Abstract
In this chapter we have discussed vulnerabilities and mitigating actions to improve safety, security and continuity of the information and process infrastructure used in the oil, gas and petrochemical sector. An accident in the oil and gas industry can become a major disaster, and the suggested steps should help mitigate some of these hazards. This chapter consist of four parts, described in the following:
1. Background and Introduction – the Oil, Gas and Petrochemical Sector
2. Accidents, Threats and Resilience in the Oil, Gas and Petrochemical Sector
3. Risk Mitigation and Improvement of Resilience in the Sector
4. Conclusion and Suggestions for Further Exploration and Research
The introduction describes the general challenges to explore oil and gas reserves in difficult areas. The regulation philosophy and regulation strategy of the oil and gas sector is discussed. A description of process control systems (i.e. supervisory control and data acquisition - SCADA systems) and information and communication technology (ICT) is given. Challenges posed by integration of SCADA and ICT systems are discussed. Challenges raised by new technology used in the oilfields of the future are mentioned.
In the next section we are giving a theoretical description of how accidents are analysed and structured. Then we have described major accidents in the oil and gas sector. Next we have described specific vulnerabilities of integration of ICT and SCADA systems, based on an empirical survey. This is followed by a discussion of technical risks related to integration of ICT and SCADA systems.
In the third section we have described how the challenges and risks identified can be mitigated through rule compliance and risk management. We are suggesting a set of “best practices” to mitigate the risks, explored with success in Norway. Our perspective has been to include technology, organization and human factors in risk management. Due to the increased complexity and uncertainty in the sector we have suggested an improved risk assessment including resilience as a strategy. To expand the field of learning we are suggesting exploring successful recoveries in addition to accidents and incidents. Action research has been suggested as a method to improve safety based on a participatory and reflective discourse during risk assessment.
In the last section we have listed our conclusion and are suggesting areas of further exploration and research. The main conclusion is to design for resilience and safety and to establish common risk perceptions through scenario analysis.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
EIA, U.S. Energy Information Administration “International Energy Outlook”, report DOE/EIA-0484 (2010), www.eia.gov/oiaf/ieo/index.html (retrieved at August 01, 2010)
Holditch, S.A., Chianelli, R.R.: Factors That Will Influence Oil and Gas Supply and Demand in the 21st Century. MRS Bulletin 33 (April 2008), www.mrs.org/bulletin (retrieved at May 08, 2010)
Rollenhagen, C., Evenéus, P.: Development of a systemic MTO perspective on dam safety management. In: International Symposium on Modern Technology of Dams. The 4th EADAC Symposium, Chengdu, China, October 13-18 (2007)
Aas, A.L., Johnsen, S.O., Skramstad, T.: Experiences with Human Factors in Norwegian petroleum Control Centre Design and suggestions to handle an increasingly complex future. In: Reliability, Risk and Safety – Theory and Applications (Esrel 2009), pp. 285–291. CRC Press (2009) ISBN 978-0415555098
ISO/IEC Guide 51, Safety Aspects – Guidelines for their Inclusion in Standards (1999)
Hollnagel, E., Woods, D., Leveson, N.: Resilience Enginering. Ashgate (2006) ISBN 0-7546-4641-6
Hyne, J.N.: Nontechnical guide to petroleum geology, exploration, drilling and production, PenWell, Oklahoma, USA (2001)
Baker, S., Waterman, S., Ivanov, G.: In the crossfire – Critical Infrastructure in the Age of Cyber War (2010), http://csis.org/event/crossfire-critical-infrastructure-age-cyber-war (retrieved at July 01, 2010)
DNV, Det Norske Veritas - “OLF/NOFO – Summary of Differences Between Offshore Drilling Regulations in Norway and U.S. Gulf of Mexico” (2010), http://www.olf.no/news/dnv-report-solid-petroleum-regulations-in-norway-article19670-291.html (retrieved at September 01, 2010)
ISO 17776, Petroleum and natural gas industries — Offshore production installations —Guidelines on tools and techniques for hazard identification and risk assessment (2002)
