Significance and Challenges of Physical Security in Oil & Gas

Objective The objective of this paper is to provide a general understanding and awareness of the physical security requirement in Oil & Gas Industry, explore various Physical security solutions and how the same is different from Network Security and highlight its importance followed by explaining how same can be achieved in industrial environment by implementing different layers of security measures.

Cyber Physical Systems Security for Maritime Assets

The integration of IT, OT, and human factor elements in maritime assets is critical for their efficient and safe operation and performance. This integration defines cyber physical systems and involves a number of IT and OT components, systems, and functions that involve multiple and diverse communication paths that are technologically and operationally evolving along with credible cyber security threats. These cyber security threats and risks as well as a number of known security breach scenarios are described in this paper to highlight the evolution of cyber physical systems in the maritime domain and their emerging cyber vulnerabilities. Current industry and governmental standards and directives related to cyber security in the maritime domain attempt to enforce the regulatory compliance and reinforce asset cyber security integrity for optimum and safe performance with limited focus, however, in the existing OT infrastructure and systems. The use of outside-of-the-maritime industry security risk assessment tools and processes, such the API STD 780 Security Risk Assessment (SRA) and the Bow Tie Analysis methodologies, can assist the asset owner to assess its IT and OT infrastructure for cyber and physical security vulnerabilities and allocate proper mitigation measures assuming their similarities to ICS infrastructure. The application of cyber security controls deriving from the adaptation of the NIST CSF and the MITRE ATT&CK Threat Model can further increase the cyber security integrity of maritime assets, assuming they are periodically evaluated for their effectiveness and applicability. Finally, the improvement in communication among stakeholders, the increase in operational and technical cyber and physical security resiliency, and the increase in operational cyber security awareness would be further increased for maritime assets by the convergence of the distinct physical and cyber security functions as well as onshore- and offshore-based cyber infrastructure of maritime companies and asset owners.

Representing Uncertainty in Physical Security Risk Assessment

The importance of (physical) security is increasingly acknowledged by society and the scientific community. In light of increasing terrorist threat levels, numerous security assessments of critical infrastructures are conducted in practice and researchers propose new approaches continuously. While practical security risk assessments (SRA) use mostly qualitative methods, most of the lately proposed approaches are based on quantitative metrics. Due to little evidence of actual attacks, both qualitative and quantitative approaches suffer from the fundamental problem of inherent uncertainties regarding threats and capabilities of security measures as a result from vague data or the usage of expert knowledge. In quantitative analysis, such uncertainties may be represented by, e.g., probability distributions to reflect the knowledge on security measure performance available. This paper focuses on the impact of these uncertainties in security assessment and their consideration in system design. We show this influence by comparing the results of a scalar evaluation that does not take into account uncertainties and another evaluation based on distributed input values. In addition, we show that the influence is concentrated on certain barriers of the security system. Specifically, we discuss the robustness of the system by conducting quantitative vulnerability assessment as part of the SRA process of an airport structure example. Based on these results, we propose the concept of a security margin. This concept accounts for the uncertain knowledge of the input parameters in the design of the security system and minimizes the influence of these uncertainties on the actual system performance. We show how this approach can be used for vulnerability assessment by applying it to the initially assessed configuration of the airport structure. The results of this case study support our assumptions that the security margin can help in targeted uncertainty consideration leading to reduced system vulnerability.