Refining and petrochemical manufacturing facilities cannot afford uncertainty and risk. These facilities must prevent and mitigate cyber security threats that endanger their production operations, including risks to plant infrastructure, assets, personnel and environment. These units must take steps to protect the critical assets. Having knowledge of current and future cyber security risks, past incidents in process facilities and understanding of ever-changing security challenges make taking those steps easier.
It is a fact that cyber-attacks on plant automation systems have not only increased in recent years, but also have become more sophisticated. These attacks represent a real and present danger to process plant productivity, reliability and safety. In the connected plant environment, which is adopted by most of the modern refining and petrochemical units, a cyber-attack on a facility may involve only the cyber elements, but its impact can spread to other elements like human, environmental, physical and business because of the connected nature of its operations.
The lack of skilful resources and time to implement state-of-the-art security technology is becoming a serious concern in the refining and petrochemical industry. Cyber-attacks on downstream sector have gained worldwide attention from senior executives of major companies.
The latest advances in process control and automation systems used by the refining and petrochemical business for enhanced efficiency and yield have the potential to bring in major cyber security risks to the operating plants.
The challenge of cyber risk associated with smarter and integrated automation systems has repercussions on the plant operations. The risks include damage to capital assets, personnel safety issues and lost production. The first positive step to minimise cyber security risks would be clearly understanding the possible causes behind a cyber-breach.
It is a known factor that majority of the big organisations in the refining and petrochemical landscape have faced cyber-attacks – in some cases, the breaches are undetected, while in others, the organisations have failed to recognise the attack when it happened.
It is interesting to note that in certain cases in which the attack has been noticed, the following forensic investigation was able to find out that the incident occurred many months before and that the risk elements had probably probed the entire plant systems to obtain specific information from specific assets. Most of the time an enterprise notices cyber-breach and responds to it is when critical data is removed from the system.
In the case of refining and petrochemical industry, there are additional factors to address along with the cyber risks – bigger demand for data accessibility to drive aggressive business goals, the need for maximum uptime, stringent regulations from the industry and authorities, and inadequate human resources to deal with security issues.
Even after the increasing number of cyber-attacks on refining and petrochemical plants worldwide and the increasing awareness of these breaches, it is shocking to realise that the budgets for training the staff responsible for implementing cyber security policies have fallen considerably in most of the organisations.
Our Knowledge Partner for this special report on cyber security – (ISC)² – is an international, non-profit membership association for information security leaders. In his column in this report (pages 38-39), Dr Adrian Davis, managing director, EMEA, (ISC)², notes that the senior management and the boards of directors of most of the major organisations have yet to appreciate the impact of cyber risk as it can be very hard to quantify from a financial perspective.
In order to protect industrial control assets, the refining and petrochemical plants require a vibrant security strategy, continuous risk assessment and clear security policies. This demands a mind-set of continuous vigilance from the senior management and boards of directors of major companies to strengthen the downstream industry cyber defences. As pointed out by Dr Davis, in the prevailing scenario, the refining and petrochemical industry must anticipate attacks from cyber criminals and build the capability to keep the lights on, customers served and essential activities going.