sites such as production sites and refineries means that oil and gas companies face greater risk of cyberattacks. According to the findings of a study conducted by Ipsos Public Affairs in September 2014 for Honeywell, three-quarters of 5,000 adults in 10 countries feared that cyber criminals could hack into and control major sectors and elements of the economy. Two-thirds of those surveyed thought that the oil and gas, chemicals and power industries were particularly vulnerable to cyberattacks.

To give oil and gas companies more visibility into their cybersecurity posture and how to address risks, Honeywell released a new cybersecurity tool April 21 for industrial facilities in the upstream, midstream and downstream oil and gas industries, the Honeywell Industrial Cyber Security Risk Manager. Zindel said the Honeywell Industrial Cyber Security Risk Manager is aimed at helping customers proactively identify, monitor, measure and provide understanding about cyber-risks for industrial plants and environments.

The company applies Big Data capture and analytics and approaches with the company’s great depth of understanding for process control and technology, as well as industrial process control, Zindel told Rigzone. Unlike cyber IT solutions, which work in the corporate environment, Honeywell works in plants to provide protection, defenses, cybersecurity technology solutions and training, processes, policies and procedures needed for robust cybersecurity program.

Honeywell’s software program tracks and captures on a real-time basis data from across process control networks/systems looking at status and events. It then takes all of these data points and rolls them through hundreds of proprietary algorithms, to put massive amounts of data into simple, useable, easy-to-understand key performance indicators. Rolling all of the data points and risk indicators into one system and showing the level of risk by zone and the type of threat, said Zindel.

The technology available for industry cybersecurity is fantastic, but assumes the user has dedicated their life and career to cybersecurity alone, Eric Knapp, director of cyber security technology and solutions at HPS, told Rigzone. Typically, cybersecurity is one responsibility being added to a long list of responsibilities. Very few people in the world have industrial control expertise, cybersecurity expertise, and no other job responsibility other than security. Keeping track of cybersecurity threats is difficult, even for industries such as banks and health care organizations that have dedicated cybersecurity staff. Honeywell seeks to provide this insight for people who are not experts in cybersecurity.

Risk Manager monitors plant assets within and across all security zones of a plant, including third-party systems. Risk Manager’s interface allows users to protect against vulnerabilities and threats such as insecure network and system configurations, rogue devices, intrusion attempts, malware and other threats.



WHAT DO YOU THINK?


Generated by readers, the comments included herein do not reflect the views and opinions of Rigzone. All comments are subject to editorial review. Off-topic, inappropriate or insulting comments will be removed.

Byron Angel  |  April 27, 2015
Interesting. Bolting the gate after the horses have run out...typical. The state of IT services provided for operations by the oil majors is a joke. Friends make sure their pals have access to anything they want, while restricting others to the point of hindering their ability to perform their job. Time the industry took a close look at the new breed of cronyism rampant in its field and office environments, let alone any worry of outside attacks.
Cris DeWitt  |  April 27, 2015
Excellent article! Im glad you and other authors are highlighting the need for cyber security management in the oilfield, and in particular, rigs. I took a look at the Demo of the Honeywell software on their website - most of the screenshots included IT security elements - windows systems that needed patching, antivirus scan results, border security metrics - all important, but not really the Big Data approach to the control systems I was hoping for. Control systems are mostly custom, and therefore generic software is hard to build that provides sufficient awareness of the cyber health of the network. Its great that Honeywell is attacking that issue. For rigs, and specifically complex rigs (ultra deepwater), we need to start with architectures that are protective in design, but resilient in nature. From my experience, the control systems rely on isolation as the best defense, but more and more, holes are poked in the network to allow for increased monitoring. Software Management of Change doesnt happen consistently so changes made today may not cause problems tomorrow - a ticking time-bomb from my perspective. Some standards are relevant (NIST 800-53, 82, IEC 62443. . .) to measure against. I would hope an automated tool will be brought forth that can perform real-time regression testing of the software, and monitoring of the control network from a control protocol and configuration perspective (as opposed to adapting an IT model). Hats off to Honeywell for making their tool Risk Based though.