Peter Beales discusses the dangers of neglecting software integrity
What constitutes an “asset” in the oil and gas industry? The obvious spring to mind: vessels, pipelines, and generators, for example. Few of us, however, would immediately think of invisible assets, like the software code, files and data stored in tiny silicon chips. Yet, without that information, the entire industry could collapse.
The need to protect physical assets is clear. However, with electronic information, it’s usually out of sight, out of mind. A recent study found that an astonishing 90% of UK production companies lack secure systems to protect all of their process control software. Yet, Britain is hardly an anomaly; this neglect is worldwide.
Software is fundamental to production processes, product quality and safety. To minimize the effects of process system failure, operators must protect the integrity of their process control system software. This necessity is manifested in four key areas: security, disaster recovery, change management and compliance.
Cyber threats are constantly in the news, yet oil and gas operators have been slow to recognize the risks to their process control systems. While external infiltration from hackers or malware is undoubtedly a problem, insiders who have access to process control software perpetrate nearly half of security incidents. Granted, some of these breaches are innocent and accidental, but in too many cases employees, subcontractors or third parties deliberately infiltrate systems to steal data or sabotage a system.
The Global State of Information Security Survey 2014 revealed that, compared with 2013, organizations reporting financial hits of $20 million or more increased 92%, and financial losses caused by security breaches jumped 34%. Losses are not exclusively monetary. Respondents also expressed concern about theft of intellectual property, damage to company reputation and declining share value. These concerns demonstrate the imperative need for stricter control over access to critical systems.
Every operator understands the immense cost associated with unplanned shutdowns. Few, however, stop to think about how important software is to the running of a system. When something goes wrong with process control software, costly delays are often prolonged because of the company’s reliance on ineffective back-up solutions for dealing with the problem. Panic ensues. Where are the backup disks? Do we have the correct version of software? How do we know the software isn’t obsolete?
Backup software can often be corrupted. Or it can be misplaced. Or it might not exist. Software essential to the smooth running of remote assets might be stored hundreds of miles away. Yet when it fails, so does the asset. In an industry renowned for disaster preparedness, this particular form of potential failure is often neglected. The best time to buy insurance is before a fire.
In Asset Guardian Solutions’ (AGSL) experience, many corporate MOC management systems are ill-suited to managing changes to process control software configuration code. An area where problems occur is “Parallel Software Changes,” when alterations to software configurations are made simultaneously by different parts of the organization, resulting in multiple versions of a single piece of software. The resultant damage can be time-consuming and expensive and, at worst, threaten installation safety.
The solution is to implement an integrated management of change process, designed specifically for software configuration code. To avoid Parallel Software Changes, the system adopted should, as a minimum, include software “check in – check out” capability.
The offshore industry is obliged to comply with a myriad of regulations, standards and codes of practice, requiring the effective management of process control software, information security and data management. To comply with these, companies must provide evidence of secure backups of codes and documents, configuration management systems, password administration, and audit trails.
Take control and control change
These four risks demonstrate that the integrity of ‘hidden’ assets is just as important as that of physical assets.
No company would ever think of neglecting the physical infrastructure or security of an FPSO, drilling rig or pipeline. Why, then, are so many prepared to ignore the costly and dangerous problems that can easily result when process control systems are left unprotected?
Peter Beales is business development manager for Asset Guardian Solutions Ltd. He is responsible for the sales and marketing of the company’s range of “Configuration Change Management” software tools that serve the global oil and gas, marine and utilities industries. An electrical and instrumentation engineer with over 30 years in the instrument and control sector, Beales has held a number of senior management positions with ABB, TYCO, IMES Engineering Services, and 3Sun Control and Instrumentation.