Cybersecurity: a life cycle, not a destination

Traditional cybersecurity focuses on protecting the confidentiality and integrity of data and information systems, while industrial cybersecurity addresses the need for protection of critical process control and safety systems, such as those used in the oil and gas industry. The availability and integrity of systems that perform safety controls, alarms, and interlocks (SCAI), must have security at the core of their design and operating environments.

As operational technology (OT) and information technology (IT) systems converge, process control systems may be exposed to cyberthreats. A successful cyberattack on these systems could disrupt the normal functioning of critical processes, leading to equipment failure, environmental damage and the endangering of human lives.

Challenges

Many industrial facilities rely on legacy systems that were not originally designed with cybersecurity in mind. These ageing systems often lack any security features, which make them more vulnerable to cyberattacks.

The integration of OT and IT networks enables data exchange and real-time monitoring, but also creates potential entry points for malicious actors. This connectivity between OT and IT networks requires carefully considered security measures to prevent unauthorised access and protect critical assets. Malicious actors have knowledge of the inherent vulnerabilities in these systems and have access to increasingly sophisticated tools which can exploit those weaknesses. Newly discovered vulnerabilities and evolving technology make it difficult for asset owners to maintain security through patches or introduction of cybersecurity measures. Adversaries can now use artificial intelligence (AI) as a development tool to quickly exploit systems. A layered approach to security is required to deal with these risks.

Safety system security

The primary goal of cybersecurity, in the context of process safety, is to protect the availability of safety systems as a critical layer of protection against catastrophic events.

The most secure approach is to preserve the independence of basic process control systems and safety systems. Maintaining separate controllers, networks and engineering stations results in an environment that is far more difficult to compromise than an environment where a common network with a single engineering station for combined system engineering and maintenance is utilised.

Typically, the justification for combining the networks and engineering stations in a basic process control system and safety system design is to increase convenience and capital savings. Regarding convenience, proper engineering and configuration of the safety instrumented system (SIS) should eliminate frequent interaction with the code of the protection system. Nothing about the separated systems approach limits the ability to perform normal maintenance and/or provide appropriate proof test capabilities.

This article was originally published in the September 2023 issue of Hydrocarbon Engineering magazine. To read the full article, sign in or register for a free subscription.

Written by Tim Gale, 1898 & Co., USA.

Read the article online at: https://www.hydrocarbonengineering.com/special-reports/06092023/cybersecurity-a-life-cycle-not-a-destination/