Digitisation creates many opportunities for plant operators to enhance efficiency, increase flexibility and make their plants future-proof. However, people often overlook the fact that there is also a downside: threats to plant security arising from digitisation, especially as a result of rapidly growing and increasingly sophisticated cyber criminality. This article explains why the downstream sector needs to switch from a passive to an active defence mode for cybersecurity and what it must do to ensure plant security in the digital era.
Modern control infrastructures, while bringing opportunities for increased efficiency through smarter systems management, also increase security risks through their connected systems.
These concerns are well-founded, as hackers have initiated hundreds of cybersecurity incidents targeting US O&G control systems, many with real-world impacts. A 2014 cyber-attack on a German steel mill is also noteworthy, because it affected furnace controls, which are like the systems that typically interface with equipment in many downstream operations. The attack led to loss of control of a blast furnace, causing significant damage to the plant.1
The concept of safety is changing
These incidents should serve as wake-up calls to heighten cybersecurity awareness in the industry. Future focus must be on the interaction of safety and security. Work processes and organisational deficiencies are still by far the most common targets for successful cyberattacks. Following the above cyberattacks, plant operators are strongly advised to not rely solely on cybersecure components, but instead to define an integral security concept for their own systems and consistently implement it in cooperation with manufacturers.
Good safety technology is not enough
The human factor is the most frequent source of cyber risks. This includes not only targeted cyberattacks aimed at disrupting production processes or stealing industrial secrets, but also disruptions that can arise from inattention. For safety-oriented systems, the usual cybersecurity rules are even more important because the SIS represents the last line of defence against a potential catastrophe. Protection against human penetration, whether intentional or unintentional, is therefore especially important. Consequently, a comprehensive security concept includes aspects such as specific access protection, physical safeguarding, or checking the plausibility of changes. Here technology can and must form the basis for taking the pressure off people.
Loss or damage that arises from an employee action should be considered a system issue. Such loss or damage should demonstrate the necessity to fill knowledge gaps and familiarise employees with threat scenarios such as known social engineering strategies. Extensive programmes for security training and increasing employee awareness are thus an essential component of a proactive safety concept.
1. Kim Zetter, “A cyberattack has caused confirmed physical damage for the second time ever,” Wired, January 8, 2015. View in article
Author: Dr. Alexander Horch, VP R&D and Product Management, HIMA
Read the article online at: https://www.hydrocarbonengineering.com/special-reports/03122018/proactive-security-concepts-instead-of-reactive-defence-safety-and-security-in-refining-and-processing-needs-rethinking/