Good practice related to safety and security of integrated operations in the oil and gas industry.

Training - Look to https://www.sans.org/curricula/  or SCADA spesific https://portal.sans.org/scada06/

 
Suggested good practice documents and guidelines:

• US- Cert Standards & References - This page provides an extensive bibliography of references and standards associated with control system cyber topics. http://www.us-cert.gov/control_systems/csstandards.html
• Security blog with news at  http://www.digitalbond.com/
• at https://www.ncsc.gov.uk/
• NISCC "Good practice Guide on Firewall Deployment for SCADA and Process Control Networks"
• NISCC " Process Control and SCADA Security"
• 21 steps to improve Cyber Security of scada Networks:  http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf (3Mb)
• Testing and certification of SCADA systems see ISA Security Compliance Institute - http://www.isasecure.org/en-US/; Industry leaders from a number of major control system users and manufacturers have investigated the feasibility of creating an organization to establish a set of well-engineered specifications and processes for the testing and certification of critical control systems products.
• Textbook: "Industrial Network Security"  (Paperback)  by David J. Teumim, ISBN: 1556178743, 144 pages, Publisher: ISA - The Instrumentation, Systems and Automation Society (December 24, 2004)
• ISA-SP99 Manufacturing and Control Systems Security Standards: The ISA-SP99 Committee is establishing standards, recommended practices, technical reports that will define procedures for implementing electronically secure industrial automation and control systems and security practices and assessing electronic security performance.  The new standard, ANSI/ISA-99.00.01-2007, Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts, and Models, is the first in a series of ISA standards that addresses cyber security for industrial automation and control systems (IACS). See www.isa.org.
• "Computer Security Incident Handling Guide" -  Recommendations of the National Institute of Standards and Technology - NIST Special Publication 800-61. Tim Grance, Karen Kent, Brian Kim. http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf
• NIST SP 800-82, Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security. SP 800-82 provides guidance for establishing secure industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS). The document provides an overview of ICSs and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.  http://csrc.nist.gov/publications/drafts/800-82/2nd-Draft-SP800-82-clean.pdf
• Incident documentation and  reporting , ref: http://www.bcit.ca/files/appliedresearch/pdf/security/isid_form.pdf
• Measuring information security awareness - current practices and the measurement of success http://enisa.europa.eu/doc/pdf/deliverables/enisa_measuring_awareness.pdf
• Methodologies to perform Risk analyses of Integrated Operations in Oil and Gas industry, see RiskMAP. An explanation of the RiskMAP methodology is available on https://www.mitre.org/sites/default/files/pdf/09_2994.pdf.
• The standard of good practice for Information Security from ISF:  https://www.isfsecuritystandard.com
• Health, safety and environment research in the petroleum sector , see http://www.icrard.org/
• SCADA LINKS see: http://lemaymd.com/uiuc/main.php?frag=links&title=Links
  
  Examples of known vulnerabilities are found in documents published by:
  
  
• Sandia National Laboratories has assembled a list of vulnerabilities commonly found in critical infrastructure control systems. Stamp Jason, John Dillinger, William Young, and Jennifer DePoy. November 11, 2003. "Common Vulnerabilities in Critical Infrastructure Control Systems". Available at http://www.oe.netl.doe.gov/docs/prepare/vulnerabilities.pdf
• PlantData Technology has developed a list of Top 10 security issues in SAS/SCADA systems.  Pollet Jonathan. March 14, 2005. Risk Mitigation – Top Ten Security Issues with Securing Real-Time Control and SCADA Systems that Support Critical Infrastructure. Available from http://www.plantdata.com

Suggested good practice documents and guidelines developed in Norway:

• Incident Reporting - result from the IRMA project
• OLF Guideline No. 104: Information Security Baseline Requirements for Process Control, Safety and Support ICT Systems  at  http://www.olf.no/hms/retningslinjer/
• Verification and validation of eOperations in control centres, see www.criop.sintef.no  (Developed in collaboration with Hydro and STATOIL)
• Improvement of safety and security culture related to Information Technology, use CheckIT  - see https://www.researchgate.net/publication/255483499_CHECKIT-A_Program_to_Measure_and_Improve_Information_Security_and_Safety_Culture (Recommended by Nasjonal sikkerhetsmyndighet see http://www.nsm.stat.no/Pressemeldinger/pressemeldinger.htm)
• General Risk analysis at www.nsm.stat.no/Documents/Veiledninger/ROS_2004_veiledning.pdf
• Huskeregler for informasjonssikkerhet
• Seminar: HMS og IKT-sikkerhet i integrerte operasjoner arrangert 29/11-2006 for PTIL http://www.ptil.no/nyheter/seminar-hms-og-ikt-sikkerhet-i-integrerte-operasjoner-article2903-702.html

