Industrial Control Systems (ICS) were originally built on proprietary technology and primarily focused on “up-time” and “safety”. Being isolated from the business environment they were independent islands of networked devices. However, ongoing advancements in business technology, brought with it new possibilities, such as the ability to access data and systems located inside of the previously isolated ICS environments. At this point many Industrial Control Systems (ICS) moved from proprietary technologies, to using the same protocols as business IT systems. This paradigm shift has led to an evolving convergence of business and process control networks, which has generated the effect of increased efficiency and visibility to field operations, but also brought with it new cyber security challenges.
Modern technologies contain well known cyber exploits and vulnerabilities which are now inherited in the ICS environment. As a result, ICS environments find themselves directly in the crosshairs of cyber attackers. Effective management of these cyber security challenges and exposures in the ICS environment has emerged as an important and dynamic element in the operational safety, security, and reliability of the infrastructure in the oil & gas industry.
Many of the principles for protection and controls used in the enterprise environment should now be adapted to fit the ICS environment. However, requirements within the ICS differ significantly from the enterprise and should be considered.
This paper will provide an oil and gas industry insight into cyber security programs and countermeasures, and will explore the similarities and differences between IT and ICS protection and risk management.