Johnsen, S., Ask, R., Røisli, R.: Reducing Risk in Oil and Gas production. In: Goetz, E., Shenoi, S. (eds.) Critical Infrastructure Protection, ch. 7. Springer, Heidelberg (2008)
Victorian Auditor-General, Security of Infrastructure Control Systems for Water and transport (2010), http://download.audit.vic.gov.au/files/20100610_ICT_report.pdf (retrieved at October 01, 2010)
ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements, ISO (2005)
ISO/IEC 27002, former ISO/IEC 17799 – Information Technology - Code of practice for information security managemen, ISO (2005)
Johnsen, S.O., Skramstad, T., Hagen, J.: Enhancing the Safety, Security and Resilience of ICT and SCADA systems Using Action Research. In: Palmer, C., Shenoi, S. (eds.) Critical Infrastructure Protection III, pp. 113–123. Springer, Berlin (2009)
Stoufer, K., Falco, J., Kent, K.: Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security. NIST Special Publication 800-82, National Institute of Standards and Technology, Maryland, USA (2008)
US. Code Title 44, ch. 35, Subchapter III, § 3542, Uscode.House.Gov/Download/Pls/44c35.Txt (retrieved at December 31, 2010)
IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems, IEC (2010)
IEC 62443, Security for industrial process measurement and control - Network and system security. ISO/IEC 2008 (2008)
ANSI/ISA-99.02.01, International Society for Automation, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program, ANSI/ISA, Research Triangle Park, North Carolina (2009)
ISO 11064, Ergonomic design of control centres, ISO (2000)
EEMUA Publication No.191, Alarm systems: A guide to Design, Management and Procurement (2007)
ISO 9241, Ergonomics of Human System Interaction
Ask, R., Røisli, R., Johnsen, S., Line, M., Ueland, A., Hovland, B., Groteide, L., Birkeland, B., Steinbakk, A., Hagelsteen, E., Rong, C., Losnedahl, T.: Information Security Baseline Requirements for Process Control, Safety and Support ICT Systems. ISBR, OLF104 (2006), www.olf.no/en/Publica/Guidelines/Integrerte-operasjonerIntegrated-operations/104/ (retrieved at January 01, 2010)
Luders S.: CERN tests reveal security flaws with industrial networked devices. The Industrial Ethernet Book, GGH Marketing Communications, Titchfield, United Kingdom, pp. 12–23 (November 2006), www.iebmedia.com (retrieved on December 05, 2009)
Oljeindustriens Landsforening (OLF - Norwegian Oil Industry Association). Integrated Work Processes (2005), www.olf.no/getfile.php/zKonvertert/www.olf.no/Rapporter/Dokumenter/051101%20Integrerte%20arbeidsprosesser%2C%20rapport.pdf (retrieved at February 01, 2010)
Stortingsmelding 38 (2004), www.regjeringen.no/nb/dep/oed/dok/regpubl/stmeld/20032004/Stmeld-nr-38-2003-2004-.html?id=404848 (retrieved at December 03, 2009)
Perrow, C.: Normal Accidents: Living with High-Risk Technologies. Basic Books, NY (1984)
Jaatun, M.G., Johnsen, S.O., Line, M.B., Longva, O.H., Tøndel, I.A., Albrechtsen, E., Wærø, I.: Incident Response Management in the oil and gas industry – SINTEF report A4086 (2007)
Reason, J.: Managing the risks of Organizational Accidents. Ashgate, Aldershot (1997)
Hollnagel, E.: Barriers and Accident Prevention. Ashgate, Aldershot (2004)
Roberts, K.H.: Some characteristics of one type of high reliability in organization. Organization Science 1(2), 160–176 (1990)
Roberts, K.H.: New challenges in Organizational research: high reliability organizations. Industrial Crisis Quarterly 3, 111–125 (1989)
Yule, S.: Safety culture and safety climate: a review of the literature, pp. 1 – 26. Industrial Psychology Research Centre (2003)
Hudson, P., van der Graaf, G.C.: Hearts and Minds: The status after 15 years Research. In: Society of Petroleum Engineers (SPE 73941) International Conference on HSE in Oil and Gas Exploration and production, Kuala Lumpur (2002)
LaPorte, Consolini: Working in Practice But Not in Theory: Theoretical Challenges of "High-Reliability organizations”. J. Public Adm. Res. Theory 1, 19–48 (1991)
Qian, Y., Fang, Y., Jaatun, M.G., Johnsen, S.O., Gonzalez, J.J.: Managing emerging information security risks during transitions to Integrated Operations. In: 43rd Hawaii International Conference on System Sciences, Koloa, Kauai, Hawaii (2010) ISBN: 978-0-7695-3869-3
Leveson, N.: Safeware – system safety. Addison-Wesley (1995)
Bogart, W.: The Bhopal Tragedy. Westview Press, Boulder (1989)
Cullen, W.D.: The Public Inquiry into the Piper Alpha Disaster. Stationery Office Books (1990)
Dept of the Interior (DOI), Increased safety measure for energy development on the Outer Continental Shelf’, Salazar report (2010), http://www.doi.gov/deepwaterhorizon/loader.cfm?csModule=security/getfile&PageID=33598 (retrieved at July 31, 2010)
