Sector-Specific Information Infrastructure Issues in the Oil, Gas, and Petrochemical Sector

In this chapter we have discussed vulnerabilities and mitigating actions to improve safety, security and continuity of the information and process infrastructure used in the oil, gas and petrochemical sector. An accident in the oil and gas industry can become a major disaster, and the suggested steps should help mitigate some of these hazards. This chapter consist of four parts, described in the following: 1. Background and Introduction --- the Oil, Gas and Petrochemical Sector 2. Accidents, Threats and Resilience in the Oil, Gas and Petrochemical Sector 3. Risk Mitigation and Improvement of Resilience in the Sector 4. Conclusion and Suggestions for Further Exploration and Research The introduction describes the general challenges to explore oil and gas reserves in difficult areas. The regulation philosophy and regulation strategy of the oil and gas sector is discussed. A description of process control systems (i.e. supervisory control and data acquisition - SCADA systems) and information and communication technology (ICT) is given. Challenges posed by integration of SCADA and ICT systems are discussed. Challenges raised by new technology used in the oilfields of the future are mentioned. In the next section we are giving a theoretical description of how accidents are analysed and structured. Then we have described major accidents in the oil and gas sector. Next we have described specific vulnerabilities of integration of ICT and SCADA systems, based on an empirical survey. This is followed by a discussion of technical risks related to integration of ICT and SCADA systems. In the third section we have described how the challenges and risks identified can be mitigated through rule compliance and risk management. We are suggesting a set of "best practices" to mitigate the risks, explored with success in Norway. Our perspective has been to include technology, organization and human factors in risk management. Due to the increased complexity and uncertainty in the sector we have suggested an improved risk assessment including resilience as a strategy. To expand the field of learning we are suggesting exploring successful recoveries in addition to accidents and incidents. Action research has been suggested as a method to improve safety based on a participatory and reflective discourse during risk assessment. In the last section we have listed our conclusion and are suggesting areas of further exploration and research. The main conclusion is to design for resilience and safety and to establish common risk perceptions through scenario analysis.

[1]  Thomas C. Reed At the Abyss: An Insider's History of the Cold War , 2004 .

[2]  Erik Hollnagel,et al.  Barriers And Accident Prevention , 2004 .

[3]  Eduardo Salas,et al.  Team Effectiveness in Complex Organizations: Cross-Disciplinary Perspectives and Approaches , 2008 .

[4]  Rhona Flin,et al.  Managerial Resilience and Safety: VASA to NASA , 2006 .

[5]  Janne Merete Hagen,et al.  Critical Information Infrastructure Protection in Norway , 2003, GI Jahrestagung.

[6]  Nassim Nicholas Taleb,et al.  The Black Swan: The Impact of the Highly Improbable , 2007 .

[7]  Anne Richter,et al.  New Ways of Managing Prevention - A cultural and participative approach , 2003 .

[8]  Stephen A. Holditch,et al.  Factors That Will Influence Oil and Gas Supply and Demand in the 21st Century , 2008 .

[9]  Andrew Hopkins,et al.  Lessons from Longford: The ESSO Gas Plant Explosion , 2000 .

[10]  Stig Ole Johnsen,et al.  CRIOP: A Human Factors Verification and Validation Methodology That Works in an Industrial Setting , 2009, SAFECOMP.

[11]  D. Greenwood,et al.  Introduction to Action Research: Social Research for Social Change , 1998 .

[12]  David Clark,et al.  Safety and Security Analysis of Object-Oriented Models , 2002, SAFECOMP.

[13]  Martin Gilje Jaatun,et al.  Managing Emerging Information Security Risks during Transitions to Integrated Operations , 2010, 2010 43rd Hawaii International Conference on System Sciences.

[14]  Steven Yule,et al.  Safety culture and safety climate: A review of the literature , 2008 .

[15]  J. Noyes,et al.  Alarm systems: a guide to design, management and procurement , 1999 .

[16]  D. Greenwood,et al.  Introduction to Action Research , 2007 .

[17]  V. David Hopkin,et al.  Verification and Validation of Complex Systems: Human Factors Issues , 1993 .

[18]  Norman J. Hyne,et al.  Nontechnical Guide to Petroleum Geology, Exploration, Drilling & Production , 1995 .

[19]  E. Mayo The Human Problems of an Industrial Civilization , 1934, Nature.

[20]  K. Roberts Some Characteristics of One Type of High Reliability Organization , 1990 .

[21]  E. Schein Organizational Culture and Leadership , 1991 .

[22]  日本規格協会 情報技術-セキュリティ技術-情報セキュリティマネジメントシステム-要求事項 : 国際規格ISO/IEC 27001 = Information technology-Security techniques-Information security management systems-Requirements : ISO/IEC 27001 , 2005 .

