80
FEATURE
and Europe, where the infrastructure is most mature. OT environments have traditionally focused on ensuring high availability at the expense of confidentiality and integrity, and are now very exposed to cyber security risks as a result of digitization and modernization, including connectivity to the internet. It is no longer practical or cost effective to maintain separate IT and OT environments. Indeed, to realize the maximum benefit from digitization and smart engineering, combining these environments is increasingly a necessity. These changes are being accelerated by the advent of new technologies such as IIoT and big data analytics.
Top cybersecurity questions a company must regularly ask itself: 1. Would you know if you were under attack right now? 2. What would you do if you were under attack? 3. How well do you know the scope of the IIoT/operational technology (OT) asset landscape you protect? 4. Is your business capable of running without IIoT/OT support? 5. How critical do you consider the IIoT environment in terms of business value creation? 6. What are the biggest cyber risks associated with your critical production environment? 7. How do you ensure security and resiliency in times of increased integration of data from multiple sources? 8. How well do you know the boundaries of the environment you need to protect? 9. Is configuration of your critical IIoT/OT devices safe (backup exists, tested, offsite storage is in place etc.)?
The convergence of the IT and OT environments has created new cyber-physical risks. As the US National Institute of Standards and Technology (NIST) says, “Cyber-Physical Systems or “smart” systems are co-engineered interacting networks of physical and computational components. These systems will provide the foundation of our critical infrastructure, form the basis of emerging and future smart services, and improve our quality of life in many areas.” New risks are being created where network connected endpoint devices such as UAVs, smart sensors, handheld engineer terminals and industrial routing equipment are being produced and deployed without a cybersecurity baseline implementation, and are open to remote compromise. As more and more devices are connected, the potential for infiltration rises exponentially. Today, cyber-physical risks are not being effectively identified, tracked or monitored – so how can such risks be appropriately mitigated? This, combined with the rate of new technology deployment and digitization of operational processes, means there is reason to act now. If cyber-physical systems are compromised they could lead to a hazardous event, which could result in loss of critical national infrastructure services to the public or, worse, loss of life due to safety failings. Examples have already been seen with UAVs (e.g., drones, autonomous and driverless vehicles etc.). Such attacks in the oil and gas industry can potentially go beyond damage to control systems, devices, equipment and the network. They can also pose risks to the entire supply chain and disrupt regional sector operations. This is the essence of cyber-physical risk. Oil and gas companies have to devote more focus to understanding the potential negative impacts new technologies can have on their business. They should continually assess, understand and manage risk exposure, both at an organisational level and for individual processes, functions, facilities, locations and technologies.
[Text courtesy: EY]
Operational safety and quality are cyber-dependent