<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=2233467260228916&amp;ev=PageView&amp;noscript=1">

Why Asset and Plant Security is More Important Than Ever

Henrik Skandsen Henrik Skandsen has 15 years’ experience from the technology industry, and more than 10 years within information technology in oil and gas. With a MSc in Advanced Networking and a diverse background working as a consultant, advisor, project- and program manager and business- and product developer, he has built his competence within technology and trends for the exploration and production (E&P) industry. He currently holds the role of Cloud Portfolio Manager within Cegal, where his main technology verticals are focused around cyber-security, operational technology, infrastructure and cloud.
12/31/2019 |

In a time with a focus on increased productivity and reduced cost, more and more industrial and critical infrastructure are being exposed. IT and OT become increasingly interconnected, exposing critical infrastructure for new security threats and potential breaches.

Operational technology (OT) and industrial control systems (ICS) have long been isolated, disconnected, and separated from the organization’s traditional information systems, open networks, and information technology (IT). However, with the advent of Industry 4.0 and the Industrial Internet of Things (IoT), IT and OT become increasingly interconnected. With this convergence, new security threats emerge.

 

Converging IT and OT: New Security Threats

Traditionally, IT and OT have played different roles within an organization. The IT department worked on the enterprise side of the organization and covered all technologies related to information processing. The OT department represented the part of the organization that was responsible for industrial systems and operational technologies. The two departments rarely crossed paths.

Today, IT and OT are combining forces to unlock the opportunities inherent in IIoT, the idea of connecting industrial equipment to the network. Modern sensors and industrial equipment often hold important information that can be transferred from the plant floor to key stakeholders in the organization for improved insights, enhanced automation capabilities, and advanced analytics. The convergence of IT and OT is an integral part of this operation and a prerequisite for seamless information flow.

However, the increasing dependence on digital technology in OT and the convergence of IT and OT makes asset and plant security more critical than ever. The Sans 2019 State of OT/ICS Cyber security Survey reveals that slightly more than 50 percent of the surveyed respondents perceive the level of OT/ICS cyber risk to their company’s overall risk profile as either severe, critical, or high.

 

People Pose the Biggest Risk for OT Security Breaches

According to the Sans survey, the three pillars for successful IT/OT convergence strategies, people, processes, and technology, are also the most widely known security risks. The survey reveals that people present the greatest risk for compromise to an organization’s operational technology and control systems – not surprising because the human element often lies at the heart of cyber security incidents and breaches.

Typical attack vectors, the survey reports, are physical access through USB sticks or direct access to equipment, remote access either through or bypassing intended architecture, and service maintenance consulting.

 

Laying the Foundation for Plant Security with Cyber security Standards

In light of the emerging cyber security threats, E&P and industrial companies will benefit greatly from implementing optimal cyber security strategies, policies, and routines. Familiarizing oneself with cyber security standards is a good place to start. These standards aim to improve the security of IT and OT systems, industrial networks, and critical infrastructures.

The following three cyber security standards are particularly relevant for industrial environments.

 

IEC 62443

IEC 62443 is the standard for OT security and defines the necessary elements to implement cyber security systems for industrial automation and control systems. The standard aims to improve the safety, availability, integrity, and confidentiality of the components and systems used for industrial automation and control systems.

 

ISO 27000

While the IEC 62443 is concerned with OT security, the ISO 27000 family of standards focus on IT security. The series explains how to implement information security management systems and includes a set of best practices on how to improve information security within organizations. The ISO 27000 family consists of 46 different standards, with specific standards covering everything from implementation requirements for information security management systems to information protection in the cloud and the GDPR.

 

NIST Cyber Security Framework

The NIST Cyber Security Framework provides a set of standards, guidelines, and practices for organizations to better manage and reduce cyber security risks. The framework consists of three components:

  • The Core: Provides a set of desired cyber security activities and outcomes. The Core aims to guide your organization in managing and reducing their cyber security risks in a way that complements your existing cyber security and risk management processes.
  • Implementation Tiers: Provides context on how your organization views cyber security risk management. The Implementation Tiers can be helpful as a guide to consider the appropriate level of rigor for your cyber security program and as a communication tool in discussions on mission priority and budgets.
  • Profiles: Provides an overview of your unique alignment of organizational requirements and objectives, risk appetite, and resources against the Framework Core. Profiles can be used to identify and prioritize opportunities for improving your organization’s cyber security.

 

Initiatives for Improved Cyber Security

The Sans 2019 survey reveals a growing maturity in identifying potential risk and detecting and remediating actual events. The survey lists six important initiatives for increasing OT, industrial control system, and network security. The following six initiatives can be used as a guide to steer your own cyber security implementation efforts:

  • Increase the visibility into control system cyber assets and configurations.
  • Perform security assessments or control system and network audits.
  • Invest in general cyber security awareness programs for employees across IT and OT departments.
  • Invest in cyber security education and training for employees across IT and OT departments.
  • Implement anomaly and intrusion detection tools on control system networks.
  • Bridge IT and OT initiatives.

 

Connect@Plant

Secure access to critical IT systems and ICT infrastructure operations at offshore and onshore installations have become a necessity. Cegal’s security platform Connect@Plant can help.

Connect@Plant is a complete security solution to control, protect, and log all access to onshore and offshore installations and plants. It reduces the need to rely on general IT operations to approve access to critical systems through automated tools for granting and terminating access, delegating approvers, and user management. Furthermore, it gives plant managers increased control over user access and permissions.

Connect@Plant can be implemented in a range of different plant environments, including offshore rigs, power plants, and other critical industrial systems.

 

Want to talk to us? We are ready to help you.

Related articles

Cloud
10 things to consider moving your petrotechnical apps to the...
Arve Osmundsen Arve Osmundsen holds a master’s degree...
arrow
Cloud
Developing a Cloud Strategy for E&P Companies
Editorial staff Cegal want to build a stellar nextgen...
arrow
Cloud
Access to G&G Applications from Anywhere with Cetegra
Editorial staff Cegal want to build a stellar nextgen...
arrow