Dan McDougall on how Shell does process security

June 13, 2007
Dan McDougall on Process Control Security - Shell Upstream
How Shell EP is responding to Global Threats

"If you aren't aware that this is a problem, go to the cybercafe and google it."

Outline:
  • The cybersecurity challenge
  • Shell and the changing business environment

You must link security into the business needs of the company.

From Concept to Action Plan... concerns about cyber security were raised through the architecture development program for Smart Fields. We did a risk assessment to determine the magnitude of the risk profile using the existing Shell Risk Assessment modality. An action plan was agreed with management to mitigate the identified exposures: "Thanks so much for raising that, now you can go deal with it."

"Why haven't you been on top of this already? Why do we have to make all these changes?" Well, this has sort of crept up on all of us. We have (like the fire triangle) increasing threats, open systems, and high connectivity as a triangle. We want to have connectivity for advanced optimization, use of Office tools, etc.

We have a vision of a Smart Field: an asset or group of assets that can be optimised continuously through the application of integrated capabilities (skills, workflows and technology), with a potential of a 10% increase in O&G production and 8% higher recovery. "We can increase the world's oil supply about 8% by doing this. That's what that recovery number means. We don't have to find new oil, negotiate with new governments, or any of that."

How do we best measure, model and control the reservoir? Clamp-on and other sophisticated measurements, integrated modeling, collaborative work environments, areal surveillance, smart wells, and looking at a "production universe". We want to measure what is happening at EACH well.
Production Universe is an in-house tool that allows us to model what is happening in the wells and advise when one of the wells has changed, and we can bring that information into the decision point.

There isn't anything new here, really, but we needed an architecture to begin pulling all of this together... a Smart Field Architecture: DACA, data acquisition and control architecture. There are two components: security and smart fields.

Process Control Security Remediation: the legacy asset at risk is surrounded by the technology, the processes and the people.

"Hey, we're okay, we have a firewall, so everything's good!" But the firewall is configured to allow any connection.

Step One: Define the Exposure:
  • Risk assessment held to assess the current business exposure
  • Shell's standard Risk Assessment process used
  • Representatives from assets, IT, engineering, production, and industry experts
  • Risk assessment performed against a theoretical asset with typical exposures
  • Translated the technical risk into the appropriate business management terminology
  • Provided familiar ground to EP leadership teams
  • Enabled a balanced approach to the Shell EP response
  • Integrated into the Shell approach to Technical Integrity (Process Safety) Management
Step Two: Agree the plan...
  • Risk based approach to be extended to each actual asset
    • Defines the actual actions and risk exposure to each individual asset manager
    • Makes the problem relevant to each individual asset owner
    • Creates ownership
  • Requirement to define what "security compliant" means
    • Developed a Process Control Security Standard
    • Ensures common understanding of the measures required
  • Obtain buy in on the plan from all stakeholders
Process Control Security Compliance: Policy (Why), Standard (What), Guideline (How).

DACA Security Standard:
  • Roles and responsibilities
  • Procedural controls
  • Physical access
  • System security
  • Technical controls
  • Assurance

What's in our documents is substantially the same as what is in SP99, and if you look at the standard committee's technical reports you'll pretty much see what you have to do.

"Hi, I'm from the Help Desk and I need your DCS password to do some troubleshooting," is probably not a question you should answer.

Confidentiality, Integrity, Availability provide the Technical Integrity, Production Continuation, and Information Integrity that you need to provide. We are talking about a different kind of integrity than the enterprise IT people are, so we have to explain what we mean, and then they get it.

"There's about an 80% overlap between what the IS guys have done and what we've done, but it is that 20% that is critical and makes or breaks your process."

Everybody has to follow the same rules everywhere from Brunei to the Gulf of Mexico to Europe, or enterprise IT security doesn't work. In process control, we have a lot more flexibility because we have that firewall between the process and the corporate environment.

We linked security to Technical Integrity. Technical integrity is managed through risk assessment/management; multiple barriers (defense in depth), with accountability at the asset level, and embedded audit and review processes. You can't guarantee that any of these barriers will work, but you need multiple failures to get to a catastrophe. The process security system is key to so many of these barriers that an intelligent adversary can take out multiple barriers if we don't pay extra care to those defenses.

Step Three: Implement the Plan...
  • Find an appropriate mix of central vs local resources
    • Central resources ensure consistency
    • Local resources ensure sustainability and applicability to the operating unit
  • Learn from experiences and update standards and guidelines
    • Minimise changes but be adaptable
  • Facilitate long term sustainability
    • Business and security requirements will change over time.
Priority Areas

Initial focus was asset risk assessments:
  • Get awareness at the asset level
  • Find the common priorities and challenges
  • Identify key development needs
  • Kick off remediation projects within the assets

Stage two focus: accelerated remediation
  • Secure SIS interconnection and processes
  • Roles and responsibilities
  • Network segregation
  • OS patching/antivirus/backup

We have to have people who are accountable and who can be contacted if there is a problem. We have to segregate the office environment from the process control environment. It is very important not to just plug the network cable into the office LAN.

It is also very important not to just keep adding these functions to resources who are already overstressed. We are talking to people like Honeywell to outsource these responsibilities to an outside provider.

Lessons Learned
  • Get management buy-in early
    • Translate to business language, using risk assessments for specifics
    • Link to Technical Integrity (Process Safety) processes
  • Highlight exposures, but don't overstate
    • Emotion and fear lead to poor business decisions
    • Companies deal with risk every day
  • Be explicit in security requirements
    • Use external standards as a guide
    • Make the scope of security requirements clear
  • Resolve differences between Engineering and IT
    • Both use similar technology but in vastly different ways...
  • Include all stakeholders in the solution
    • Engineering, IT and operations all need to be involved
    • Ensure all parties understand their responsibilities and boundaries
  • Technology is not the whole solution
    • About 20% of the scope is technology
    • Remainder is governance, people, etc.

Do it in stages. If you go for too much too fast, you'll scare off the asset managers. Above all, link security to business value.
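Two of the points above, the firewall that "is configured to allow any connection" and the stage-two priorities of network segregation and secure SIS interconnection, come down to something that can be checked mechanically. The following is an added example, not code from the talk, from Shell's DACA standard, or from any firewall vendor: a small audit over a constructed rule representation that flags a wide-open allow rule between the office and process zones, a corporate-to-process path that skips a DMZ, a safety system reachable without a tightly scoped service, and a rule set with no final default deny. The zone names, the rule format, and the ports used in the hardened set (443, 4840, 502) are assumptions chosen for illustration.

```python
"""
Audit a zone-based firewall rule set for the weaknesses discussed in the talk:
a firewall between the office (corporate) network and the process control
network that allows any connection, and an SIS reachable without scoped rules.
Rule format, zone names and ports are constructed for this example only.
"""
from dataclasses import dataclass
from typing import List

ANY = "any"

# Zones ordered from least to most trusted (constructed for the example).
TRUST = {"corporate": 0, "pcn_dmz": 1, "process": 2, "sis": 3}


@dataclass(frozen=True)
class Rule:
    src: str      # source zone
    dst: str      # destination zone
    proto: str    # "tcp", "udp" or ANY
    port: str     # port number as a string, or ANY
    action: str   # "allow" or "deny"


def audit(rules: List[Rule]) -> List[str]:
    """Return a list of findings; an empty list means no weakness was detected."""
    findings = []
    for i, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        wide_open = r.proto == ANY or r.port == ANY
        crosses_up = TRUST.get(r.src, -1) < TRUST.get(r.dst, -1)
        # The "we have a firewall, so everything's good" trap: an allow rule
        # that passes every protocol and port from a less trusted zone inward.
        if crosses_up and wide_open:
            findings.append(f"rule {i}: allows any service from {r.src} into {r.dst}")
        # Office LAN reaching the process network directly, skipping the DMZ.
        if r.src == "corporate" and r.dst in ("process", "sis"):
            findings.append(f"rule {i}: corporate reaches {r.dst} directly (no DMZ hop)")
        # SIS interconnection must be explicit: only from the process zone,
        # only over a named protocol and port.
        if r.dst == "sis" and (r.src != "process" or wide_open):
            findings.append(f"rule {i}: SIS reachable from {r.src} without a scoped service")
    # The rule set should end in an explicit default deny.
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or (last.src, last.dst) != (ANY, ANY):
        findings.append("rule set has no final default-deny rule")
    return findings


# Weak rule set: a firewall is present but passes everything in both directions.
WEAK_RULES = [
    Rule("corporate", "process", ANY, ANY, "allow"),
    Rule("process", "corporate", ANY, ANY, "allow"),
]

# Hardened rule set: the office reads only a DMZ replica, the DMZ collector
# polls the process network on one named port, the SIS accepts one scoped
# connection from the process zone, and everything else is denied.
HARDENED_RULES = [
    Rule("corporate", "pcn_dmz", "tcp", "443", "allow"),   # office to DMZ historian over HTTPS
    Rule("pcn_dmz", "process", "tcp", "4840", "allow"),    # DMZ collector to OPC UA (assumed port)
    Rule("process", "sis", "tcp", "502", "allow"),         # process zone to SIS, Modbus/TCP only (assumed)
    Rule(ANY, ANY, ANY, ANY, "deny"),                      # default deny
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name} rule set:")
        for finding in audit(rules) or ["no findings"]:
            print("  " + finding)
```

Running the script reports three findings for the weak set (any-service allow, direct corporate-to-process path, no default deny) and none for the hardened set. The point of the check is the one the talk makes: the presence of a firewall is not the control; the rule set that enforces the office/process boundary is.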