BP Deepwater Horizon Accident Investigation Report (September 8, 2010), http://www.bp.com/sectiongenericarticle.do?categoryId=9034902&contentId=7064891 (retrieved at September 15, 2010)
Hopkins, A.: Lessons from Longford – The Esso Gas Plant Explosion, CCH Australia (2000)
Victorian Coroner’s Report into the Longford Gas Explosion (1998), web.archive.org/web/20070622023036/coron (retrieved at June 03, 2010)
NRC, Nuclear Regulatory Commission, “The effects of Ethernet-based, nonsafety-related controls on the safe and continued operation of nuclear power stations”, NRC Information Notice 2007-15, Washington, DC (2007), http://www.nrc.gov/reading-rm/doc-collections/gen-comm/info-notices/2007/in200715.pdf (retrieved on January 01, 2010)
Baker, et al.: The BP U.S. Refineries Independent Safety Review Panel (2007), http://www.csb.gov/assets/document/Baker_panel_report1.pdf (retrieved at January 01, 2010)
Reed, T.: At the Abyss: An Insider’s History of the Cold War (2004) ISBN 0891418210
Byres, E., Howard, S.: White Paper - Analysis of the Siemens WinCC / PCS7 “Stuxnet” (October 14, 2010), http://www.tofinosecurity.com/professional/siemens-pcs7-wincc-malware (retrieved at October 20, 2010)
NTSB, National Transportation Safety Board, “Pipeline Rupture and Subsequent Fire in Bellingham, Washington (June 10, 1999)”. Pipeline Accident Report NTSB/PAR-02/02, Washington, DC (2002)
NTSB, National Transportation Safety Board, “Safety Study – Supervisory Control and Data Acquisition (SCADA) in Liquid Pipelines”. Report NTSB/SS-05/02, Washington, DC (2005)
Johnsen, S.O.: Resilience in Risk Analysis and Risk Assessment. In: Moore, T., Shenoi, S. (eds.) Critical Infrastructure Protection IV. Springer, Berlin (2010) ISBN 978-3642168055
Johnsen, S.O., Okstad, E., Aas, A.L., Skramstad, T.: Proactive indicators of risk in remote operations of oil and gas fields. Presented at SPE International Conference on Health, Safety and Environment in Oil and Gas Exploration and Production (2010), doi:10.2118/126560-MS
Jackson, S., Madni, A.M.: A Practical Framework for the Architecting of Resilient Enterprises. In: Hollnagel, E., Pieri, F., Rigaud, E. (eds.) Proceedings of the third Resilience Engineering Symposium. Ecole des mines de Paris (2008)
Woods, D., Cook, R.: Incidents – Markers of Resilience or Brittleness. In: Hollnagel, E., et al. (eds.) Resilience Engineering. Ashgate (2006)
Sundstrøm, G.: Learning How to Create Resilience in Business Systems. In: Hollnagel, E., et al. (eds.) Resilience Engineering. Ashgate (2006)
Hale, A.: Defining resilience. In: Hollnagel, E., et al. (eds.) Resilience Engineering. Ashgate (2006)
Westrum, R.: A Typology of Resilience Situations. In: Hollnagel, E., et al. (eds.) Resilience Engineering. Ashgate (2006)
Rasmussen, J.: Risk Management in a Dynamic Society. Safety Science 27, 183–213 (1997)
Fleming, M., Flin, R., Mearns, K., Gordon, R.: Offshore workers perceptions of risk: Comparisons with quantitative data. Risk Analysis 18(1), 103–110 (1998)
Tripod, Ref Tripod Beta Foundation (2006). Incident Analysis Primer (2010), Source: www.tripodsolutions.net (retrieved at January 15, 2010)
Van Eynde, D., Bledsoe, J.: The changing practice of organizational development. Leadership and Organizational Development Journal 11(2), 25–30 (1999)
Davison, R., Martinsons, M., Kock, N.: Principles of canonical action research. Information Systems Journal 14(1), 65–86 (2004)
Smith, S., Jamieson, R., Winchester, D.: An action research program to improve information systems security compliance across government agencies. In: Proceedings of the Fortieth Annual Hawaii International Conference on System Sciences, p. 99 (2007)
Armstrong, H.: Managing information security in healthcare - An action research experience. In: Qing, S., Elo, J. (eds.) Information Security for Global Information Infrastructures, pp. 19–28. Kluwer, Boston (2000)
Alteren, B., Sveen, J., Guttormsen, G., Madsen, B.E., Klev, R., Helgesen.: Smarter together in offshore drilling - A successful action research project? In: Proceedings of the Seventh International Conference on Probabilistic Safety Assessment and Management, pp. 1302–1308 (2004)
Greenwood, D., Levin, M.: Introduction to Action Research: Social Research for Social Change. Sage Publications, Thousand Oaks (2007)
Antonsen, S., Ramstad, L., Kongsvik, T.: Unlocking the organization: Action research as a means of improving organizational safety. Safety Science Monitor 11(1) (2007)
