Cybersecurity

OTC: Risk-Based Cybersecurity Critical for Offshore Automation

A cybersecurity director outlines the steps needed to adopt a risk-based cybersecurity program. He cautions that in many cases, process control systems’ confidentiality is mistakenly viewed as a lower priority than IT systems’.

ogf-2017-05-otccybersecurity-hero.jpg
Getty Images

Automation is playing an increasingly vital role in oil and gas operations, including offshore assets. Operating companies can use automated systems to augment and replace human effort in dangerous locations, increasing on-site safety. However, an expert said that automated systems bring additional vulnerabilities with potential safety impacts, thus requiring an updated risk-handling approach that allows companies to better understand these risks.

At a presentation at the 2017 Offshore Technology Conference, John Jorgensen discussed the merits of risk-based security. Jorgensen is director of cybersecurity and software at the American Bureau of Shipping.

A risk-based approach is one where companies make a conscious effort to understand the variables that could affect assets, people, and outcomes. It involves a risk assessment that provides the basis for the prioritized application of cyber protective applications and measures.

When performing a risk assessment, Jorgensen said companies should determine which functions of an asset are mission-critical (essential to the operational performance of the asset), business-critical (essential to the financial performance), and safety-critical. This requires an understanding of the collective requirements that link systems together into the process flows that provide input and output.

Managing assets in a risk-based security system requires a catalogue that examines the cyber complexity and business attributes of each asset along with relevant cybersecurity documentation. Jorgensen said some of the biggest vulnerabilities can be found in the interfaces between one system and another.

“We have to look very carefully to understand where those interfaces are so that we know what happens between the two,” he said. “Performance monitoring that we put on individual systems is valuable, but that only tells us so much. We learn much more when we look at the interfaces between systems and then monitor the traffic that goes between and among systems as they operate.”

Risk-based security often involves the installation of automated systems that can interface with safety-critical manual systems. Jorgensen said these converged systems present new challenges for companies to consider beyond the basic priorities—confidentiality, integrity, and availability—associated with information technology (IT). He said that, in many cases, process control systems have confidentiality as a lower priority than an IT system.

“When we start talking about operational systems and control systems, we have a different ordering that we have to be concerned about. We have to understand and maintain positive control of these production systems at all times. We have to know exactly what they’re doing and what the stake is,” he said.

Jorgensen outlined three components to risk-based security: people, processes, and procedures. He said that strong security systems require smart decision making from a company’s leadership that stems from the knowledge of how to use technology to optimize the processes that enable production. Building a security infrastructure may be difficult in this regard, because companies with steady production outputs may prefer to maintain a stable, somewhat static, technology base in order to avoid the disruption that sometimes comes with significant hardware and software upgrades. Jorgensen said a static technology base is more vulnerable to attack.  

“We have to secure the organization because the bad guys learn and improve our procedures faster than we can,” he said. “That’s because they don’t have to worry about things like change management. They don’t have to be concerned about configuration control. They have a faster turnaround cycle because, while we have the capability to learn, we have to maintain production while we’re doing it.”

Jorgensen said that the proper management of operated systems requires a different level of thinking, as companies must continually prioritize risk conditions in their security architectures. He suggested the formation of an industrial controls office designed to run automated systems and control systems, as well as manage the trusted processes for performing the software upgrades and other system upgrades necessary for maintaining a safe operation.

Jorgensen warned that a risk-based approach is not a guaranteed fail-safe against security breaches. It does, however, help companies handle the growing role of automated systems in their operations.

“There will, inevitably be something that gets past you and that’s where, when we do our risk assessments, we give our probabilities,” he said. “We can tolerate this once every 10,000 years. We can tolerate this once every 100 years. The difference between the two is that the one every 10,000 years takes a lower priority than the one every 100 years for where we put resources, but we still have to understand that things can break, things can go wrong.”