Moscow, March 5 – IA OilGasPlant.net. At the national information security forum “Infoforum-2020” held at the end of January, the representative of the Ministry of Energy of the Russian Federation noted in his speech that at present, in the light of the implementation of 187-ФЗ for the enterprises of the fuel and energy complex as a whole, the stage of categorizing critical information infrastructure has ended, and the stage has begun creation of systems for the protection of significant objects in accordance with the requirements of regulators – FSTEC of Russia and the FSB of Russia.
When creating these protection systems, a certain problem is that earlier at the enterprises there already existed in one form or another information security systems for industrial and business processes. Investments in these existing systems, which are largely inadequate to meet new regulatory requirements, are ineffective. In order to make optimal decisions on the creation of protection systems, it seems appropriate to take into account a number of emerging trends, which, in our opinion, will help increase the efficiency of capital investments.
At the moment, oil refining remains one of the most innovative industries in terms of the introduction of new technologies for business management and technological processes. At the same time, on the one hand, the rate of digitalization, which makes it possible to increase the efficiency of production in the oil and gas industry, is significantly ahead of the rate of implementation of information security systems, on the other hand, the statistics of identified incidents indicates an increase in threats.
I would like to note some trends affecting the safety of an oil refinery:
Centralization of process control
Historically, the technological segment of oil refineries is built on a modular basis from conditionally isolated units operating in a single technological chain. In accordance with this concept, each installation had its own maintenance personnel for instrumentation and automation, process control systems, dispatching, etc. Now, the tendency towards centralization of technological process control is clearly expressed: the creation of generalized dispatching rooms at the enterprise level, the rejection of local maintenance services. All these factors entail a blurring of the boundaries of installations, and often of the enterprise (if, for example, the installation is located outside the controlled area). In this regard, gaps in the controlled area appear, which must be closed both by physical security methods (ACS, SOT), and by the complication of already existing control methods: providing a pass to the room on request, access to automation cabinets according to the level of clearance, etc.
On the other hand, the centralization of technological process control leads to the emergence of more and more complex control objects and, accordingly, control systems. The result is economies of scale, which should be explained in more detail. Previously, at oil and gas enterprises, the automation of production processes affected individual processes, while a failure in these systems led mainly to the suspension of the process. The implementation of the protection system was regarded as an event, the costs of which were significantly higher in comparison with the possible losses. With an increase in the number of processes monitored from one point, the “cost” of failure increases, at which the implementation of protection systems becomes economically justified.
This directly affects the approaches used to ensure information security. So, at present, the most promising is the transition from the parrying of threats from the list specified by the threat model to a risk-oriented approach, in which a possible negative impact on the protected object is allowed within the framework of acceptable risks, assessed in monetary terms. At the same time, this approach implies that for each threat there is a fault tree, the dimension of which seems to be in power-law dependence on the dimension of the control object. As a result, at least, the calculation of risks in relation to a given list of threats becomes much more complicated.
Improving the efficiency and depth of refining of petroleum products
Due to the ubiquitous use of such systems as SUPS (advanced process control system), complicating the technical process in order to increase the depth of processing, it became possible to implement hard-to-detect threats aimed at causing financial losses associated with a decrease in the yield of the finished product, deterioration of its quality characteristics, disruption supplies, etc. Thus, often, the risks associated with the implementation of small-scale systems must be considered together with the risks of the entire technological process.
Growing depth of integration of manufacturing control systems and process control systems
As part of the integration of process control systems and business systems, a significant amount of information from technological units appears in conventionally external IT systems, which can disclose the activities of the enterprise and be available to third parties. At the same time, despite the already adopted legislation (the law of December 2, 2019 No. 425-FZ on the prohibition of the sale of devices without Russian software from July 1, 2020, as well as the law of December 2, 2019 No. 405-FZ, which introduces into the Administrative Code a norm on fines for those violators who have repeatedly refused to store the data of Russians on servers located in Russia), at the moment there are no developed complex solutions that could ensure information security in this area.
Development of “digital twins” of technological processes and installations
At the moment, the concept of “digital twins” of real technological objects is gaining wide popularity, which are used to simulate the physical properties of processes and units in order to optimize technological processes, increase the level of industrial safety. However, the “digital twins” themselves, due to their complexity, are subject to a new type of security threat in the form of a model inconsistency with its prototype in reality. This type of attack can lead to incorrect strategic management of technological facilities and colossal financial losses. In the next few years, the first attempts to form unified approaches to ensuring information security of “digital twins” of oil refineries should appear, but even now it is worth thinking about the risks of introducing such systems.
Using mobile devices for production control
Oil refineries are spatially distributed objects. As a result, the personnel on them actively use mobile devices. Recent trends are such that mobile devices can be used for:
- submission of applications, interaction with personnel services;
- study of documents, interaction with labor protection units;
- immediate receipt of reference information about the equipment in use;
- interaction with the Bureau of Invention and Innovation;
- control over the movement of employees in order to comply with the access regime, safety measures, etc.
This ubiquitous use of mobile technologies carries a high potential for enterprise security threats and must necessarily be regulated either by technical means of protection or by strict organizational measures.
Implementation of cloud-based APCS, as well as the emergence of “SCADA as a Service”
Automated process control systems do not stand still, and although they do not evolve as quickly as traditional IT systems, most manufacturers are ready to provide ICS infrastructure in the form of a cloud service or executed in a virtualization environment. This is a huge evolutionary step for management technologies, and although the time frame for its testing and implementation is at least five years, it is necessary to prepare for this step in order to avoid major security risks when migrating to new platforms.
But despite the obvious advances in technology, there are still many ongoing unresolved issues:
- Various aspects of security are perceived separately from each other: information, physical, functional and other types of security should be considered together in the form of integrated security. Currently, ontological models are being drawn up to streamline security areas, academic research is underway, which can subsequently be used in the framework of standardizing the regulatory framework.
- Insufficient coverage of this topic by standards and contradictions with the international regulatory framework. For example, cybersecurity specialists actively use the 62443 series of standards when building protection systems at industrial enterprises. It should be noted that this standard uses risk management at the enterprise level. At the same time, the existing regulatory framework in the Russian Federation, based on the orders of the FSTEC, at the enterprise level allows only the fulfillment of the established requirements, which was emphasized by representatives of the FSTEC of Russia at various public speeches. As a result, standard 62443 can be used to the extent that it does not contradict the orders of the regulator.
- In addition to equipment control systems, enterprises have systems for monitoring and diagnosing the state of units (for example, vibration diagnostics systems) that do not carry out a control action, but play a huge role in supporting the technological process). At the same time, there are no information security requirements for these systems.
- Lack of readiness of enterprises to detect and fend off attacks from potential attackers. Cybersecurity is not only a set of technical means of protection, but also the ability to process, store, respond and investigate processes at the expense of internal labor resources or contractors. At the moment, there is a strong staff shortage of analysts, which does not allow for a proper response to security incidents.
- Greater difficulty in responding to new, previously unseen threats. In view of this, machine learning technologies become meaningful, capable of distinguishing anomalies in the course of a technological process.
Karpenko Alexander Igorevich
Head of ACS TP
Angara Technologies Group
Dmitry I. Pravikov
Candidate of Technical Sciences,
Head of the Scientific and Educational Center
new information and analytical technologies
Russian State University of Oil and Gas (NRU) named after I.M. Gubkina