Cyber security of oil and gas pipelines - Perspective, predicaments, and protection - Tata Consultancy ...
Abstract

The world has over 6.2 million kilometers of pipeline constructed by operators in 124 nations¹. To put these figures in perspective, the US alone accounts for about 4 million kilometers of pipeline to transport and distribute oil, natural gas, and other hazardous products. These pipelines are literally the lifelines of nations and their inhabitants’ livelihoods, and are valuable assets that need to be protected from rising threats and attacks, both physical and cyber.

Although disruptions have many precedents, as recently as May 7, 2021, Colonial Pipeline, one of the biggest networks in the US, shut down its 5,550-mile gasoline pipeline following a cyber-attack on the company’s computer systems². This led to a temporary disruption in the delivery of gasoline and other petroleum products across much of the southeast US. Similar attacks are expected in the future as well. In fact, the Cybersecurity Research Group found that 69% of companies expected their industrial control systems (ICS) to be manipulated in the next two years³.

This paper looks into some of the cyber-security challenges faced by the oil and gas (O&G) pipeline industry and explores some of the measures organizations can take to mitigate these threats and attacks.

Challenges to the oil and gas pipeline industry

Regardless of why and how pipeline disruptions occur, they have a cascading effect across the energy sector. Across the globe, adhering to organizational risk management policies, which place the wellbeing and safety of people at the top, along with rising environmental concerns, are key concerns for O&G companies. Listed below are some key challenges faced by the industry at present.

Pipeline operations are complex, as their networks help transport multiple products, which need to be scheduled sequentially and tracked for their precise location at all times along the pipeline.
Knowing both the product and its exact location in the pipeline at all points of time is critical in order to appropriately address ownership responsibilities, including safety, contractual, commercial, and financial issues, in case of a mishap. To address these issues, pipelines are interconnected to both the suppliers’ and customers’ control systems. Such two-way interactions help control the flow across the pipeline and ensure better control of product variables for various processes to meet stringent quality and quantity requirements. However, such interconnectivity gives cyber attackers an opening to take control of variable frequency drives (VFDs) and operate them beyond critical speeds with the intent to cause serious damage to machines. Such cyber-attacks can result in pipeline ruptures leading to explosions, fires, toxic fluid release, and spills, with severe repercussions for human and environmental safety.

[1] Global Oil & Gas Pipeline Projects in 2021 & Beyond; 26 May, 2021; https://en.wikipedia.org/wiki/List_of_countries_by_total_length_of_pipelines; Accessed 29 July, 2021.
[2] What We Know About the Colonial Pipeline Shutdown; 16 May, 2021; nymag.com/intelligencer/article/what-we-know-about-the-colonial-pipeline-shutdown-updates.html; Accessed 29 July, 2021.
[3] https://www.iaasiaonline.com/cybersecurity-for-industrial-control-systems-a-new-approach/

Tata Consultancy Services

Additionally, pipeline operations are dependent on equipment and storage status, maintenance activities, and contractual and transactional data. With the advent of information technology (IT) in the last few decades, digitization and storage of static engineering data, dynamic process data, and transactional and commercial data have been a boon to the pipeline industry. Hence, the requirement of interconnectivity does not end solely with control systems. On the contrary, such advancements in tech extend to transactional IT systems such as issuance of product transfer orders, measurement corrections, and invoicing.

Inherent vulnerabilities in legacy pipeline systems

Legacy systems

Back in the 1960s, supervisory control and data acquisition (SCADA) became popular for efficiently monitoring and controlling remote equipment, at a time when data security and data encryption were not a concern. Today, SCADA has evolved to deploy systems that utilize open standards and protocols to enable functionality across wide area networks, and connections to third-party peripheral devices and applications.
While this is an added advantage, such networked SCADA systems have opened up more avenues for potential vulnerability. Any connection with the internet, either directly or indirectly, can be exploited. As the size and complexity of a SCADA system vary depending on its application, a large pipeline network provides even more opportunities for hackers to exploit potential weaknesses.

Unresolved issues with new tech

The new trend of shifting from CapEx to OpEx models for expensive equipment necessitates the deployment of operational technology (OT) systems. Although quite prevalent in business operations today, IT and OT, coupled with digital transformation, have further opened up avenues for system security vulnerabilities. Some examples include increased instances of malware actively acquiring critical control systems data, and inadequate defenses such as existing firewalls, especially against insiders who already have privileged access to such systems.
Figure 1 below depicts the interconnectivity and dependencies of a typical order-to-cash cycle for a pipeline and identifies areas of potential vulnerabilities for cyber-attacks.

[Figure 1: Interconnectivity and dependencies requirement for a pipeline]

Loopholes targeted by cyber attackers

Cyber-attacks can take place through local area networks (LAN), wide area networks (WAN), or even simple point-to-point serial links with another system or device.
Such attacks can be launched locally, by attackers with physical access to systems, or by connecting an infected media or device. In pipeline networks running on legacy systems, which are often interconnected, data is communicated from old or unsecured equipment without any security protection. In such cases, computer viruses and other cyber-attacks exploit security gaps related to removable media or arising from simple human errors. Furthermore, any employee in a pipeline organization clicking on an innocuous-looking attachment that contains malicious code could cause a problem of the magnitude seen at Colonial Pipeline.
Although industrial control systems are designed to be interoperable and resilient to ensure smooth operations, they are not easy to secure. The pipeline industry’s increasing reliance on real-time data and analytics has also introduced new risks. The use of a virtual private network (VPN) does not provide adequate protection, as this can be bypassed with physical access to network switches. Remote access requirements from vendors and suppliers also leave ample room for elevated levels of risk.

Since the 1980s, as the IT world has provided innovative solutions across industries, it has also spawned a new industry: cyber-terrorism. Cyber-attacks are on the rise and, once unleashed on critical assets, the consequences can be catastrophic.

Tackling cyber terrorism

The following are some mitigation measures that oil and gas pipeline operators can deploy to counter cyber-attacks.

• Modernize systems: Old and non-updated software invites trouble from hackers. Therefore, periodic and mandatory review of existing segmentation and controls, incorporation of network monitoring across OT networks to provide continual visibility into cross IT/OT connections, and ingress and egress monitoring are all must-dos. Devices must also implement end-to-end encryption and include embedded security in their processes.
• Deploy robust physical security at remote sites: Remote terminal units (RTUs) and other hardware should be in locked enclosures with biometric access for authorized personnel only.
• Use network identification: Identify systems on the IT side that could allow deployment of ransomware to the OT side, including shared Active Directory or insecure protocols such as Server Message Block (SMB), File Transfer Protocol (FTP), Remote Desktop Protocol (RDP), and Virtual Network Computing (VNC).
• Ensure data flows: Review and document data flows of business system applications with OT for risk assessment, to ensure business continuity and to develop disaster management and recovery plans.
• Provide backup: All critical OT systems data from SCADA servers and their databases, including PLC/RTU project files, must be backed up with an offline copy. Data necessary for operations should not reside on an IT network, so that blocking any attack on the IT network does not affect pipeline operations or safety.
• Instill work discipline: Social engineering is a proven and effective hacking tool. Hence, employees should be made aware of the consequences and adequate restrictions must be put in place. For example, no mail access in OT.
• Restrict access: Remote access requirements must be determined and implemented strictly. User-initiated access must require multi-factor authentication with the system, and biometric-controlled access drives should be mandatory.
• Post authentication: User-initiated remote access should follow a trusted path to OT, and users should reauthenticate using a local identity with an access management solution.
• Deploy central logging: Remote access communications must be mandatorily logged and monitored with detection techniques to scan for cyber-attack attempts.
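As an added illustration of the network identification, trusted path, and ingress and egress monitoring measures listed above (this is not code from the paper or from TCS), the following Python example reviews flow records for connections that cross the IT/OT boundary. The subnets, the jump-host address, and the sample flows are constructed assumptions.

```python
import ipaddress

# Assumed zone layout and approved conduit (hypothetical addresses).
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("10.50.0.0/16")
JUMP_HOSTS = {ipaddress.ip_address("10.10.99.5")}  # hypothetical hardened jump host

# Destination ports of the insecure protocols named in the list above.
RISKY_PORTS = {21: "FTP", 139: "SMB", 445: "SMB", 3389: "RDP", 5900: "VNC"}

def zone(ip):
    addr = ipaddress.ip_address(ip)
    if addr in OT_NET:
        return "OT"
    if addr in IT_NET:
        return "IT"
    return "EXT"

def review_flows(flows):
    """Return findings for flows that cross the OT boundary."""
    findings = []
    for src, dst, dport in flows:
        src_zone, dst_zone = zone(src), zone(dst)
        if src_zone == dst_zone or "OT" not in (src_zone, dst_zone):
            continue  # only OT boundary crossings are of interest
        reasons = []
        if dport in RISKY_PORTS:
            reasons.append(f"insecure protocol {RISKY_PORTS[dport]}")
        if dst_zone == "OT" and ipaddress.ip_address(src) not in JUMP_HOSTS:
            reasons.append("ingress to OT bypasses jump host")
        if src_zone == "OT" and dst_zone == "EXT":
            reasons.append("OT egress to external address")
        if reasons:
            findings.append((src, dst, dport, reasons))
    return findings

# Constructed sample flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.4.20", "10.50.1.10", 445),    # IT workstation -> SCADA server, SMB
    ("10.10.99.5", "10.50.1.10", 22),     # jump host -> SCADA server, SSH
    ("10.10.99.5", "10.50.1.11", 3389),   # jump host -> HMI, RDP
    ("10.50.1.10", "203.0.113.7", 443),   # SCADA server -> internet
    ("10.10.4.20", "10.10.4.21", 445),    # IT-internal SMB, out of scope
    ("10.50.2.3", "10.10.8.8", 1433),     # OT host -> IT database
]

if __name__ == "__main__":
    for src, dst, port, reasons in review_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port}: {'; '.join(reasons)}")
```

In practice the flow tuples would come from firewall or NetFlow exports, and the findings would be forwarded to the central log store for alerting.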
Staying ahead of cyber attacks on the path to growth

In recent years, the scale and robustness of cyber-attacks have increased rapidly, as observed by the World Economic Forum in its 2018 report: “Offensive cyber capabilities are developing more rapidly than our ability to deal with hostile incidents.”⁴

After the ransomware attack on Colonial Pipeline, the US reacted strongly with a slew of measures to prevent any such attacks in future. The Washington Post reported, “As per security directives from Transportation Security Administration, a DHS unit, pipeline companies will require to report cyber incidents to TSA and have a cyber-official with a 24/7 direct line to TSA and CISA to report an attack. They are working on publishing a robust set of mandatory rules pipeline companies for safeguarding their systems against cyberattacks and the steps in case they are hacked.”⁵

Cyber-attacks on a nation’s critical infrastructure, such as control systems, oil and gas pipelines, finance, energy resources, telecommunications, transportation, and water facilities, have the potential to literally bring a nation down to its knees. Hence, it is imperative that both the government and companies make cybersecurity their top priority to protect themselves from unforeseen cyber-attacks if they are to ensure support for growth and connectivity.

[4] World Economic Forum (2018). “The Global Risks Report 2018 13th Edition”
[5] DHS to issue first cybersecurity regulations for pipelines after Colonial hack; 25 May, 2021; www.washingtonpost.com/business/2021/05/25/colonial-hack-pipeline-dhs-cybersecurity/; Accessed 29 July, 2021.
About the authors

Santanu Sur

Santanu has over 35 years of experience in the oil and gas, petrochemical, and IT industries. Prior to his current role in TCS, he spent over two decades with India’s largest pipeline operator and a petrochemical company. His functional experience encompasses maintenance, marketing, operations, production and transmission of natural gas, LPG, polymers, industrial chemicals, petrochemicals and LPG. Currently he is involved in developing IT solutions as part of connected worker and domain COE. He specializes in hydrocarbon pipelines. Santanu is a chemical engineer from NIT with a master’s in business administration from FMS, Delhi. He can be contacted at s.sur@tcs.com

Nitin Veda

Nitin Veda represents TCS as a digital consultant. He is passionate about immersive experiences and is working to create a foundation for the next generation of digital models. His educational background in computer science has given him a broad base from where he approaches topics around technology. He is leading the delivery of solutions/offerings in the connected worker initiative as part of the energy and resources unit. He is a seasoned professional with over 17 years of global experience in various roles and capacities in managing technology operations. He can be contacted at nitin.veda@tcs.com
Contact

Visit the energy, resources & utilities page on www.tcs.com
Email: er.marketing@tcs.com

About Tata Consultancy Services Ltd (TCS)

Tata Consultancy Services is a purpose-led transformation partner to many of the world’s largest businesses. For more than 50 years, it has been collaborating with clients and communities to build a greater future through innovation and collective knowledge. TCS offers an integrated portfolio of cognitive powered business, technology, and engineering services and solutions. The company’s 500,000 consultants in 46 countries help empower individuals, enterprises, and societies to build on belief. Visit www.tcs.com and follow TCS news @TCS.

All content / information present here is the exclusive property of Tata Consultancy Services Limited (TCS). The content / information contained here is correct at the time of publishing. No material from here may be copied, modified, reproduced, republished, uploaded, transmitted, posted or distributed in any form without prior written permission from TCS. Unauthorized use of the content / information appearing here may violate copyright, trademark and other applicable laws, and could result in criminal or civil penalties.

Copyright © 2021 Tata Consultancy Services Limited