Industrial assets are evolving, with cyber-physical systems monitoring physical processes, creating virtual copies of the physical world and making decentralised decisions, in a blend of IT and OT worlds. This mixture of old and new technologies creates new opportunities and insights for businesses, but it also increases cybersecurity concerns. And while no business is immune to cyber-attacks, critical industries such as Oil & Gas are ever more exposed, given their high profile. The threat is real, since older OT systems may not have been designed to withstand sophisticated cyber-attacks.

Beside economic damages due to the disruption of business continuity, cyber-attacks also threaten the safety of people, property and the environment, especially when they target the operational domain: damages to critical control systems can easily escalate to major accidents. Reputational damages and are also of concern. Cybersecurity should therefore be part of the overall risk management strategy of O&G organizations.

This paper presents a holistic approach to cybersecurity tailored for the O&G industry. This approach covers aspects related to technologies, people, and processes - the "three pillars" of cybersecurity. While holistic in nature, this approach has two branches: one addressing asset owners, and one manufacturers.

For asset-owners, the process starts with risk assessment, to build a concrete risk picture of the asset, looking at people, process, technology and data. A bowtie barrier management approach is used (see also 0), prioritizing the highest risk items, since not every risk has cost-effective mitigations. Security zones are identified and Security Level Targets defined, as per [2], [3]. A GAP analysis is then performed, and mitigation actions identified (personnel training, higher Security Level for devices, network segregation, etc.). Onsite testing is finally performed (penetration tests, phishing campaigns, etc.). A continuous cycle of assessment-training-improvement-verification/validation is envisioned, with a verification scheme monitoring the effectiveness of the implemented solutions.

For manufacturers, the focus is components/systems certification, as part of a product assurance process. Specific requirements and tests are defined to achieve a desired Security Level, e.g. by following [4], qualifying the component/system for use in O&G assets.

This holistic, double-branches approach is therefore designed to cover all the aspects related to ensuring cybersecurity resilience for Oil & Gas assets is achieved, from an organizational and an operational perspective.

This content is only available via PDF.
You can access this article if you purchase or spend a download.