Dan McDougall on Process Control Security - Shell UpstreamHow Shell EP is responding to Global Threats"If you aren't aware that this is a problem, go to the cybercafe and google it."Outline:--The cybersecurity Challenge--Shell and the changing business engironmentYou must link security into the business needs of the company.From Concept to Action Plan"¦concerns about cyber security raised throuh the architecture development program for Smart FieldsWe did a risk assessment to determine the magnitutde of the risk profile using the existing Shell Risk Assessment modality.Actuion plan agreed with management to mitigate the ientified exposures: "Thanks so much for raising that, now you can go deal with it.""˜Why haven't you been on top of this already? Why do we have to make all these changes?"Well, this has sort of crept up on all of us. We have (like the fire triangle) Increasing threats, Open Systems, and high connectivity as a triange.We want to have connectivity for advanced optimization, use of Office tools, etc.We have a vision of a Smart Field. an asset or group of assets that can be optimised continuously through the application of integrated capabilities: skills worksflows and technology, with a potential of a 10% icrease in O&G production and 8% higher recovery."We can increase the world's oil supply about 8% by doing this. That's what that recovery number means. We don't have to find new oil, negotiate with new governments, or any of that."How do we best measure, model and control the reservoir?Clamp on and other sophisticated measurements, Integrated Modeling, collaborative Work environments, areal surveillance, smart wells, and looking at a "production universe". We want to measure what is happening at EACH well. Production Universe is an inhouse tool that allows us to model what is happening in the wells and advise when one of the wells has changed and we can bring that information into the decision point.There isn't anything new here, really, but we needed an architecture to begin pullling all of this together"¦a Smart Field Architecture: DACA, data acquisition and control architecture.. There are two components: security and smart fields. Process Control Security Remediation:Legacy Asset at risk is surrounded by the Technology, the Processes and the people."Hey, we're okay, we have a firewall, so everything's good!" But the firewall is configured to allow any connection.Step One: Define the Exposure:
- Risk assesssment held to assess the current business exposure
- Shell's standard Risk Assessment process used
- Representatives from assetts, IT, engineering, production, and industry experts
- Risk assessment performed against a theoretical asset with typical exposures
- Translated the technical risk into the appropriate business management terminology
- Porvided familiar ground to EP leadership teams
- Enabled a balanced approach to the Shell EP response
- Integrated into the Shell aproach to Technical Integrity (Process Safety) Management
- Risk based approach to be extended to each actual asset
- Defines the actual actions and risk exposure to each individual asset manager
- Mankes the problem relevant to each individual asset owner
- Creates ownership
- Requirement to define what "security compliant" means
- Developed a Process Control Security Standard
- Ensures common understanding of the measures required
- Obtain buy in on the plan from all stakeholders
- Find an appropriate mix of central vs local resources
- Central resources ensure consistency
- Local resources ensure sustainability and applicability to the operating unit
-
- Minimise changes but be adaptable
-
- Business and security requirements will change over time.