These segments include, among others, supervisory control and data acquisition (SCADA) systems, safety and automation systems (SAS) and control systems with programmable logic controllers (PLCs): an attractive target for hackers (Figure 1 ). 

Managing cyber-threats to OT requires detailed domain knowledge beyond general IT security. This encompasses traditional oil and gas operational domain competence as well as automated, unmanned, integrated and remote operations, which are accessible online.  

Tailored guidance for oil and gas

Confronted by the OT/IT cyber security challenge, parties responsible for the safe and sustainable operation of oil and gas assets need to take a holistic approach. The International Electrotechnical Commission’s IEC 62443 standard covering security for industrial automation and control systems is the first stop for information on cyber security. 

DNV GL’s Recommended Practice (RP) DNVGL-RP-G108 ‘Cyber security in the oil and gas industry based on IEC 62443’ provides best practice on how to apply the IEC 62443 standard to the oil and gas industry, including pipelines. 

The globally-applicable, tailored guideline came out of a two-year joint industry project (JIP) in response to demand to address how operators, working with system integrators and vendors, can manage the emerging cyber threat. DNV GL initiated and led the JIP involving ABB, Emerson, Honeywell, Kongsberg Maritime, Lundin, Shell Norway, Siemens, Statoil (now Equinor), and Woodside Energy. The Norwegian Petroleum Safety Authority observed the work and exchanged experiences with the JIP group from a regulatory perspective.   

The RP is relevant for the whole oil and gas industry including the midstream and downstream sectors. It embraces international practices and experiences, and considers health, safety and environmental requirements, as well as the IEC 61511 standard for specification, design, installation, operation and maintenance of a safety-instrumented system. DNVGL-RP-G108 applies not only to new installations; existing and more mature assets may need to be updated to prevent and protect against cyber threats.

The RP is intended to include all elements – people, processes, technology – to ensure cyber security is addressed in industrial automation and control systems (Figure 2 ). This includes the asset owner/operator, system integrator, product supplier, service provider and compliance authority. The practice explains shared responsibilities and describes who performs activities, who should be involved, and the expected inputs and outputs. 

Simulating attacks to identify cyber vulnerability

Simulating a cyber attack on a pipeline system can demonstrate strengths and weaknesses within an organization and is a practical exercise to start building defences. Some companies, including DNV GL, recruit and develop ‘ethical hackers’ to perform testing and verification of OT, IT and linkages between them.² 

DNV GL’s ethical hackers combine hacking expertise with profound domain knowledge of OT. 

The ethical hacking process begins with passive and active reconnaissance of an asset or system’s cyber security. Remote metering of infrastructure scans for potential vulnerabilities, for example. If any are found, the next step is to try to gain access through ‘penetration testing’ to reveal actual vulnerabilities and help customers mitigate risk.

From the use of default system passwords and missing patching to unsecured WiFi providing a route into control systems, vulnerabilities can be simple. Ethical hackers also scan for weaknesses in customer OT and IT systems that could be used to enter and exploit the system to affect operations or access confidential information. Some of this scanning and testing can be carried out remotely. 

Ethical hacking for verification and technical qualification

Ethical hacking can also assist the verification and technical qualification of equipment and systems. Penetration testing is a relevant third-party verification step for any critical, cyber-enabled infrastructure, such as gas networks.

“Applied at the concept phase, it can then be used to validate the effectiveness of the barriers that were initially designed into the integrated system,” Myrvang said.

DNV GL’s Technical Assurance Laboratory offers tools and techniques to detect device flaws as part of a product security evaluation service currently being applied in the sector. This service includes applying ethical hacking techniques to products. 

Keeping up with standards

Cyber security is an ever-changing challenge, requiring continual updates to standards. IEC 62443 committees will likely issue a new standard for protection levels in the future, for example. Protection level is a methodology for evaluating protection of plants in operation. It includes combined evaluation of technical capabilities and related processes, and of technical and organizational measures.

The technical implementation and configuration in the industrial automation and control system, and how this system is operated, maintained, and deployed will be reflected in the protection level. DNV GL intends to update DNVGL-RP-G108 regularly to incorporate industry experience, new and updated standards, and fresh developments.

References

1. ‘Confidence and control: the outlook for the oil and gas industry in 2018’, DNV GL, dnvgl.com January 2018

2. ‘Ethical hacking: The white hats in DNV GL cyber security services’, K Ording, DNV GL, dnvgl.com

Disclaimer: 

DNV GL prides itself on providing accurate information but makes no claims or guarantees about the accuracy, completeness or adequacy of contents in this publication, and disclaims liability for any errors or omissions. The authors’ views here do not necessarily reflect DNV GL’s views.