Cybersecurity gets talked about – a lot – in the oil and gas industry. It’s often discussed at two extremes:
- Equipment manufacturers look at cybersecurity and conclude either that there is a firewall and it works, or that their equipment is on a closed system. Either way, they decide they are just fine.
- Operators now have it as a checklist item in their requests for proposal: “Do you have it, yes or no?” And that is where it stops.
Unfortunately, both of those extremes fail. Cybersecurity is, at its core, a software problem, and in our industry software is too often given inadequate consideration. Remember: once the asset is up and running, it is too late to design security in.
A good starting point is to apply, at the front end, the very tools that already help give us a safely functioning system: HAZOP, HAZID and FMECA. In this blog entry, these tools will be clearly defined. In the next blog entry, we’ll discuss how to apply them to cybersecurity.
HAZOP – a structured and systematic technique for examining a defined system, with the objective of:
- identifying potential hazards in the system. The hazards involved may include those relevant both to the immediate area of the system and those with a much wider sphere of influence, e.g. some environmental hazards;
- identifying potential operability problems with the system and in particular identifying causes of operational disturbances and production deviations likely to lead to nonconformities.
An important benefit of HAZOP studies is that the resulting knowledge, obtained by identifying potential hazards and operability problems in a structured and systematic manner, is of great assistance in determining appropriate remedial measures. A characteristic feature of a HAZOP study is the “examination session”, during which a multidisciplinary team under the guidance of a study leader systematically examines all relevant parts of a design or system. It identifies deviations from the system design intent by applying a core set of guide words (for example No/Not, More, Less, As well as, Part of, Reverse and Other than) to each element and its parameters. The technique aims to stimulate the imagination of participants in a systematic way so that hazards and operability problems are identified rather than assumed away.
HAZID – From our HSE Manual: Athens Group Services facilitates Hazards Identification (HAZID) workshops for our clients. The objectives of these HAZID workshops are to:
- Identify potentially dangerous interactions or occurrences associated with the operation of drill floor machinery and tubular interlocking equipment.
- Identify suitable means for prevention or mitigation and to categorize the risks.
- Where practicable eliminate hazards by redesign. For example, relocate passive equipment that might intrude upon the path of machinery.
- Assess the potential danger to people and plant and ensure that the safety preventative systems (both hardware and software) are robust and have the appropriate integrity to ensure risks are reduced to a level that is as low as is reasonably practicable (ALARP).
- Ensure that there is a safe, reliable and accurate method for drill floor measurements required by protective systems (such as zone management software) to be input into the protective logic.
- Ensure that there is a safe and sufficiently reliable means of verifying that each protective function operates as intended. It is likely that this will require redundancy of critical sensors.
- Ensure that on loss of power or distorted power supply waveforms (e.g. harmonic distortion or voltage dips) the mechanized movement stops, and any raised/suspended items remain secure.
- Ensure that appropriate management controls are in place so that equipment interlocks are not defeated or overridden unless: an appropriate job-specific risk assessment has been undertaken and the specified risk controls are in place; all other reasonable precautions have been taken; the assessments and overrides are properly authorized and recorded; the overrides are removed as soon as practicable; and the number of machines moved with overrides in place is minimized.
- Ensure that all safety-related messages and indications to the operators of machinery are clear and unambiguous.
FMECA – Failure Modes, Effects, and Criticality Analysis is a Process Hazard Analysis (PHA) methodology designed to identify potential failure modes for a system or process, to assess the risk associated with those failure modes, to rank the issues in terms of importance, and to identify and carry out corrective actions to address the most serious concerns.
ISO/IEC 15288 (6.3.4) describes the requirement to manage risk throughout the lifecycle of a system. One critical component of risk management is risk assessment. ISO/IEC 15288 (6.3.4.3-c) defines the four steps of a risk assessment as:
- Identifying all risks in the proper context
- Estimating the probability of occurrence and the consequences of occurrence
- Evaluating each risk against risk thresholds
- Recommending treatment strategies for each risk above the risk threshold
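To make the FMECA ranking and the four assessment steps above concrete, here is a small worked example. It is added for this post and is not Athens Group Services code or text from ISO/IEC 15288. It uses the common FMECA Risk Priority Number (severity × occurrence × detection on 1–5 ordinal scales) as the criticality measure; the detection factor, the 1–5 scales, the threshold of 24 and the five drill-floor failure modes are all constructed assumptions chosen to echo the HAZID objectives listed earlier, not data from any real assessment.

```python
"""FMECA-style criticality ranking walked through the four ISO/IEC 15288 risk-assessment steps.

Added example, not the blog's or the standard's own material. Scales, threshold and
failure modes below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass

SCALE = range(1, 6)   # assumption: every factor is scored on an ordinal 1..5 scale
RPN_THRESHOLD = 24    # assumption: risks scoring above this require treatment (ALARP argument)


@dataclass(frozen=True)
class FailureMode:
    item: str
    mode: str
    effect: str
    severity: int     # consequence if it happens: 1 negligible .. 5 catastrophic
    occurrence: int   # likelihood: 1 remote .. 5 frequent
    detection: int    # 1 almost certain to be detected before harm .. 5 effectively undetectable

    def __post_init__(self):
        # Step 2 relies on consistent scales; reject out-of-range scores instead of ranking garbage.
        for name in ("severity", "occurrence", "detection"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be in 1..5, got {getattr(self, name)!r}")


def risk_priority_number(fm: FailureMode) -> int:
    """FMECA criticality score: severity x occurrence x detection, range 1..125."""
    return fm.severity * fm.occurrence * fm.detection


def recommend_treatment(fm: FailureMode) -> str:
    """Aim the treatment at the dominant factor.

    Ties resolve in the listed order (detection, severity, occurrence): a failure nobody
    can see cannot be managed at all, so visibility comes first. max() returns the first
    maximal element, which preserves that order.
    """
    factors = [
        (fm.detection, "add independent detection (redundant sensor, monitoring of the protective function)"),
        (fm.severity, "redesign to remove or limit the consequence (fail-safe stop, relocate equipment)"),
        (fm.occurrence, "add prevention controls to lower likelihood (interlocks, authorised overrides, procedures)"),
    ]
    return max(factors, key=lambda f: f[0])[1]


def assess(modes, threshold: int):
    """Steps 2-4: estimate (score), evaluate against the threshold, recommend treatment.

    Returns rows ranked by criticality, highest first; 'treat' marks risks above the threshold.
    """
    ranked = sorted(modes, key=risk_priority_number, reverse=True)
    rows = []
    for fm in ranked:
        score = risk_priority_number(fm)
        above = score > threshold
        rows.append({
            "item": fm.item,
            "mode": fm.mode,
            "rpn": score,
            "treat": above,
            "action": recommend_treatment(fm) if above else "accept; monitor during operation",
        })
    return rows


# Step 1, identification: constructed failure modes echoing the HAZID objectives above.
CONSTRUCTED_MODES = [
    FailureMode("Drill floor position sensor", "stuck-at value",
                "zone management logic acts on stale position; machinery collision", 4, 2, 5),
    FailureMode("Interlock override", "override left in place after the job",
                "machines moved without protective logic", 3, 4, 3),
    FailureMode("Controller configuration port", "unauthorised parameter change",
                "protective logic behaves differently from design intent", 4, 2, 4),
    FailureMode("Drive power supply", "voltage dip",
                "mechanised movement continues uncontrolled", 5, 3, 2),
    FailureMode("HMI alarm text", "ambiguous message",
                "operator misreads a safety-related indication", 3, 3, 2),
]


def main():
    for row in assess(CONSTRUCTED_MODES, RPN_THRESHOLD):
        flag = "TREAT " if row["treat"] else "accept"
        print(f"{row['rpn']:>3}  {flag}  {row['item']}: {row['mode']} -> {row['action']}")


if __name__ == "__main__":
    main()
```

The ranking is only as good as the scales behind it, which is why the scores are validated before anything is ranked; in practice the team agrees the severity, occurrence and detection definitions before the examination session, and the threshold is the point at which the ALARP argument has to be made explicitly rather than assumed.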
These are three tools – tools you already use – that can also be applied to cybersecurity. We’ll look at how best to apply them in the next blog.

Read the blog entries on our website – www.athensgroupservices.com, join our LinkedIn Group, and subscribe to our newsletter.