A refinery (refinery)
PROJECT BACKGROUND AND TOPIC
The customer is a representative company in the petroleum industry. To secure the process control system of the large refinery owned by the province, the need for consulting based on objective, international-level standards was raised.
Because a process control system has different components from a general enterprise information system, standards established at the international level were adopted. These are defined in NIST SP800-82 from the National Institute of Standards and Technology (US Department of Commerce). We tailored the standard's recommendations and applied them as information security categories across 20 domains.
Three months in 2013
IT AND INFORMATION SECURITY ENVIRONMENT
Business and IT environment
The customer's main business areas are oil refining and petrochemical production, and it is a leading company producing products such as volatiles, light oil, kerosene, heavy oil, lubricating oil, aromatic products and PP.
The process control system for the customer's refinery process consists of DCS, PLC, process SCADA, VMS, etc., together with IT infrastructure such as networks, servers, and security systems.
Information protection environment
Because of SCADA hacking incidents in the US, Iran, and elsewhere, there is an organizational structure dedicated to information security. Efforts have been made toward smooth communication so that information security issues and improvement plans are shared between headquarters and the factories. However, points and expertise were limited.
MAIN ACTIVITY AND OUTPUT
| Steps to Perform | Main activity | Output |
|---|---|---|
| Maintenance of security diagnosis criteria | Development of security diagnosis criteria based on SP800-53 in conjunction with NIST SP800-82; improvement of security diagnosis and evaluation standards considering factory environment and conditions | Project performance plan; process control system security level analysis standard |
| Understand the status of information protection at headquarters and factories | Status analysis through document review, field inspection, and verification for each domain; evaluation and analysis of each domain level based on the status analysis results | Information security level status analysis report (by 20 domains) |
| Establishment of improvement project and implementation plan | Analysis of the cause of the problems found in the security diagnosis; establishment of improvement plans and implementation plans for the next two years; establishment of roadmap for improvement projects | Improvement task implementation plan |
* Example of output: Process control security diagnosis item, process control system security diagnosis
- Understanding the configuration and protocol of various process control systems
- Establishment of improvement plan considering the environment of the factory site
- Establish consensus on the need for information security between headquarters and factories
- Secure financial resources for improving information security, share roles and responsibilities, and secure cooperation system
- Obtain support system for information security implementation plan and monitor continuously