Safety instrumented systems (SIS), utilised throughout the oil and gas industry and within other critical environments, are considered to be a plant’s last layer of protection by providing the assurance that processes are being maintained within safe operating limits. The SIS market is growing at a rapid pace and is expected to be worth US$3.76 billion by 2020. However, the increasing use of standard networking technologies by these systems is resulting in the possibility of SIS becoming prone to many of the cyber risks and vulnerabilities that are associated with connected systems. The numerous cyber security challenges linked to these systems must be overcome to prevent severe incidents at plants that could impact human life, assets, production, the environment and asset owner reputation.
Industrial environments are growing in complexity
The industrial landscape is evolving and, according to new research, increasing Industrial Internet of Things (IIoT) and Big Data adoption within industrial settings is anticipated to lead to substantial growth in the number of interconnected industrial control devices during the next five years. With the vast majority of industrial components now communicating with one another via networks that must be carefully controlled, SIS have a crucial role to play in ensuring that a fail-safe state is achieved in critical conditions (trips) by safeguarding the process against hazards including gas leakages and oil fires. The Piper Alpha explosion in 1998, which resulted in a high number of fatalities, was an influential event in terms of the deployment of SIS within oil and gas environments.
Today’s safety-related automation and control systems must provide safety throughout the plant lifecycle, however the majority of safety-related systems are now interconnected with Ethernet-based business networks and rely on commercial off the shelf technologies that have common vulnerability surfaces. Security is generally provided via firewalls and network segmentation within the system design, however many SIS are integrated with Basic Process Control Systems (BPCS) including controllers, process sensing and input/output from the BPCS local-area network. This can make SIS prime targets for attackers seeking to disrupt process production and cause significant collateral damage.
The once-isolated SIS now faces multiple potential cyber threat paths. As a result, organisations should fully consider the risks and implications before deciding to share the same networks and equipment for SIS and BPCS. Any analysis must consider the numerous security risks that are associated with safety engineering workstation, controllers and communication protocol vulnerabilities.
Continuous security assessment is vital
Some vendors and consultants are leaving it to the end-user to decide whether to interconnect or isolate the SIS from the BPCS. Regardless, the oil and gas industry must, as standard, ensure that continuous security assessments are undertaken and that control systems staff are provided with the security training necessary to effectively protect critical environments against attack.
With cyber security incidents continuing to target industrial control systems, investing in cyber security measures should not be seen as a burden, but rather as an enabler that can save lives, increase productivity and protect organisations and the industry from significant reputational damage.
There have already been numerous cases where control systems have been affected, both intentionally and unintentionally, by cyber conditions such as last year’s BlackEnergy malware campaign. As heightened levels of interconnectivity, driven by business requirements, leave the oil and gas industry increasingly exposed to cyber attacks, it has never been more important to ensure that appropriate measures are taken to safeguard SIS against threats that could lead to equipment damage and fatalities in order to maintain the last layer of defence.
Written by Jalal Bouhdada, Founder and Principal Industrial Control Systems Security Consultant at Applied Risk. Edited by Callum O'Reilly