CREDC to develop secure, resilient cyber systems for oil and gas industry

Between Corpus Christi and Port Arthur, the Texas coastline is more than 100 miles of almost continuous refineries. When Hurricane Harvey struck the area this summer, it flooded this epicenter of Texas’ oil and gas industry, shutting down 22 percent of the United States’ refining capacity and closing all ports in the region, according to Forbes.

Major storms can damage not only the conventional physical elements of the oil and gas delivery systems — such as the actual pipelines — but also the hardware that supports the cyber systems used to control those delivery systems. When cyber operations shut down, it can have far-reaching consequences, says researcher Art Conklin.

“Getting these systems back online quickly is critical to ensuring the nation’s economic stability,” says Conklin, an associate professor of information system security at the University of Houston.

Conklin is heading up a team with the Cyber Resilience Energy Delivery Consortium, led by the University of Illinois at Urbana-Champaign, who are looking to create more secure and resilient cyber systems for the oil and gas industry. A resilient cyber system is able to prevent, respond, and recover more quickly after a natural disaster, equipment failure, or attack.

Cyber networks form the backbone of the energy delivery systems that are responsible for moving natural gas, oil, and hazardous liquids through the nation’s 2.9 million miles of pipeline. The natural gas transmission pipelines connect to about 1,400 distribution systems that service more than 67 million customers, according to the U.S. Dept. of Energy, which funds CREDC’s research with support from the Dept. of Homeland Security.

In addition to natural disasters like Hurricane Harvey, malicious attacks against the energy sector have grown in frequency and severity. While the electric grid has faced the majority of these threats, there is concern that the growing connectivity of pipeline systems to the Internet, to other communications systems, and to the electric grid itself make it increasingly vulnerable to attack. In 2011, a DHS report indicated that terrorist groups have discussed attacking certain pipeline systems.

“Most of the pipeline’s infrastructure has been isolated until the past five years or so, when people realized that network connectivity helped automate processes and improve efficiencies,” Conklin said. “It’s just that at the same time, it also introduced new risks.”

Unlike the power grid, which operates at the speed of light but whose local failures have relatively minor repercussions, pipelines move products through much slower, but with the potential for catastrophic failures due to the combustible properties of the chemicals. A case in point: The 2012 pipeline explosion in a residential neighborhood in San Bruno, Calif., which killed eight people.

To help mitigate those risks, Conklin’s team is creating technology and methodology that provides better security and access controls for processes, equipment, and data. The biggest challenge, he says, is the sheer size of the oil and gas industry’s footprint. The industry, which is involved in everything from to refining to shipping, has thousands of systems worldwide and is in the early stages of upgrading its legacy systems to state-of the-art.

Another challenge are the number of employees and contractors who might have access to these huge, often-global systems.

“The number of people that can touch these systems is greatly larger than what we see with the power grid,” said Tim Yardley, associate director for technology in Illinois’ Information Trust Institute. “Managing remote access and access control in these companies is a far more challenging task.”

Still, Conklin believes that the oil and gas sector — which he says has been proactive in addressing the changing risk environment — is uniquely poised to contribute to more secure and resilient cyber systems, ultimately benefitting the nation.

“These companies are looking at this problem holistically, even though their business structure is very complex,” Conklin said. “It’s not unthinkable that as we solve resilience problems for oil and gas, we could be developing solutions that have applications for other industries as well.”

Source: Information Trust Institute