Belden: oil, gas security

Oil and gas continues to be a hotbed of activity when it comes to automation and that also means security is top of mind.

When it comes to designing a network diagram for any kind of oil and gas environment, everyone involved has to identify the main assets that need protection and understand clearly what has to be secured.

“In one greenfield offshore platform, control systems engineers developed a diagram and IT came in to design security and they found the PLCs were the critical assets,” says Scott Howard, commercial engineer at Belden Inc., during his talk on 23 September on security applications in the oil and gas market at the 2014 Industrial Ethernet Infrastructure Design Seminar, Houston, TX.

They also found that PCs were threats along with networks the control engineers could not control, and that included the business system. “The first rule in security is to not trust anything you can’t control,” says Howard.

After they made their first draft of a network diagram for the platform network, Howard said they went and analyzed the system. They then created zones for the critical assets: the junction boxes, the switchgear, the subsea cabinets, the PLC cabinet and the enterprise network.

They also found they had an I/O server that was a shared asset between the enterprise and the control network, so they had to create a demilitarized zone (DMZ), which allows controlled access to the shared asset from both networks through a multiport device.

After they created the zones, which segmented the critical assets and created the DMZ, the network diagram became more understandable and more secure.

Another example Howard talked about was a refinery, which was running a parallel network.

“We did a risk assessment and looked at zones and conduits and we did a risk analysis and looked at the threats,” says Howard. “This was a very complex plant.”

According to Howard, part of a defense in depth model calls for segmentation via zones and conduits, which is part of the IEC 62443 standard. This model helps lock down a network. Under this model, a user allows only the minimum required traffic into each zone, and when a threat does get through, an alarm sounds.

A conduit is a pathway of communications that exits and enters a zone. A zone is a specialized area on the network that needs protection.
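As an added illustration of the zones-and-conduits model described above (and of the DMZ created for the shared I/O server on the platform), the following Python is example code written for this page; it is not Belden's, Howard's or Tofino's software. The zone names, address ranges, protocols and port numbers are assumptions chosen for the example. Every flow that is not explicitly permitted by a conduit is denied and flagged as an alarm, which is the "minimum required traffic, alarm on everything else" behaviour the model calls for.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed zone map. The address ranges are illustrative, not from the talk.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":        ipaddress.ip_network("10.20.0.0/24"),  # shared I/O server lives here
    "plc":        ipaddress.ip_network("10.30.0.0/24"),  # PLC cabinet zone
    "safety":     ipaddress.ip_network("10.40.0.0/24"),  # safety system in its own zone
}

# Conduits: (src_zone, dst_zone) -> set of (proto, dst_port) allowed to enter dst_zone.
# Anything not listed is denied. There is deliberately no conduit into "safety".
CONDUITS: Dict[Tuple[str, str], Set[Tuple[str, int]]] = {
    ("enterprise", "dmz"): {("tcp", 443)},  # enterprise reads reports from the I/O server
    ("dmz", "plc"):        {("tcp", 502)},  # I/O server polls the PLC over Modbus/TCP
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


def zone_of(addr: str) -> Optional[str]:
    """Map an address to the zone whose range contains it, or None if unzoned."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow' or 'alarm'."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "alarm", "address outside every defined zone"
    if src_zone == dst_zone:
        # The zone itself is the trust boundary; traffic inside it is not filtered here.
        return "allow", f"intra-zone traffic in {src_zone}"
    allowed = CONDUITS.get((src_zone, dst_zone), set())
    if (flow.proto, flow.dst_port) in allowed:
        return "allow", f"conduit {src_zone}->{dst_zone} permits {flow.proto}/{flow.dst_port}"
    return "alarm", f"no conduit {src_zone}->{dst_zone} for {flow.proto}/{flow.dst_port}"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Evaluate every flow and return (flow, verdict, reason) triples."""
    return [(f, *evaluate(f)) for f in flows]


# Constructed sample flows, e.g. as extracted from a firewall or span-port capture.
SAMPLE_FLOWS = [
    Flow("10.10.5.20", "10.20.0.10", "tcp", 443),   # business PC -> I/O server (DMZ)
    Flow("10.10.5.20", "10.30.0.5", "tcp", 502),    # business PC straight to the PLC
    Flow("10.20.0.10", "10.30.0.5", "tcp", 502),    # I/O server -> PLC (Modbus poll)
    Flow("10.30.0.5", "10.40.0.2", "tcp", 502),     # PLC zone -> safety system
    Flow("192.168.99.1", "10.30.0.5", "tcp", 502),  # address nobody accounted for
]

if __name__ == "__main__":
    for f, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict.upper():5} {f.src} -> {f.dst} {f.proto}/{f.dst_port}: {reason}")
```

The second and fourth sample flows are the two situations the talk highlights: a business system reaching a PLC directly, and control-network traffic reaching the safety system. Both raise an alarm because no conduit exists for them, without any rule having to name them specifically.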

The threats they understood for the refinery were a release of hazardous products, a process reactivity incident and a process shutdown.

They then created a chart listing, for each vulnerability, the possible threat source, the skill level required, the potential consequence, its severity, its likelihood and the resulting risk.
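As an added worked example of that chart, not part of the original article or of Howard's assessment, the Python below builds a small risk register with the same columns and ranks the entries by a severity-times-likelihood score. The 1 to 4 scales, the rating thresholds and the four vulnerabilities are constructed for the example; only the three consequence categories come from the talk.

```python
from dataclasses import dataclass
from typing import Dict, List

# Ordinal scales for the chart columns. The 1..4 values are an assumption for this example.
SEVERITY: Dict[str, int] = {"minor": 1, "moderate": 2, "major": 3, "catastrophic": 4}
LIKELIHOOD: Dict[str, int] = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}


@dataclass(frozen=True)
class RiskEntry:
    vulnerability: str
    threat_source: str
    skill_level: str   # skill the threat source needs (recorded, not scored here)
    consequence: str   # one of the three refinery outcomes named in the talk
    severity: str      # key into SEVERITY
    likelihood: str    # key into LIKELIHOOD


def risk_score(entry: RiskEntry) -> int:
    """Risk as the product of severity and likelihood on the ordinal scales."""
    return SEVERITY[entry.severity] * LIKELIHOOD[entry.likelihood]


def risk_rating(score: int) -> str:
    """Bucket a score into a rating; thresholds are an assumption for this example."""
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def rank(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Highest-risk entries first, so the treatment order follows the chart."""
    return sorted(entries, key=risk_score, reverse=True)


def chart(entries: List[RiskEntry]) -> List[dict]:
    """Render the ranked register as rows with the chart's columns plus score and rating."""
    rows = []
    for e in rank(entries):
        score = risk_score(e)
        rows.append({
            "vulnerability": e.vulnerability,
            "threat_source": e.threat_source,
            "skill_level": e.skill_level,
            "consequence": e.consequence,
            "severity": e.severity,
            "likelihood": e.likelihood,
            "score": score,
            "risk": risk_rating(score),
        })
    return rows


# Constructed entries for a hypothetical refinery; none are from the assessment in the talk.
ENTRIES = [
    RiskEntry("Business PCs can reach PLCs directly on a flat network",
              "compromised business PC", "low",
              "release of hazardous products", "catastrophic", "possible"),
    RiskEntry("Safety system shares a segment with the control system",
              "malware spreading from the control network", "low",
              "process shutdown", "major", "possible"),
    RiskEntry("Engineering workstation exposes unpatched remote access",
              "outside attacker", "high",
              "process reactivity incident", "major", "unlikely"),
    RiskEntry("Historian uses a shared operator account",
              "insider", "medium",
              "process shutdown", "moderate", "rare"),
]

if __name__ == "__main__":
    for row in chart(ENTRIES):
        print(f"{row['risk']:6} {row['score']:2}  {row['consequence']:30} {row['vulnerability']}")
```

Ranking by the product rather than by severity alone is what surfaces the less dramatic but more probable entries, which is the point of carrying both columns in the chart.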

When they looked at the process shutdown they found an interesting development.

“No one ever considered the safety system to be a security threat,” says Howard. “That ended up being a surprise. The safety system was so critical it needed its own zone separate from the control system zone.”

By building a sound zones-and-conduits model, they were able to get a segmented security program up and running for the refinery.

“We could protect the entire plant with 14 (Tofino firewalls). We could do that entire refinery for less than $200,000,” says Howard.

One of the final projects Howard discussed was a pipeline installation in Alaska. Again, they found through the security diagram that the PLC was the critical asset. “This guy has to keep working no matter what,” says Howard.

One of the other issues they had was with a business scenario. Pipeline owners buy and sell oil as it enters the pipeline and as it exits at the refinery. To ensure the proper amount of oil ends up bought and sold, operators will use a flow meter to measure the amount of oil in the pipeline.

Because the flow meter was connected to the system, it ended up being a vulnerable asset. In this case, Howard says a partner called one day to tell the operator it appeared the PLC they were using was not operating properly.

It turned out the flow meter had a connection to the network, and through it the partner was able to look at the data from the PLC.

“The next day a firewall was put in there to not allow visibility to the network,” says Howard. “The flow meter ended up being a shared resource and they put in a DMZ around that device.”

Oil and gas is no different from any other industry: it is all about knowing and understanding your network.
