Oil & Gas Industry Towards Global Security. A Holistic Security Risk Management Approach. www.thalesgroup.com/security-services




This white paper discusses current security issues in the oil and gas industry and suggests a holistic security risk management approach to manage security risks to an acceptable level whilst optimizing financial investment.

Threats In The Oil And Gas Field

Safe and reliable energy is a vital link in the nation's critical infrastructure. Oil and gas products play an important role in the national economy and national security and are integral to the way of life. As such, security has always been and continues to be a priority across the oil and gas industry. Reports from many international government agencies confirm that various terrorist groups target the oil and gas industry. The petroleum industry is in all probability generally subject to these threats due to several factors:

- The physical and chemical properties of the materials processed, stored and handled at these facilities may create attractive targets for an adversary seeking to cause a malicious release with the intent to harm a neighboring population.
- The critical importance of the products produced by companies, to domestic and international infrastructures and to other businesses and individuals, may make disruption of petroleum industry operations an attractive option.

The risks from terrorist attacks to the energy supply vary by segment of the industry, which is broadly defined as exploration and production, refining, pipeline transportation (liquids), marine transportation, products distribution and marketing. Nowadays, with the emergence of new kinds of conflict, asymmetric threats using unconventional warfare tactics are the primary threats to critical infrastructures. This is especially true for the oil and gas industry, now involved in asymmetric conflicts.

Oil and gas private security forces are now facing new unconventional opponents such as terrorists (international and national), activists, pressure groups, single-issue zealots, disgruntled employees, or criminals, whether white collar, cyber hackers, organized or opportunists. These threats may come from insider activity, external action, or insiders colluding with external adversaries. These opponents use different attacks including car suicide bombing, mortar rain, rocket-propelled grenades, improvised explosive devices (IED), ambushes, hostage taking, hijacking, kidnapping, computer hacking, information warfare, and so on. The attacks can be complex and coordinated and can exploit a combination of physical, logical (information technology), environmental, organizational and human weaknesses.

Oil And Gas Critical Infrastructures

The potential threats are directed against the whole oil and gas infrastructure but could target its critical and strategic assets such as:

- Oil and gas specific segments: reservoirs, wells, offshore production facilities, pipeline systems, mass storage facilities and oil refineries.
- Buildings: administration offices, corporate offices, command and control rooms.
- Equipment: process units and associated control systems, product storage tanks, surge vessels, boilers, turbines, process heaters, sewer systems.
- Support systems: utilities such as natural gas lines, the electrical power grid and facilities (including back-up power systems), water-supply systems, wastewater treatment facilities.
- Transportation interface: railroad lines and railcars, product loading racks and vehicles, pipelines entering and leaving the facility, marine vessels and dock area, off-site storage areas.
- Cyber systems and information technology: SCADA systems, computer systems, networks, devices with remote maintenance ports, laptops, PDAs.

Therefore, to protect those assets, the security measures should be in line with the threat level and adapted to the security risk level.

Security Risks

To address this issue, security needs to be evaluated in order to fully analyze the major security risks: a risk is a combination of the probability of the threat and the potential impact on a critical asset. This is a complex task, and therefore a holistic security risk management methodology is required that enables all security risk levels to be identified, whilst also evaluating the existing security solutions in technology (which should cover logical, physical and environmental issues), organization and human factors. The evaluation of the security risks starts with the identification of the threats, the critical assets and the vulnerabilities. Then, for each security risk that needs to be mitigated, security objectives are defined. Security solutions are then implemented.

The potential impacts evaluated include:

- Loss of human life (killed, injured)
- Economic impact of destruction or disruption
- Business impact
- Political consequences on public confidence
- Potential for loss of energy supply to civilian areas
- Potential impacts for the environment
- Extended time needed to repair
- Potential for interdependency effects

Security Risk Management

The objective is to define a security program based on a collective effort that seeks to reduce the likelihood that industry personnel, their families, facilities and materials shall be subject to any kind of attack, and to prepare to respond to the consequences of such attacks should they occur. This section describes the security management process to mitigate the risks and to develop a security program.

The first step is to set up the internal organization to pilot the risk management process and to define the scope and objectives of the Security Committee and the Security Working Groups. The organization should be based on:

- Security Committee (SC): includes top management, develops the security strategy and provides guidance, direction and cooperation.
- Security Working Groups (SWG): take actions, provide inputs and feedback. They develop and recommend policy, prepare planning documents and conduct risk assessments. One of the SWGs is the Threat WG, which consists of a Counterintelligence representative, a Law Enforcement representative, an Information Operations representative and a Chemical, Biological, Radiological, Nuclear and High Yield Explosive (CBRNE) representative. Larger installations may include additional personnel as assigned by the SC.

