Closely tied to Shellās current Smart Field initiative--to continuously optimize oil and gas production and recovery--is the companyās drive to ensure security of its global assets, began Dan McDougall of
Shell Exploration and Production in his address this morning to the Honeywell User Group Americas 2007 Symposium.
āEnterprise IT security doesnāt work unless everybody follows the same rules from Brunei to the Gulf of Mexico to Europe,ā he said. āBut in the process control domain, we have more flexibility because we have that firewall between the process and the corporate environment.ā
In order to better communicate the relative importance of control system security to asset managers, Shell links its security assessments to the overall issue of technical integrity, McDougall explained, including risk assessment and management; defense-in-depth, with accountability at the asset level; and embedded audit and review processes.
āWe are talking about a different kind of integrity than the enterprise IT people are, so we have to explain what we mean, and then they get it,ā McDougall added. āThereās about an 80% overlap between what the IT guys have done and what weāve done, but that 20% difference is critical, and makes or breaks your process.ā
McDougallās recommendations for any control system security project start with getting management buy-in early. Translate the issue at hand into business language, using risk assessments for specifics and linking the project justification to technical integrity (process safety) processes. āWhen talking to management, highlight exposures, but donāt overstate, because emotion and fear leads to poor business decisions,ā McDougall said. āCompanies deal with risk everyday, and asset managers understand how to prioritize it.ā
Be explicit in security requirements, McDougall added, using external standards as a guide and making the scope of security requirements clear. āEngineering, IT and operations all need to be involved, and weāve found it essential to ensure all parties understand their responsibilities and boundaries.ā
āRemember that only about 20% of the scope is technologyāthe remainder is governance, people and procedures,ā McDougall concluded. Above all, link security to business value, and do it in stages. āIf you go for too much too fast, youāll scare them off.ā