IT and Cyber Security in Transmission and Distribution of Oil & Natural Gas

Natural Gas is the foundation fuel for a clean and secure energy future, providing benefits for the economy, our environment and our energy security. Alongside the economic and environmental opportunity natural gas offers our country, there comes great responsibility to protect its distribution pipeline systems from cyber-attacks.

Technological advances over the last 20 years have made natural gas utilities more cost-effective, safer, and better able to serve our customers via web-based programs and tools. Unfortunately, the opportunity cost of a more connected, more efficient industry is that we have become an attractive target for increasingly sophisticated cyber terrorists.

We are meeting the threats daily through our skilled personnel, robust cyber-security system protections, an industry commitment to security, and a successful ongoing cyber-security partnership with government and with up-stream and down-stream stakeholders.

Our natural gas delivery system is the safest, most reliable energy delivery system in the world. This said, all industry operators recognize there are inherent cyber vulnerabilities with employing web-based applications for industrial control and business operating systems. Because of this, gas utilities adhere to myriad cyber-security standards and participate in an array of government and industry cyber-security initiatives. However, the most important cyber-security mechanism is the existing cyber-security partnership between the central government and industry operators. This partnership fosters the exchange of vital cyber-security information which helps stakeholders adapt quickly to dynamic cyber-security risks.

Risk Factors for Pipeline Operators

Designing, operating, and maintaining a pipeline facility to meet essential availability, reliability, safety, and security needs as well as process control requirements requires careful evaluation and analysis of all the risk factors. Attacks on a cyber- system may involve only the cyber components and their operation, but those impacts can extend into the physical, business, human, and environmental systems to which they are connected.

Operating and maintaining a gas pipeline involves numerous safety concerns. Cyber security assessment is one of the solutions that helps to maintain safety parameters - especially when handling such explosive and flammable goods such as natural gas.

Securing Supervisory Control Systems

Today’s oil and natural gas transmission and distribution systems depend on computer technology and supervisory control and data acquisition (SCADA) systems to operate safely and efficiently. In India, there are nearly 17000 KMs of oil and natural gas transmission pipelines and by 2017 this will increase to 30,000 KMs.

The need to provide effective cyber security is similar to challenges faced by bulk electric system and local power distribution providers, except that natural gas systems transport molecules, not electrons, and are equipped with safety devices, which are, in most cases, manually operable as regulator’s requirement and global practice. But all of these groups depend on communications infrastructures, computer technologies, and people to safely and efficiently transport the energy product to the end user.

Many utilities have employed a series of measures to protect the critical computer systems and networks that control the flow of energy over geographically dispersed facilities. These measures include the use of technical and administrative controls.

Technical controls often used include, but are not limited to:

·    Firewalls to separate control systems from general corporate networks and the internet

·    Network intrusion-detection systems to alert operators of potential security events

·  Event-logging systems to capture and maintain information regarding the operational status of control networks

Administrative controls often used include, but are not limited to:

·    Overall cyber-security policy and procedures

·    Change-management and change-control practices

·    Disaster-recovery and business-continuity planning and exercises

One of the major challenges associated with providing cyber-security protection for energy system SCADA and process-control components is addressing legacy equipment.

Corporate computer equipment, such as desktop computers, is generally replaced every three to five years. In contrast, natural gas SCADA components are often designed and priced to operate for a decade or more. Legacy systems may not be able to be patched or be able to effectively communicate with systems that use current encryption techniques.

Addressing the Vulnerabilities:

The Operations, Safety, Security, and IT decision-makers of Key Infrastructures, especially oil & gas, power generation and transmission and nuclear energy are well advised to pay attention to following aspects -

Ø       More and more reliability on Local Area Network (LAN), Wide Area Network (WAN) and Broadband Global Area Network (BGAN) brings increased threats to operations of organizations using them.

Ø        The networks are susceptible to attacks aimed to disrupt and destroy them. Such an attack by viruses, worms or other forms of cyber-terrorism on oil and gas industry process control networks and related systems could destabilize energy industry supply capabilities and negatively impact the national economy.

