Security seeks parallel existence with safety

Gregory Hale highlights the importance of both safety and following proper security protocols.

The April Pemex blast on a dehydration and pumping platform in the Gulf of Mexico showed that incidents will happen in a dangerous environment. There were at least four fatalities in the incident and three workers missing, but it could have been worse. Photos from Pemex’s Flickr page. 

Safety, physical security, cyber security: Trends in the offshore environment show a similar pattern in how each ends up applied, except that all are at different levels of application.

For safety, just look at the Pemex dehydration and pumping platform in the Gulf of Mexico that sustained an explosion and fire in early April. While investigators are still searching for the cause of the blast that killed four workers, left three missing and 45 injured, the end result could have been much worse.

Within a week after the fire, Pemex said it expected to restore 80% of production within a week or two after that, according to exploration and production director Gustavo Hernandez. Estimated production of 646,000 b/d of crude and 1.4 Bcf/d of gas in the region will not suffer from the blast and resulting fireball that hit the processing platform, he said.

One of the reasons the blast was not more severe was that workers could turn off the feeder lines. Safety planning and preparation paid off.

When it comes to safety, to contain a complex process, a manufacturer must understand the standards and design and implement management systems to:

  • Understand the risk, which involves predicting problems, including predicting the risk of possible accident/loss scenarios, and establishing the appropriate design and the right layers of protection to control risk to a tolerable level
  • Control risk factors every day, which involves controlling the original design by maintaining the established layers of protection and managing changes to the design using integrated management systems
  • Analyze actual problems and determine weaknesses in the system, which involves identifying weaknesses in design and management systems and weaknesses in risk understanding through root cause analysis of actual problems (losses and near-losses)

Cyber view

Pemex-Plataforma Abkatun A Permanente close-up.

When a user violates safety procedures on the platform, he or she clearly hears about it, but what about any breaks in security protocols?

Awareness about cyber security is growing, there is no doubt. But awareness and action are two different things. These days, it would be safe to say security is much like safety was 10-20 years ago. Security wags, however, want to accelerate that understanding to get to the same level as safety, but that only comes with training and top management understanding the threat situation and being willing to pay.

Let’s face it, the attack environment has changed and is more sophisticated than it was even two years ago. An intruder’s goal is to steal intellectual property, pilfer key data and/or disrupt production.

Security, like safety, all boils down to four key factors:

  • Prevention
  • Preparation
  • Response
  • Recover

That all works and is a good baseline, but it also goes beyond just having technology and data points.

Technology will not fix a problem unless the right processes and the right best practices are in place. Technology will help enable people to make the right decision. But the security culture has to be on a par with the safety culture to protect against a cyber attack. Even with multiple technology protective layers, users need to enforce a strong security culture that reaches every level.

“The threat is continuously evolving,” said Eric Knapp, director of technology and solutions at HPS. “Stuxnet was really the beginning and the threat has been evolving ever since.”

The Stuxnet campaign, as ISSSource reported, was conducted by the US and Israel to disable the uranium enrichment plants outside Natanz, Iran, by causing the control system to run wildly out of control, which severely damaged centrifuges.

“Targeted attacks are becoming more complex and sophisticated,” Knapp said. “Awareness needs to take place not only in technology, but also with personnel.”

“Having data is not everything, there is the people aspect also,” said Alberto Matucci, general manager, Global Products & Quality at General Electric at the Oracle Industry Connect in Washington. “If we use the same approach we used in the 80s, we will not go anywhere. Industry today is working with the same mindset of 20 years ago.”

That means agility and the ability to understand the environment and what is happening remains paramount.

“The ability to pivot and change on a dime is incredibly important,” said Mike Sicilia, senior vice president and general manager for Oracle’s Primavera global business unit at the Oracle conference.

Understanding the environment and being able to change directions quicker than a seal not wanting to be dinner for a great white shark remains vital for users. But before they can make any decisions, they need to know what they don’t know.

“You have to understand the risk appetite; understand the baseline and how (the user) can get that to match up with the risk appetite,” said Mike Spear, global operations manager for industrial cyber security lifecycle solutions and services at Honeywell Process Solutions.

The first thing is to start with standards, but that ends up being only a good starting point. Talking about security standards, Scott Aaronson, senior director of National Security Policy at the Edison Electric Institute, said at the Oracle Industry Connect, “If you require a 10ft fence, all an adversary needs to do is bring a 12ft ladder.”

Standards can only take the user so far. However, once an operator understands the cyber risk scenario, they can then develop a plan they can follow and that works across the entire enterprise. They have to understand:

  • Managing risk is a shared responsibility.
  • Security requires cross-functional cooperation.
  • Risk management is a continuous process.
  • Secure manufacturing and development practices are essential.
  • Security must be built into systems.

Physical security link

Physical security has always been linked to cyber security, which also hooks up with safety to ensure a smooth running operation on any offshore platform. All areas keep machines safe against man and man safe against machines. It is a given you can’t have any one without any of the others. A tightly knit triumvirate.

When talking about security threats as they appear to utilities, it was easy to connect the same thing to offshore platforms.

“Physical security and cyber security: It is not just about cyber anymore,” said David Batz, director of Cyber & Infrastructure Security at the Edison Electric Institute. Physical security attacks came to light two years ago when intruders attacked an electric substation and shot out 17 giant transformers that funnel power to California’s Silicon Valley.

In safety, it is clear manufacturers will invest in higher safety compliant systems.

In the end, manufacturers’ main goal is to make product and not deal with anything that throws them off track. Security remains the ever-changing fly in the ointment for engineers on the platform. It evolves and does not sit still, and you may never realize how much it really saved your organization.

“Security is a process,” Knapp said. “The more awareness you have, the more gaps you realize you have.”

Safety has proven time and time again that it works and it saves time, money and lives. So does security.

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com) and is the contributing automation editor at Offshore Engineer.