Based on interviews, site surveys and documentation, the following areas have to be addressed:

- Threat Assessment: define alert levels, identify the threats and evaluate their probability.
- Criticality Assessment: identify critical assets and define asset criticality levels.
- Vulnerability Assessment: identify vulnerabilities and evaluate their criticality. This includes manpower and security force protection assessments.
- Risk Assessment: identify and evaluate the risks based on the conclusions of the previous assessments.

Consequently, for each risk identified, the management decides whether the risk should be controlled, ignored, insured or accepted. If the decision is to control the risk, security objectives are defined. Then the security solutions (based on technology, organization or human factors) should be provided, according to risk priority and objectives. Those solutions are categorized as prevention, detection, response and recovery. As a result, conclusions are formalized in the Security Master Plan (SMP).

Implement Solutions

Appropriate security solutions defined in the Security Master Plan should be implemented through a series of actions including:

- Prioritization of recommended security solutions.
- Planning implementation and funding of security solutions.

The quality of this security management process is maintained using the PDCA model:

- Plan: establish or update the Security Master Plan to improve security.
- Do: implement and operate the actions defined in the SMP.
- Check: monitor and review the actions and report the results to decision makers.
- Act: maintain and improve the actions.

The management of security risks includes evaluating risks, developing solutions, making decisions, implementing solutions, supervising, reviewing and improving the security level. These are essential follow-through actions of the risk management process. After identifying and implementing additional countermeasures or mitigation efforts, it is essential to recalculate the risks. A risk management scorecard is useful for this. A complete yearly risk assessment is recommended.

Best Practices In Security Management

With decades of experience in the oil and gas industry and significant depth of knowledge of security systems from its core competencies in defense and civil businesses, Thales has identified some best practices of security management:

- Risk management: integrate holistic security risk management into the corporate risk management process.
- Security organization: create a senior-level security committee, Security Working Groups, a corporate security risk manager and local security officers (IT, safety, facility, etc.).
- Coordination: develop coordination with government and stakeholders (customers, suppliers, infrastructure providers).
- Security Master Plan: define the security doctrine, the operational concept and the means to achieve an efficient level of security.
- Resilience management: as global security is impossible to achieve, resilient system designs and procedures should be adaptable to the unpredictable. Contingency plans (business continuity, emergency response and disaster plans) should be formalized, tested and updated for rapid recovery from disruptions.
- Interdependencies: evaluate contingency plans from an infrastructure interdependencies perspective and enhance coordination with other infrastructure providers (e.g. electric power, telecommunications, water, transportation).
- Human resources: background investigations for new hires and periodic updates for current employees; define a hiring policy; implement structured security requirements for critical suppliers and partners; formalize security policies and procedures; raise employee awareness and education to be proactive on security matters.
- Physical security: identify and restrict access to sensitive areas, implement access control lists and a badge program. Increase security checkpoints, manned facilities, video surveillance, badge identification, tracking of people and vehicles, escorted visitors and flyovers.
- Information system and network architecture: define the LAN/WAN network perimeter, minimize external connections, keep an up-to-date map of the network, enhance the security of mission-critical systems, write and communicate an IT security policy. Enhance traffic filtering, authentication controls, encryption and access controls; minimize or disable all unnecessary services and software; filter emails; control viruses.

The Scope of Work proposed in this white paper details the development of a security strategy which includes those best practices.

Typical Thales Scope Of Work

Thales can assist organizations in setting up a program to develop an efficient security risk management process. This program is scheduled in five steps, as described in the figure below:

Step 1: Define the scope of the Risk Management Program. Thales considers the following actions:
- Meet senior management.
- Understand the business objectives.
- Set up a Security Working Group.
- Define the scope of the System that will be concerned by the security risk management program, i.e. one or more infrastructures.
Outputs: definition of the Security Working Group; formalization of the scope of the System; formalization of the planning of the security risk management program.

Step 2: Understand the organization and the System concerned by the scope. Thales considers the following actions:
- Understand the organization.
- Understand the relations with government agencies.
- Understand the System.
- Identify constraints such as business, industry, national and international regulations.
Output: understanding of the context.

Step 3: Analyze the security risks existing in the System. Thales considers the following actions:
- Visit the System.
- Undertake the threat assessment, the criticality assessment and the vulnerability assessment.
- Do the risk assessment.
- Select risks to accept, to ignore, to control or to insure.
- Propose security objectives.
- Recommend mitigating security solutions.
Outputs: security risk analysis results report.

