Microsoft performs security balancing act with oil and gas industry IT architecture initiative

In an interview with Infosecurity, Van Dyke said that integrating such a vast international network of companies and facilities poses a number of challenges, not the least of which is security.

“It’s a double-edge sword. You’ve got to provide security across different countries, but from a user perspective we are advocating more transparency so that users don’t have to get bogged down by regulations in different countries,” Van Dyke said.

The Microsoft Upstream Reference Architecture (MURA) initiative is intended to define and expand a common reference architecture for the oil and gas exploration and production industry, known as the upstream industry. The volume of data produced by the industry has prompted many within it to seek integration solutions.

According to a recent industry survey by Microsoft and Accenture, 44% of respondents said that the volume of data had a negative effect on their productivity. The most pressing challenges were: difficult and time-consuming search for diverse systems to find information; data appearing in unstructured forms not easily captured or archived; data stuck in repositories not easily shared across sectors; and too much redundant and unnecessary data.

Respondents said that more extensive upstream IT standards (57%), a service-oriented architecture approach (57%), cloud computing (30%), and social media (30%) hold the most value for providing enhanced integration. Yet, company adoption of these technologies lags behind worker interest. Fewer than one-quarter of professionals polled said their company has fully implemented these tools.

To address industry needs, Microsoft launched the MURA initiative, which now has 21 partners, including EMC, Infosys Technologies, NetApp, and Accenture.

One of the security focus areas for MURA is identity management and security. This includes support for general security capabilities and for managing identification, authentication, and entitlements for employees and automated processes.

Van Dyke explained that one of their oil and gas operator customers, which has around 50 000 employees, performed a security audit and found that it was responsible for 150 000 ID log-ins, which included employees from the operator’s partners.

“We are looking at alternative architecture solutions so they don’t have to provide those separate IDs; one solution is federated security. If I’m a drilling company, rather having to get IDs for all my employees from the operator, I can ‘federate’ my drilling company with the operator so that when engineers need to get data, they can use their own company’s ID to get access to the operator’s information...the cloud is a great place to do this federated authentication.”

Another security focus area for MURA is the supervisory control and data acquisition (SCADA) systems. These provide automated controls of industrial processes, such as monitoring oil flow through a pipeline.

“Within the upstream oil and gas industry, there is a lot of security architecture that comes into play because you have multiple networks within a particular company. At the base level, there is the SCADA network. On that SCADA network is all of the equipment and the real-time data generated by the equipment, how the pumps are working. That network from an architecture point of view has to be kept within a secure architecture away from the normal company network,” Van Dyke said.

Maintaining top-level security of the SCADA networks is a top priority for the oil and gas industry, as well as the Department of Homeland Security and Department of Energy. If hackers are able to access the SCADA network, they could disrupt the flow of oil and gas and cause major economic disruption in the US. Some of these issues are explored in the departments’ Roadmap to Secure Control Systems in the Energy Sector.

“The ability of these cyber systems to provide automated control over a large, dispersed network of assets and components has helped to create the highly reliable and flexible energy infrastructure we have today. However, this span of control requires control systems to communicate with thousands of nodes and numerous information systems – thus exposing energy systems and other dependent infrastructures to potential harm from malevolent cyber attack or accidents”, the roadmap warned.

The energy industry set a goal of securing all of its industrial control systems from cyber assault, with no loss of critical function, by 2016 – an ambitious goal indeed.

What’s hot on Infosecurity Magazine?