Richter, A.: New ways of managing prevention: A cultural and participative approach. Safety Science Monitor 7(1) (2003)
Mayo, E.: The Human Problems of an Industrial Civilization. Macmillan, New York (1933)
HSE, Developing process safety indicators (2006), www.hse.gov.uk/pubns/books/hsg254.html (retrieved at January 01, 2010), ISBN 0 7176 6180 6
ENISA, Measuring information security awareness - current practices (2008), http://enisa.europa.eu/doc/pdf/deliverables/enisa_measuring_awareness.pdf (retrieved at January 01, 2010 )
SANS, The 2009 Top Cyber Risks Report (2009), http://www.sans.org/top-cyber-security-risks/
RiskMap (2008), www.thei3p.org/docs/research/riskmap200904.pdf (retrieved at January 01, 2010)
Johnsen, S.O., Bjørkli, C., Steiro, T., Fartum, H., Haukenes, H., Ramberg, J., Skriver, J.: CRIOP – A scenario method for Crisis Intervention and Operability analysis. SINTEF (2011), www.criop.sintef.no (retrieved at December 05, 2011)
Aas, A.L., Johnsen, S.O., Skramstad, T.: CRIOP: A Human Factors Verification and Validation Methodology that Works in an Industrial Setting. In: Buth, B., Rabe, G., Seyfarth, T. (eds.) SAFECOMP 2009. LNCS, vol. 5775, pp. 243–256. Springer, Heidelberg (2009)
ACSN, Third report of the Advisory Committee on the Safety of Nuclear Installations - Organizing for Safety - Health and Safety Commission (1993) ISBN 0-11-882104-0
Itoh, Andersen, Seki: Track maintenance train operators’ attitudes to job, organisation and management and their correlation with accident/incident rate. Cognition, Technology and Work 6(2), 63–78 (2004)
Schein, E.H.: Organisational Culture and Leadership. Jossey-Bass (1992)
Johnsen, S.O., Hansen, C.W., Line, M.B., Nordby, Y., Rich, E., Qian, Y.: CheckIT – A program to measure and improve information security and safety culture. International Journal of Performability Engineering 3(1 Part II), 174–186 (2007)
Westrum, R.J.: Cultures with Requisite Imagination. In: Wise, Stager, Hopkin (eds.) Verification and Validation of Complex Systems: Human Factors Issues. Springer, Heidelberg (1993)
Kotter, J.P.: Leading Change. Harvard Business School Press (1996)
Flin, R.: Erosion of Managerial Resilience: From Vasa to NASA. In: Hollnagel, E., et al. (eds.) Resilience Engineering. Ashgate (2006)
Hendrick, K., Brenner, L.: Investigating Accidents with STEP. Marcel Dekker, New York (1986)
Henderson, J., Wright, K., Brazier, A.: Human factors aspect of remote operation in process plants. Prepared by Human Reliability Associates for the Health and Safety Executive (2002), http://www.hse.gov.uk/research/crr_pdf/2002/crr02432.pdf (retrieved at March 01, 2008)
IEC 60812, Analysis techniques for system reliability – Procedure for failure mode and effects analysis (FMEA) (2006)
IEC 61025, Fault Three Analysis, IEC (1990)
IsaSecure - International Society for Automation, ISA Security Compliance Institute, Research Triangle Park, North Carolina (2010), www.isasecure.org/ (retrieved at February 01, 2010)
Redmill, F., Chudleigh, M., Catmur, J.: System Safety: HAZOP and Software HAZOP. Wiley (1999)
Salas, E., Goodwin, G.F., Burke, C.S.: Team Effectiveness in Complex Organizations: Cross-Disciplinary Perspectives and Approaches. Routledge (2009) ISBN-13: 978-0805858815
Taleb, N.: The Black Swan: The Impact of the Highly Improbable. Random House, New York (2007)
Westrum, R.J.: Removing latent pathogens. Presented at the Sixth International Australian Aviation Psychology Conference (2003)
Utne, I.B., Hokstad, P., Vatn, J.: A structured approach to modelling interdependencies in risk analysis of critical infrastructures. In: ESREL 2009, Prague - Czech Republic, September 7-10 (2009)
Nystuen, K.O., Hagen, J.M.: Critical Information Infrastructure Protection in Norway. In: The Critical Infrastructure Protection (CIP) Workshop (2003)
Keizer, G.: Stuxnet researchers cautious about Iran’s admission of centrifuge issues. Computerworld (November 30, 2010)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Johnsen, S.O., Aas, A., Qian, Y. (2012). Sector-Specific Information Infrastructure Issues in the Oil, Gas, and Petrochemical Sector. In: Lopez, J., Setola, R., Wolthusen, S.D. (eds) Critical Infrastructure Protection. Lecture Notes in Computer Science, vol 7130. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28920-0_11
Download citation
DOI: https://doi.org/10.1007/978-3-642-28920-0_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-28919-4
Online ISBN: 978-3-642-28920-0
eBook Packages: Computer ScienceComputer Science (R0)