Addressing and Managing Cyber Security Risks and Exposures in Process Control

Abstract

Abstract Management of cyber security risks and exposures in the industrial process control environment has emerged as an important and dynamic element in the operational safety, security, and reliability of the infrastructure in the oil & gas industry. In the last 10 years, the number and complexity of cyber security intrusions and malware infections has exponentially increased. In 2010, the entire threat landscape changed with the appearance of Stuxnet, which demonstrated that targeted attacks to control systems were not only possible, but very likely and very hard to defend. This has prompted the industrial and commercial sectors to develop and continuously improve cyber security policies, programs, and procedures to address and manage the risks and exposures associated with these threats. Similarly, government sectors have launched programs, enacted cyber security laws, and developed policies, procedures, and standards to address the steadily increasing threats and vulnerabilities in the industrial control systems area. The connected, digital oil field must include comprehensive and robust controls to protect against these risks and exposures. It requires continuously evolving and improving cyber security programs, and requires diligent, ongoing management to address evolving and advanced persistent threats. This paper will provide an oil and gas industry insight into cyber security programs and countermeasures, and will share ExxonMobil’s* approach to cyber security in the industrial process control environment.