Step 4: Based on the decisions of the Security Committee, a strategy is decided and a Security Master Plan is formalized to define the security doctrine and the operational concept. Thales considers the following actions:
- Define a security doctrine and an operational concept.
- Formalize the Security Master Plan.
- Plan the implementation of security solutions.
- Calculate the return on security investment (ROSI).
- Propose a schedule to implement the security solutions.
Outputs: Security Risk Management Methodology document (adapted to the organization); Security Master Plan document; security doctrine and operational concept document; implementation plan report; return on security investment report.

Step 5: Design and implement the actions described in the Security Master Plan. Thales considers the following actions:
- Define a new security organization including the Security Committee and one or more Security Working Groups.
- Develop operational security procedures including crisis management, incident and antiterrorism responses.
- Design security control rooms.
- Define a training policy and develop a training program, i.e. operational and technical.
- Implement physical security, i.e. barriers, video surveillance, intrusion detection systems, access controls, etc.
- Implement information technology security, i.e. LAN and WAN network, information system architecture, server hardening, etc.
- Implement communications security, i.e. confidentiality, anti-jamming, resilience, etc.
- Implement individual protective measures including personal protection for personnel and family members.
- Develop specific software to produce a daily scorecard of the risk situation (option: with geographic information system support).
- Develop resilience solutions based on technology and organization.
- Maintain the solutions, participating in the Do-Check-Act process.
Outputs: implementation and maintenance of the security solutions.

To support this SOW, Thales has developed specific software, CASRIM (Critical Asset Security RIsk Management). CASRIM helps Thales engineers analyze the situation and produces graphical outputs of the risk analysis.

Benefits

Determining the risk is essential since management must understand the threats, what assets are most important to protect, and which of those important assets are most vulnerable. Assessing security risk provides the value of an asset in relation to the threats and the vulnerabilities associated with it. This aids management in balancing threats against vulnerabilities and the degree of risk that management is willing to accept by not correcting, or perhaps being unable to correct, a vulnerability. For any vulnerability, management shall manage risk by developing a strategy to deter incidents, employ countermeasures, mitigate the effects of an incident, and recover from an incident.

The result of using a holistic methodology of this type is that minimum appropriate investments are directed into security solutions to reduce identified risks. In addition, as there is integration between the security technology and the organization's objectives and processes, efficiencies can be gained whilst still remaining secure.

Security features that have been factored into the initial infrastructure facility design are more likely to be cost-effective, better integrated and more operationally useful than those superimposed on existing structures through add-ons or change orders. Likewise, security features which have been coordinated early in the planning and design process with the architects and other concerned regulatory bodies, as well as with end-users (employees, clients, law enforcement, public safety and regulatory agencies, and operations and maintenance personnel), are more likely to be well received and accepted, and thus more widely used and successful.

Conclusion

By implementing a holistic security risk management methodology, security solutions can be adapted to the changes in threats and security risks, and the levels of investment can be adjusted in accordance with the protection required. The oil and gas cycle, from initial field exploration through production, transport and consumer retail operations, is highly complex, with countless potential weak links that are subject to security breakdowns. The security should reflect the risk status and financial resources of the infrastructure. Smaller infrastructures have limited funding and have to plan their security projects with an eye toward simplicity and manageable cost. The methodology developed in this white paper is scalable and can cover from a single infrastructure to the entire oil and gas chain: starting with exploration, development and production, then on through pipeline transport to refineries and processing plants, to storage facilities, and then on to distribution of refined products by land or sea, finishing at the retail outlets.

Organizations from around the world are already benefiting from the use of this methodology, including military organizations, national airport authorities, energy and water companies, financial institutions and transportation companies. Thales brings together decades of experience in the oil and gas industry and significant depth of knowledge of security systems from its core competencies in defense and civil businesses. Thales is an unrivalled systems integrator of physical and IT security solutions for the oil and gas industry. If your organization would also like to reduce overall security costs, improve the efficiency of security investment and measurably reduce security risks, then please contact your local THALES representative for more information.

Philippe Bouvier
Security Consulting
Thales - Security Solutions & Services Division

Thales Security Solutions & Services Division
Security Systems
20-22 rue Grange Dame Rose, CS 80518, 78141 Vélizy Cedex - France
Tel: +33 (0)1 73 32 00 00
November 2007 - Photos: Thales, GettyImages