Three current and highly interrelated trends in supervisory control and data acquisition (SCADA) systems present skill-set challenges to system administrators and managers. The first is a higher focus on security. The second is a move toward enterprise-wide SCADA platforms. And the third is an increased requirement for web access to the system’s end users. Finding the skills to meet these challenges will be the top priority for many executives and managers in 2011.

The conventional industry view of SCADA is that it is a software product built for a specific purpose. Most SCADA systems have been installed and hosted in the field they were monitoring and serve only that field. Those who continue to view and use SCADA in this way can expect some improvements in operational efficiency.

However, a greater advantage is found when operations and processes can be standardized across a region, country or continent. This requires installing SCADA at the enterprise level as a centrally hosted software system.

For a midstream oil and gas operator, using SCADA at the enterprise level provides several key benefits. Standardizing screen designs across locations helps reduce the training required for employees moving to new regions, and eases expansion of the SCADA system to new facilities. Standardizing data tagging across countries, regions or continents improves data accuracy and allows better data-path continuity as information travels from the wellhead to the executive office. Also, companies with enterprise-level systems can leverage larger economies of scale when purchasing software licenses and better standardize hardware tied to the SCADA system.

The security of data collected by midstream filed devices is a top concern for operators.

Inherent risks

However, these benefits don’t come without risks. A centrally hosted system presents several challenges, particularly in ensuring that the system is properly networked and can communicate with all of the desired end devices across disparate field locations. Drawing the line between functions that need to be monitored and controlled locally, such as alarm call-outs and operator notifications, and those that can be monitored at the home office, can also be difficult and must be carefully accounted for in the system planning and design stages. Attention must be paid to system architecture and network designs. This requires that system designers be part of the SCADA implementation team.

The move toward centrally hosted systems has also changed the role of the control room. End users in the field still need full access to alarm and operating data, as well as the ability to control devices attached to the system. In a growing number of instances, this means that the control room has moved away from being a physical location in the field and now goes virtual, with users accessing the SCADA system via laptops and smart phones. Web server add-on modules offered as an extra option in previous generations of SCADA software are now a critical component. This also forces the implementation team to make remote access a key part of the human-machine interface (HMI) design and changes how its operators are trained and how alarm notification is managed.

This SCADA evolution stands to be tremendously beneficial to the entire midstream oil and gas industry. Enterprise-level systems can help operators reduce downtime while also increasing production and revenue. However, these changes make data and control security a concern that cannot be overlooked.

Stuxnet virus

In June 2010, the Stuxnet computer virus made headlines around the world amidst reports that it had attacked nuclear facilities in Iran. Stuxnet is the first system-specific computer worm created to spy on and reprogram industrial systems. It is also the first worm to include a programmable logic controller (PLC) rootkit, giving it the unique capability to reprogram PLCs and immediately hide its changes.

The virus was transported over commonly used universal serial bus (USB) flash drives, and, once uploaded, had the capability to infect other computers in the network. News reports say the worm may have damaged Iran's nuclear facilities in Natanz and delayed the start-up of Iran's Bushehr nuclear power plant. Stuxnet accomplished this by taking over centrifuges that are used to purify the nuclear fuel and overworking them until they blew into pieces. It then hid its path by resetting the controls for the centrifuges.

The complexity of the Stuxnet software is what makes it unusual. The type of attack reported in Iran would require extensive knowledge of industrial processes and a decisive interest in targeting them. Further, its irregular programming language and large size suggest that a team of people and a significant amount of time would have been required to create and launch the virus.

The Stuxnet virus underscores a broader issue confronting midstream oil and gas operators today. SCADA systems provide access to data. The security of that data has been a concern for some time. However, concern for system control has not been widespread because most operators have installed SCADA systems with a heavy focus on data acquisition.

As systems have evolved, SCADA system designers are realizing the value of the control component, making concern for the security over control more pronounced. The Stuxnet worm infected PLC devices that caused over-speed of the centrifuges. It is foreseeable that compressor controls, system controls and remotely actuated (and automated) valve actions are at risk.

Regardless of the tactic taken, security should and will be taken more seriously, given the threat of a Stuxnet-like virus and the new role of SCADA in many midstream organizations.

Security challenge

Many operators use off-the-shelf equipment, software and protocols in their SCADA systems. These standard pieces are then integrated and configured in different ways for a variety of applications, but they introduce a challenge. The off-the-shelf approach can make it easier for malware programs, like Stuxnet, to bring down vulnerable systems, thus risking operational shutdowns and potentially having greater environmental and safety repercussions.

Based on the example seen in Iran, if a virus similar to Stuxnet were to infect a midstream operator’s SCADA system, it could over-pressurize lines or exceed limits on tanks, resulting in flooded fields, ruptured pipelines or the shutdown of an entire field.

However, Stuxnet should not deter the oil and gas industry from incorporating technology and automation that can help improve efficiency and positively impact the bottom line. What the Stuxnet example should do is emphasize the importance of carefully approaching the setup or upgrade and integration of a SCADA system. Management must pay attention to more than just the security of SCADA software. The entire system, including the communications network and enterprise-reporting structure, must be taken into account.

Virus prevention

Several approaches are being developed to combat and prevent viruses across a number of public and private organizations. Most providers recommend an evaluation of current control-system security levels to determine a starting point and to prioritize prevention measures. Most also recommend a multipronged prevention approach that includes companywide procedures and training, access-control measures, system hardening and physical-security methods, among other strategies.

Specifically, several strategies and tactics should be widely discussed and tested in the coming months. Some companies may consider a change in operating systems. Windows’ popularity makes it a target, while Linux and open-source operating systems could arguably be less susceptible. However, most current SCADA software versions are built around Windows, and a change in the operating system is not really an option.

Limiting or eliminating USB use in control systems is a possible tactic. Previously, security concern was largely focused on Internet access and firewall set up, and USB ports proved to be an open back door for virus attacks. Yet, USB use is widespread, so eliminating it could hinder the abilities of people using the system to do their jobs.
A more extreme measure is to attempt to hermetically seal all systems. While this may help prevent attacks, it will seriously hinder the functionality and utility of the system, potentially negating some of the benefits mentioned earlier. Also, it might not be practical with wide-area architecture network designs.

Regardless of the tactic taken, security should and will be taken more seriously, given the threat of a Stuxnet-like virus and the new role of SCADA in many midstream organizations. Although many employees are not aware of the security level of an individual computer, laptop or smartphone they are using, they will become the first line of defense to monitor for infection.

Going forward, midstream companies will continue to focus on the bottom line—increasing efficiency, reducing downtime and increasing productivity and profit. Security now stands to be a more critical element in achieving those goals. Previously, system security was a subset of the job titles on an average SCADA team roster. Now, it becomes a key role in any SCADA team and requires highly trained technical skills. Finding those skills should be the No. 1 priority for any executive with SCADA responsibilities. n

Jim Fererro is co-founder and vice president of Houston-based GlobaLogix. He has 30 years of experience in natural gas production and gas compression, including leading teams installing remote-monitoring operations for compression assets to improve field operations.