Ø         Need to keep control systems safe and secure, and to help minimize the chance that a cyber-attack could severely damage or cripple infrastructures. We need to identify ways to reduce cyber vulnerabilities in process control and SCADA (Supervisory Control and Data Acquisition) Systems: to identify new types of security sensors for process control networks.

Ø     Another challenge with protecting energy systems is that, to enhance operational efficiencies, many of the energy SCADA and process-control systems have become connected to corporate business systems.

Ø          Some of these connections have created a pathway for malicious computer programs or unauthorized users to potentially disrupt the transmission or distribution of natural gas, electricity or water.

Ø        There is real threat to SCADA from mischief mongers prowling in the web-world and the tech-savvy terrorist and Stuxnet is the most lethal combination! It is a Windows-specific computer worm first discovered in June 2010 by VirusBlokAda, a security firm based in Belarus. 

Ø         It is the first discovered worm that spies on and reprograms industrial systems, the first to include a PLC Rootkit, and the first to target critical industrial infrastructure. It was specifically written to attack SCADA systems used to control and monitor industrial processes.

Ø    Stuxnet includes the capability to reprogram the Programmable Logic Controllers (PLCs) and hide its changes.

Robust, Secure, Global Communication Solutions

This capability calls for seamlessly connecting all oil & gas installations of an organization and on more higher level, of the Nation by providing highly available, robust, secure, integrated communication networks for critical operational systems. 

A number of communication solutions are available which provide robust connectivity and communication helpful for protection of assets and personnel in environments where a high standard of inherent safety is a mandatory requirement. There are resilient telecommunications networks such as Broadband Global Area Network (BGAN), which allow for simultaneous voice & communication data communications and secure access to applications from almost anywhere in the world.

Taking The Risk out of Gas Operations – What to Consider

IT threats are mainly addressed by IT solutions. There are IT Solutions provide very effective predictions, diagnosis and prognosis. In many instances, they help assessing and remediating the cyber security vulnerabilities of their gas distribution pipelines and equipment. Their solutions for oil and gas pipelines promote safety, environmental responsibility, and efficient operations.

The cyber security vulnerability assessment is designed to examine the three core facets of an organization’s cyber security:

• ·   People: What is the cyber security awareness level in the organization? Are staff members following security policies and procedures? Have they been adequately trained to implement the security program?
• ·  Process: What are the cyber security policies and procedures in place in the organization? Do these policies and procedures meet key requirements?
• ·      Technology: What cyber security technologies are in use in the organization? How are these technologies configured and deployed?

Prognosis:

While above are the main strategies for securing the transmission and distribution of natural gas, constant improvement and improvisation is needed to be carried out to make security measures reliable as well as  cost effective, as in present phase of economic melt-down no organization will take decision without working out the ROI (Return on investment).

EU has set up a task force to explore what its 25 member states are doing to combat cyber-threats against critical infrastructure. As part of the EU’s Critical Information Infrastructure Research Coordination, CI2RCO project, task force aims to identify research groups and programs focused on IT security in critical infrastructures, such as telecommunications networks and power grids.

The scope of the cooperation goes beyond the EU; the task force also wants to include USA, Canada, Australia and Russia. India with its strong IT workforce, known world-over for its prowess must join such cooperative and collaborative efforts!

Off-shore Security Co-ordination Committee (OSCC) needs to be institutionalized. With the initiative of ONGC, it exists in many states where essentially ONGC operates. All other ONG PSUs having presence in the state are invited to be members. This forum discusses and seeks to address the security threat faced by the sector with the help and co-ordination of state administration and police. Haryana, where there is no presence of ONGC, similar initiative by other ONG PSUs made similar OSCC operational. Now is the time that its umbrella is spread to cover private sector operators and make it a true PPP model!

Similarly on the lines of Homeland Security Department in USA, the lead needs to be taken by the IB and Indian Computer Emergency Response Team (CERT In) to address cyber-vulnerabilities, the solutions and update preparedness so that security and integrity of the natural gas transmission and distribution is effectively addressed.

Dedicated manpower ready to face the disaster would always be central consideration for any security and disaster response plan. To keep them constantly motivated and updated is also another prime responsibility of the Management as otherwise even the best plans are doomed to fail. Only those will succeed in this sector who foresee and fore-plan and rehearse thereafter their security and emergency response plans!

                                                                                 ***