[23]  Stig Ole Johnsen,et al.  Reducing Risk in Oil and Gas Production Operations , 2007, Critical Infrastructure Protection.

[24]  M. B. Line,et al.  CHECKIT – A Program to Measure and Improve Information Security and Safety Culture , 2007 .

[25]  Sujeet Shenoi,et al.  Critical Infrastructure Protection IV - Fourth Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2010, Washington, DC, USA, March 15-17, 2010, Revised Selected Papers , 2010, Critical Infrastructure Protection.

[26]  Stig Ole Johnsen,et al.  Experiences with human factors in Norwegian petroleum control centre design and suggestions to handle an increasingly complex future , 2009 .

[27]  Per Hokstad,et al.  A structured approach to modeling interdependencies in risk analysis of critical infrastructures , 2009 .

[28]  Bodil Alteren,et al.  “Smarter Together” in Offshore Drilling -a Successful Action Research Project? , 2004 .

[29]  Stig Ole Johnsen,et al.  Enhancing the Safety, Security and Resilience of ICT and Scada Systems Using Action Research , 2009, Critical Infrastructure Protection.

[30]  Felix Redmill,et al.  System Safety: HAZOP and Software HAZOP , 1999 .

[31]  R. Bell,et al.  IEC 61508: functional safety of electrical/electronic/ programme electronic safety-related systems: overview , 1999 .

[32]  R. Westrum Cultures with Requisite Imagination , 1993 .

[33]  T. Laporte,et al.  Working in Practice But Not in Theory: Theoretical Challenges of “High-Reliability Organizations” , 1991 .

[34]  Kingsley Hendrick,et al.  Investigating Accidents with Step , 1986 .

[35]  Helen L. Armstrong Managing Information Security in Healthcare - an Action Research Experience , 2000, SEC.

[36]  James T. Reason,et al.  Managing the risks of organizational accidents , 1997 .

[37]  Karlene H. Roberts,et al.  New challenges in organizational research: high reliability organizations , 1989 .

[38]  Sujeet Shenoi,et al.  Critical Infrastructure Protection III , 2009 .

[39]  Rodger Jamieson,et al.  An Action Research Program to Improve Information Systems Security Compliance across Government Agencies , 2007, 2007 40th Annual Hawaii International Conference on System Sciences (HICSS'07).

[40]  C R Howard Launch of Eemua Publication 191 “Alarm Systems” Second Edition , 2007 .

[41]  Sihan Qing,et al.  Information Security for Global Information Infrastructures , 2000, IFIP — The International Federation for Information Processing.

[42]  Robert M. Davison,et al.  Principles of canonical action research , 2004, Inf. Syst. J..

[43]  Nancy G. Leveson,et al.  Safeware: System Safety and Computers , 1995 .

[44]  Patrick T. W. Hudson,et al.  Hearts and Minds: The Status After 15 Years Research , 2002 .

[45]  E. Okstad,et al.  Proactive indicators of risk in remote operations of oil and gas fields , 2010 .

[46]  M Fleming,et al.  Risk Perceptions of Offshore Workers on UK Oil and Gas Platforms , 1998, Risk analysis : an official publication of the Society for Risk Analysis.

[47]  D. L. Simms,et al.  Normal Accidents: Living with High-Risk Technologies , 1986 .

[48]  L.W.D. Cullen,et al.  The public inquiry into the Piper Alpha disaster , 1993 .

[49]  日本規格協会 情報技術 : 情報セキュリティ管理実施基準 : 国際規格 : ISO/IEC 17799 = Information technology : code of practice for infromation security management : international standard : ISO/IEC 17799 , 2000 .

[50]  Carl Rollenhagen,et al.  Development of a systemic MTO perspective on dam safety management , 2007 .

[51]  Donald F. Van Eynde,et al.  The Changing Practice of Organisation Development , 1990 .

[52]  Timothy Grance,et al.  Guide to Supervisory Control and Data Acquisition (SCADA) and Other Industrial Control System Security , 2006 .

[53]  Stian Antonsen,et al.  UNLOCKING THE ORGANIZATION: ACTION RESEARCH AS A MEANS OF IMPROVING ORGANIZATIONAL SAFETY 1 , 2007 .

[54]  Jens Rasmussen,et al.  Risk management in a dynamic society: a modelling problem , 1997 .

[55]  Erik Hollnagel,et al.  Learning How To Create Resilience In Business Systems , 2006 .

[56]  Kenji Itoh,et al.  Track maintenance train operators’ attitudes to job, organisation and management, and their correlation with accident/incident rate , 2004, Cognition, Technology & Work.

[57]  Stig Ole Johnsen,et al.  Resilience in Risk Analysis and Risk Assessment , 2010, Critical Infrastructure Protection.

[58]  Stig Ole Johnsen,et al.  Proactive indicators to improve HSE based on empirical evaluation of accident investigation reports , 2010 .