Oil and gas companies have two alternatives for conducting business with the help of industrial controls:
1) a self-assessment or
2) a facilitated session
It is recommended that you seek out a professional assessor to answer all of your questions. In addition, most companies should contact a competent third party to assist their IT and OT teams with a self-assessment before engaging DHS representatives for GE industrial controls.
Using an outside consultant to conduct a cybersecurity evaluation of the corporate network environment may help you identify many elements. And suggest risk-reduction strategies based on your company goals.
After assessing your current state of organizational resilience, the training in industrial control will help provide you with a gap analysis. The recommendations for improvements based on recognized best practices will also be provided.
Asset Management for industrial controls
The most important action to protecting any environment is knowing what you have in it. How might you watch something that you don’t know anything about? An accurate asset inventory that consists of hardware and software should be your first goal if you don’t already have one.
Maintaining this inventory over time is critical to your cybersecurity strategy. Your automation technology will continue to develop, as will the threats against it. The initial list we’ve created will be a guide for you as you build your cybersecurity program.
Once you’ve completed the other essential industrial controls, you can use them to establish a practical security framework for those assets.
What to expect:
An engineer in charge of an oil refinery might know that their most important asset is the system that keeps the oil at a safe temperature.
A hacker gains access to an email server via a connected device on the Internet. How did the hacker get from the email server to their intended target? They must travel a route from IT to OT, utilizing insecure devices as stepping stones to gain access.
ICS operators need a precise network map that displays each device’s configuration and known security flaws. This information may assist your employees in determining whether or not there is a defense mechanism in place to obstruct the hacker’s access to your most sensitive areas.
Configuration and Change Management
As per CISA, configuration and change management (CCM) maintains the hardware, software, firmware, and documentation associated with the configuration and change management process.
The data analytics process embraces a set of procedures for monitoring, analyzing, and controlling information or technology assets or infrastructure that support an organization’s critical services. This procedure includes the introduction of new investments, asset modifications, and the removal of purchases.
Consider the metaphor of a “burning platform.” Although this is most likely the last thing anyone in the oil and gas business wants to see, it’s a helpful strategy for introducing organizational change.
-
What is a burning platform?
The term “burning platform” has its origins in the Piper Alpha catastrophe of 1988, when an explosion sparked an oil and gas fire that destroyed the Piper Alpha platform on July 6, 1988. The primary reason for the disaster was a leak in condensates due to maintenance work done on one of the high-pressure condensate pumps.
When one of the gas condensate pump pressure safety valves remove for maintenance, the condensate pipe remains temporarily closed with a blind flange as the job is not complete during the day shift.
A night crew turns on an alternate pump after being unaware of any repairs being done to one of the pumps. The collapse of the blind flange and surrounding firewalls could not withstand the pressure, resulting in multiple explosions.
The inferno grew worse due to a fault in closing gas flow from the Tartan platform. As a result, the automatic fire-fighting system switched off as divers worked underwater just before the disaster.
Incident Management for industrial controls
Incident Management is reducing the negative consequences of incidents by restoring regular service operations as soon as possible. Any condition that can cause a breach or service loss must be considered immediately.
-
How to establish command & control?
Establishing command and control is an essential element of any incident management system. Put another way, it transfers the management of the response from a first-response mode to one where the scope of the problem is understandable. Appropriate reaction procedures are being use in coordination with response plans. And a set of objectives drives the episode’s result to protect people.
Responders to major events confront numerous obstacles in performing their duties effectively. For example, weather, site access, resource restrictions, poor coordination, lack of preapprovals for response techniques, or poor communications can cause a delay in responding and efficiency.
Even though actions must be taken without fail, many governments and businesses are slow to react when an emergency strikes. As a result, ongoing troubles with no quick resolution can result in irreversible damage and potential negative impacts on people, the environment, and property.
Vulnerabilities Management
Well-known vulnerabilities cause the majority of breaches. However, you can prevent most violations by using an enterprise solution that combines vulnerability management with service desk and asset management solutions.
It offers complete network visibility, on-premises and in the cloud, using up-to-date, accurate, and nonintrusive discovery signatures.
The application-centric vulnerability scanning and assessment technique looks for distinct flaws based on operating systems, applications, and services to ensure that only necessary signatures are executed to avoid unfavorable app interactions.
On the other hand, GE industrial controls incorporate risk assessment on a limitless, time-based scale. It helps make it easy to see where your most significant risks are located so you can focus on them and reduce them.
Managing the Convergence of IT and OT
Operational Technology (OT) is an “air-gapped” environment. Which means there was no link to any external Information Technology (IT) networks or digital devices.
In recent years, however, traditional OT has evolved alongside the rise of the Fourth Industrial Revolution. This is also know as “Industry 4.0.” Companies are implementing new digital technologies in their networks to stay ahead of the competition. These technologies
- boost automation
- provide “smart” devices
- make data more efficient and accessible, and
- link networks for convenience.
-
What are the issues?
The problem is, however, that these changes are coming too fast in terms of velocity, breadth, and impact. The pace at which contemporary discoveries are made is faster than any society has ever seen.
Compared to prior industrial revolutions, the Fourth is evolving at an exponential rather than a linear rate. It is also disrupting almost every sector in every nation it touches. The scale and complexity of these transformations necessitate the complete overhaul of the entire:
- manufacturing,
- management, and
- governance systems
The air gap lying between OT and IT widens. With this, OT components become more available, allowing staff to gather and analyze data about them. The shift is popular as “IT-OT Convergence.” This connecting operational and information technology opens a wide range of possibilities. But it also introduces many cybersecurity risks to an air-gapped network.
-
How industrial controls team tackle the issues?
The ways that IT and OT teams work face different risks and goals are all distinct. However, as digital systems continue to link to industrial controls systems, this oil and gas sector will see greater efficiency and productivity while exposing itself to cyber dangers.
According to industry experts, IT/OT is expected to converge increasingly. Therefore, OT administrators must know their IT environment as well as possible because it will make life easier for themselves and the OT staff.
The way to deal with organizational changes in response to IT/OT convergence is known as “IT/OT alignment.”
