Countering cyber threats to gas networks

Contact us:

Petter Myrvang
Information risk manager
  • The gas industry is accelerating adoption of digitalization and data analytics

  • Greater connectivity can change and increase cyber vulnerabilities of some gas networks

  • Managing cyber threats to operational technology requires domain knowledge beyond general IT security

  • A DNV GL guideline helps operators tailor IEC cyber security standards to gas networks 

The spread of digital technologies in the oil and gas industry is generating exciting new opportunities to improve performance, profitability and sustainability, but brings new safety and security challenges in operations, including gas networks. 

Gas transmission system operators are looking at artificial intelligence, the Industrial Internet of Things (IIoT), machine learning and augmented reality to see how they may improve operational efficiency and safety, for example. Some are already integrating digital technologies into more sophisticated data gathering, analysis and visualization to maintain, repair and operate gas networks. 

DNV GL’s 2018 Industry Outlook survey found nearly half (43%) of more than 800 senior oil and gas professionals globally expect their organizations to increase spending on cyber security this year [1]. Digitalization (75%) and cyber security (68%) are clear investment intentions over the next five years.

Greater connectivity impacts on cyber vulnerabilities

Greater connectivity between operational technology (OT) and information technology (IT), and the rise of the IIoT, can increase and even change the vulnerabilities of oil and gas assets to cyber attack.   

Cyber security breaches can lead to lost production; raised health, safety and environmental risk; costly damages claims; breach of insurance conditions; negative reputational impacts; and loss of licence to operate.   

“The industry is guarded about the frequency and impact of such breaches, but we are certainly seeing cyber security move up the agenda for pipeline owners, operators, industry associations, and for governments and their agencies,” said Petter Myrvang, information risk manager, DNV GL - Digital Solutions. “Looked at in more detail, the risk arises as critical OT network segments that were once isolated are now being connected to IT networks.”

These segments include, among others, supervisory control and data acquisition (SCADA) systems, safety and automation systems (SAS) and control systems with programmable logic controllers (PLCs): an attractive target for hackers (Figure 1).

Managing cyber-threats to OT requires detailed domain knowledge beyond general IT security. This encompasses traditional oil and gas operational domain competence as well as automated, unmanned, integrated and remote operations, which are accessible online.  

Tailored guidance for oil and gas

Confronted by the OT/IT cyber security challenge, parties responsible for the safe and sustainable operation of oil and gas assets need to take a holistic approach. The International Electrotechnical Commission’s IEC 62443 standard covering security for industrial automation and control systems is the first stop for information on cyber security. 

DNV GL’s Recommended Practice (RP) DNVGL-RP-G108 ‘Cyber security in the oil and gas industry based on IEC 62443’ provides best practice on how to apply the IEC 62443 standard to the oil and gas industry, including pipelines. 

The globally-applicable, tailored guideline came out of a two-year joint industry project (JIP) in response to demand to address how operators, working with system integrators and vendors, can manage the emerging cyber threat. DNV GL initiated and led the JIP involving ABB, Emerson, Honeywell, Kongsberg Maritime, Lundin, Shell Norway, Siemens, Statoil (now Equinor), and Woodside Energy. The Norwegian Petroleum Safety Authority observed the work and exchanged experiences with the JIP group from a regulatory perspective.   

The RP is relevant for the whole oil and gas industry including the midstream and downstream sectors. It embraces international practices and experiences, and considers health, safety and environmental requirements, as well as the IEC 61511 standard for specification, design, installation, operation and maintenance of a safety-instrumented system. DNVGL-RP-G108 applies not only to new installations; existing and more mature assets may need to be updated to prevent and protect against cyber threats.

Figure 1: Managing cyber risk across OT and IT

The RP is intended to include all elements – people, processes, technology – to ensure cyber security is addressed in industrial automation and control systems (Figure 2). This includes the asset owner/operator, system integrator, product supplier, service provider and compliance authority. The practice explains shared responsibilities and describes who performs activities, who should be involved, and the expected inputs and outputs.

Simulating attacks to identify cyber vulnerability

Simulating a cyber attack on a pipeline system can demonstrate strengths and weaknesses within an organization and is a practical exercise to start building defences. Some companies, including DNV GL, recruit and develop ‘ethical hackers’ to perform testing and verification of OT, IT and linkages between them [2].

DNV GL’s ethical hackers combine hacking expertise with profound domain knowledge of OT. 

Figure 2: Three key targets for cyber security assessment

The ethical hacking process begins with passive and active reconnaissance of an asset or system’s cyber security. Remote metering of infrastructure scans for potential vulnerabilities, for example. If any are found, the next step is to try to gain access through ‘penetration testing’ to reveal actual vulnerabilities and help customers mitigate risk.

From the use of default system passwords and missing patching to unsecured WiFi providing a route into control systems, vulnerabilities can be simple. Ethical hackers also scan for weaknesses in customer OT and IT systems that could be used to enter and exploit the system to affect operations or access confidential information. Some of this scanning and testing can be carried out remotely. 

Ethical hacking for verification and technical qualification

Ethical hacking can also assist the verification and technical qualification of equipment and systems. Penetration testing is a relevant third-party verification step for any critical, cyber-enabled infrastructure, such as gas networks.

“Applied at the concept phase, it can then be used to validate the effectiveness of the barriers that were initially designed into the integrated system,” Myrvang said.

DNV GL’s Technical Assurance Laboratory offers tools and techniques to detect device flaws as part of a product security evaluation service currently being applied in the sector. This service includes applying ethical hacking techniques to products. 

Keeping up with standards

Cyber security is an ever-changing challenge, requiring continual updates to standards. IEC 62443 committees will likely issue a new standard for protection levels in the future, for example. Protection level is a methodology for evaluating protection of plants in operation. It includes combined evaluation of technical capabilities and related processes, and of technical and organizational measures.

The technical implementation and configuration in the industrial automation and control system, and how this system is operated, maintained, and deployed will be reflected in the protection level. DNV GL intends to update DNVGL-RP-G108 regularly to incorporate industry experience, new and updated standards, and fresh developments.

References

1. ‘Confidence and control: the outlook for the oil and gas industry in 2018’, DNV GL, dnvgl.com January 2018

2. ‘Ethical hacking: The white hats in DNV GL cyber security services’, K Ording, DNV GL, dnvgl.com

Disclaimer: 

DNV GL prides itself on providing accurate information but makes no claims or guarantees about the accuracy, completeness or adequacy of contents in this publication, and disclaims liability for any errors or omissions. The authors’ views here do not necessarily reflect DNV GL’s views.