1 May 2006

Oil and Gas Supply Chain Peril

Integration of process and security systems most feasible for oil platforms, pipelines, and terminals

By Jason Urso, John Colpo, and Nicholas Sheble

Recently 12 people died when a ship collided with an oil platform in the Bombay High oil field area, sparking a fire that gutted a rig that produced one sixth of India's oil.

The ship had no malicious intent; it was there to pick up a sick worker on the platform. This tragic case highlights the dangers facing workers on the oil and gas supply chain.

The Bombay High incident was an accident, but a raft not unlike the one that intentionally attacked the USS Cole in 2000 could have easily caused even more damage at that oil field.

Incidents like these illustrate the potential safety and security threats to the world's oil and gas supply chain, as well as the potential consequences. Those consequences range from loss of life to lost production and equipment damage. Clearly, comprehensive solutions that address both safety and security are required. Since safety and security are interrelated, a prudent strategy for oil and gas customers is to employ integrated safety and security solutions.

For the oil and gas industry, there is a lot of ground to cover with an integrated safety and security solution. The supply chain reaches from the mobile drilling rigs to the production platforms, pipelines, carriers and tankers, and seaside terminals.

The oil and gas supply chain can encompass several thousand miles over water and land, and separate entities can be responsible for securing different links, making this supply chain exponentially more challenging to secure than a single processing plant.

Challenges along the chain

To guard against the effects of an attack on the supply chain, a comprehensive safety and security regimen is required. Many see the challenge as one of physical security. In reality, process control, physical and cyber security, and emergency response issues must all be addressed.

Using an integrated safety and security strategy in the oil and gas supply chain can be very effective, albeit a bit complicated.

The oil and gas industry is subject to the same routine hazards and safety and security considerations that occur in any industrial facility. Oil and gas facilities, however, present specific safety and security considerations that are far beyond routine.

The oil and gas supply chain includes exploration facilities (drilling rigs), production platforms, pipelines, carriers and tankers, and terminals. Integration of process and security systems is most feasible for the platforms, pipelines, and terminals.

Points of attack

Production facilities: Floating and fixed-leg production platforms operate from 10 to 30 years to extract oil and gas from underground, and then purify and export to the next link via pipelines or oil tankers. There are about 6,000 offshore platforms around the globe and many onshore. Because of the interconnectedness of the platforms, a problem at one key platform may restrict an entire country's crude oil source by several percent, which makes platforms such as the one at Bombay High a strategic asset in the supply chain.

Pipelines: Pipelines are a unique feature of the oil and gas supply chain. Some transport crude oil from platforms to oil refineries and may be up to several thousand miles long. There are 180,000 miles of large diameter pipelines in North America.

Pipelines also work downstream in the chain to transport products from refineries to gasoline stations and other industrial plants/terminals. Additionally, they can distribute natural gas around most cities in the U.S., Europe and, increasingly, other countries.

Pipelines run over and under miles of public land and roads and are vulnerable to physical interference, deliberate or otherwise. In less developed economies, regulations may require specific safety and security measures. In more developed countries, a risk management-based approach is usually required. Pipeline safety tends to be more highly regulated because of the proximity of and risk to the general public and public assets such as roads, houses, and businesses.

Terminals: Terminals are generally seaside-based facilities where ships tie up and offload oil or gas. The terminal stores one or more commodities and transfers them to other sites via pipelines, tanker trucks, or trains. Terminals are somewhat affected by marine regulations in addition to regulations affecting general industrial facilities/sites.


Oil and gas: Unique supply chain

In the oil and gas supply chain, process control has historically included safety solutions, such as fire detectors and high-integrity pressure protection systems, but not physical security, such as intrusion detection, access control, and video surveillance. Nor have these facilities employed or considered abnormal situation management or cyber security. All of these elements of safety and security are important; each has unique business and technical challenges.

Generally, there are no industry standards or norms for an integrated safety and security solution applied within the oil and gas supply chain. For example, there is no standard for interfacing access control or perimeter intrusion alarms with process control systems.

Additionally, the systems in many facilities come from separate vendors, and different business dynamics often apply. Security technology now applied in industrial sites, for example, originates from commercial building security technology, which may not be suitable for an industrial facility or geographically distributed pipeline.

There are also unique internal conditions that present challenges.

These conditions include lower staff ratios, unmanned installations, widely dispersed assets, significant use of unsecured public telecommunications infrastructure, exposable products, and low technology maturity.

Implementing best practices

In a world of heightened tensions due to terrorist activity, it is not sufficient to have a disparate and non-integrated approach to safety and security. Instead, a holistic view is necessary. A holistic approach involves multiple layers of protection such that if any one layer goes down, there are other barriers or methods of protection. By linking the layers together into an integrated approach, greater levels of safety and security are possible.

Secure process control: A selection criterion for process control systems (i.e., SCADA, DCS, PLC, and RTU) is that the system has built-in cyber security measures, including:

  • Secure segregation of users and their control over plant functions and system administration functions.
  • Firewalls at intersections between the process control network and other local networks and WANs.
  • Purpose-built control firewalls to protect embedded real-time devices from Windows-based viruses.
  • Rapid qualification of hot-fixes and antivirus software.
  • Documented design guidelines for secure process control.

Asset management: With fewer staff to perform periodic inspections, a modern approach is required for monitoring the actual condition of an operating plant. Knowing the true condition of the plant allows for operating within safe limits and often results in cost savings from not "over maintaining" equipment. Asset management technology can also help prevent unplanned shutdowns. Accomplishing this in an effective manner requires:

  • Implementation of conventional sensors (e.g. filter DP) and special sensors (e.g. on-line corrosion monitoring or vibration monitoring).
  • Implementation of software solutions that manage the sensed or manually entered measurements and have an equipment and symptom knowledge base to calculate if a breach of normal conditions is approaching or has occurred.
  • Integration of the asset management system to the process control system for intelligent sensor data collection, remote calibration, etc.
  • Integration with the corporate Computerized Maintenance Management System for workflow management.

Abnormal situation management and boundary management: Remote and lightly staffed facilities such as oil platforms are likely, over time, to have many manual overrides forced onto the process control and safeguard systems, preventing those systems from operating effectively.

As oil fields age and deplete, the production characteristics change, and if the control system settings remain unchanged, those systems will have more false alerts, further encouraging the staff to tamper with limits. The solution includes:

  • Rationalizing alarms, subsequent alarms, and alarm limits to their most simple and effective form with the goal of minimizing alarm noise during normal operation and avoiding overwhelming alarm floods during plant and security upsets.
  • Detecting operator tampering with alarms, alarm limits, and safety limits, which allows facility engineers to reconsider and reset safety limits back to safe settings.
  • Simplifying operator HMI displays and operations so plant and security upsets are handled more reliably by operators.
  • Allowing the resetting of operating parameters from reservoir, well bore, plant, pipeline models to suit current flowing conditions.
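
The tamper detection described in the second bullet above, as an added example that is not part of the original article: it replays a configuration change log against an engineering-approved baseline and reports alarm settings left less protective than approved. The tag names, users, log format, and values are constructed for illustration and do not come from any particular control system.

```python
from collections import namedtuple

# Engineering-approved alarm settings per tag (constructed values).
BASELINE = {
    "PT-101": {"HI": 85.0, "LO": 20.0, "ENABLED": True},
    "LT-204": {"HI": 90.0, "LO": 10.0, "ENABLED": True},
}

# Constructed configuration change log: (time, user, tag, attribute, new value).
CHANGE_LOG = [
    ("2006-03-01T02:14", "op_night", "PT-101", "HI", 95.0),
    ("2006-03-01T02:20", "op_night", "LT-204", "ENABLED", False),
    ("2006-03-02T09:00", "eng_day", "PT-101", "LO", 25.0),
    ("2006-03-03T11:30", "op_day", "LT-204", "LO", 5.0),
    ("2006-03-04T08:00", "eng_day", "LT-204", "ENABLED", True),
]

Finding = namedtuple("Finding", "tag attribute approved current changed_by changed_at")

def weakens(attribute, approved, value):
    """True when value makes the alarm less protective than the approved one."""
    if attribute == "HI":
        return value > approved          # high alarm would trip later
    if attribute == "LO":
        return value < approved          # low alarm would trip later
    if attribute == "ENABLED":
        return approved and not value    # alarm switched off
    return False

def find_tampering(baseline, change_log):
    """Replay the log in time order; report settings left weaker than baseline."""
    latest = {}
    for when, user, tag, attribute, value in sorted(change_log, key=lambda r: r[0]):
        latest[(tag, attribute)] = (when, user, value)
    findings = []
    for (tag, attribute), (when, user, value) in sorted(latest.items()):
        approved = baseline.get(tag, {}).get(attribute)
        # A setting with no approved baseline cannot be judged, so report it too.
        if approved is None or weakens(attribute, approved, value):
            findings.append(Finding(tag, attribute, approved, value, user, when))
    return findings

if __name__ == "__main__":
    for finding in find_tampering(BASELINE, CHANGE_LOG):
        print(finding)
```

Only the latest value of each setting is judged, so an alarm that was disabled and later re-enabled is not reported, while a limit that was widened and never restored is.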

Emergency shutdown systems: Hazardous operations studies typically result in implementation of several shutdown systems with sensors, actuators, and logic solvers working together to detect a range of unsafe conditions and sequence plant equipment into a safe state.

For example, if a fire occurs in a section of pipeline and is fueled by gas and oil from the pipeline, then a sudden drop in pressure signals to the Emergency Shutdown System to shut down the pipeline. Isolation block valves will close in and limit the fuel to the fire.

Physical protection: Multiple physical protection measures are available for platforms, pipelines, and facilities.

Perimeter protection using advanced intrusion detection sensors can help alert both security and process personnel to an attempted breach. When integrated, a coordinated response can work such that security personnel can dispatch an intervention team while process personnel isolate the area under attack to reduce potential impact.

Integrating video surveillance such that a perimeter intrusion automatically activates a camera and positions it to monitor the area of intrusion is an excellent strategy. Additionally, integrated systems allow process operations personnel to share the video feed with security personnel.

Radar technology can also serve to identify and track approaching maritime vessels. This is particularly applicable for offshore platforms and LNG terminals.

Access control can provide two benefits. First, it can restrict access to structures and facilities. This is particularly applicable for remote instrument enclosures, control rooms, private quarters, and other areas. Second, access control can determine an individual's last known location in the event of an emergency.

By applying these capabilities and integrating them with the control system, greater levels of collaboration between security and process operations staffs are feasible, all of which leads to faster identification of issues and more proactive mitigation steps.


What's in your wallet?

In an ideal world, all elements of the oil and gas supply chain would have a risk management program that specifies regular risk assessment reviews performed by domain specialists. At a minimum, most facilities attempt to record/log safety, security and health, and environment incidents.

All operators of oil and gas supply facilities should, at a minimum, review their incident logs to look for trends in security practices and breaches. They also should look around their facilities and ask questions like:

  • Can an unauthorized vehicle or small craft accidentally or deliberately access my facility? Moreover, if successful, can it enter with enough force to strike my plant and trigger an explosion?
  • Can someone secretly survey my facility?
  • Can visitors move around unaccompanied and/or without identification?
  • Can my video identify an approaching vessel? Can it do so in inclement weather?
  • Can my radar surveillance detect friendly and non-friendly craft, or do I need integration with AIS (Automated Identification System), a global system using GPS to track and identify subscribed vessels?
  • Is it possible for a virus or malicious user to disrupt my control system?
  • Can I detect and prevent a malicious individual from approaching the plant?
  • What and where are the benchmark facilities? What are they doing?
  • Has an independent assessment of risk taken place or not?

Today's standard is that all job roles, equipment designs, and plant installations go through safety assessments both at inception and on a periodic basis thereafter. In short, everyone has realized that safety is dependent on all systems within a business.

However, what needs more discussion is that safety is interrelated with security, abnormal situation management, and emergency response. Integrated solutions can help ensure risks dwindle by enabling a faster and more proactive response to incidents. Without taking the step towards integrated solutions, the integrated supply chain remains at risk.

About the authors

Jason Urso (jason.urso@honeywell.com) is the director of migrations and expansions responsible for Honeywell's installed base of control system equipment and applications. He is also responsible for the company's safety and security campaign, which includes both physical and cyber security. John Colpo (john.colpo@honeywell.com) is an industrial process automation engineer working as an industry consultant within Honeywell's oil and gas segment.

Fast Forward

  • There is no standard for interfacing access control or perimeter intrusion alarms with process control systems.
  • In a world of heightened tensions due to terrorist activity, it is not sufficient to have a disparate and non-integrated approach to safety and security.
  • Knowing the true condition of the plant allows for operating within safe limits and often results in cost savings from not "over maintaining" equipment.
  • As oil fields age and deplete, the production characteristics change, and if the control system settings remain unchanged, those systems will have more false alerts encouraging the staff to tamper with limits.