Articles and Reports:

• Knut Ivar Hjellestad: "New Work Processes Through Integrated Operations In Statoil - Function Allocation By Trial And Error?". (Integrated Operations On The Norwegian Continental Shelf; A Case Study Of Resource Use And Safety In The
  Light Of Increased Subcontractor Involvement). Master Thesis In Health, Safety And Environment, Spring 2006, NTNU, Trondheim
• Anne Kristine Solem: "Experience transfer as a contributor to increased HSE level in Integrated Operations". Master thesis in Safety, Health and Environment, Spring 2007, NTNU, Trondheim
• Synnøve Heitmann: "Sikkerhetsutfordringer i virtuelle team". Masteroppgave i Helse, Miljø og Sikkerhet, Våren 2007,NTNU, Trondheim
• Siri Andersen: "Improving Safety through Integrated Operations". MSc thesis in Safety, Health and Environment (HSE), Spring 2006, NTNU, Trondheim
• International Journal of Performability Engineering, Volume 3, Number 1, January 2007 Paper 15 - pp. 174-186 "CheckIT - A Program to Measure and Improve Information Security and Safety Culture" Stig O. Johnsen*, Christian Waale Hansen, Maria Bartnes Line, Yngve Nordby, Eliot Rich and Ying Qian.
• ICT and HSE conference arranged by the authorities in Norway (Ptil) at 29/11 2006
• On March 23, 2005, the BP Texas City refinery experienced a catastrophic process accident. It was one of the most serious U.S. workplace disasters of the past two decades, resulting in 15 deaths and more than 170 injuries. The report from the Baker panel can be found at  http://www.csb.gov/completed_investigations/docs/Baker_panel_report.pdf
• Technical Article: CERN tests reveal security flaws with industrial networked devices  see http://ethernet.industrial-networking.com/articles/articledisplay.asp?id=1490.
  PLCs from seven different vendors have been tested, after the Netwox DoS attack only 74% of the PLCs were still able to respond to an ICMP ping request, while the other PLCs stopped responding completely and had to be rebooted. The complete Nessus test was successfully passed by 66% of the PLCs. In 18% of the cases, communication to the PLC was completely lost during the tests.
• (Norwegian) Report from a workshop on ICT safety and security  in Integrated Operations. The workshop was arranged in Stavanger November 30th 2006, in cooperation with SINTEF, OLF, PTIL and OD. Around fifty ICT experts participated in the workshop, suggesting projects and activities  to increase ICT safety and security related to Integrated Operations in the North Sea.

Network:

• The PCSF is an open, collaborative, voluntary forum of international stakeholders from government; academia; industry users, owner/operators, and systems integrators; and the vendor community. It is an organization focused on PCS security issues.  See Process Control Systems Forum (PCSF) https://www.pcsforum.org/. There are participants from more than 300 organizations, including CERT: https://www.pcsforum.org/participants.php. The interest groups (https://www.pcsforum.org/groups/iglist.php) and working groups (https://www.pcsforum.org/groups/wglist.php).  The Control Systems Research Interest Group https://www.pcsforum.org/groups/65/. The chair of the group is Dr. Ann Miller.
• The American Petroleum Institute (http://www.api.org). A standing group is looking at infosec issues and the greater IT needs of the industry.
• The Journal of Process Control http://www.elsevier.com/wps/find/journaldescription.cws_home/30445/description#description

Other key references:

• Strategies - Roadmap to Secure Control Systems in the Energy Sector, see: www.controlsystemsroadmap.net
• Institute for Information Infrastructure Protection (I3P) - Securing Control Systems in the Oil and Gas Infrastruture see https://www.thei3p.org/projects/publications.html
• General information, see Process Control Systems Forum (PCSF): www.pcsforum.org/

Download CheckIT Poster

Responsible for CheckIT web pages: Stig Ole Johnsen