IPA18-332-E
PROCEEDINGS, INDONESIAN PETROLEUM ASSOCIATION
Forty-Second Annual Convention & Exhibition, May 2018
MANAGING CYBERSECURITY RISK IN PROCESS CONTROL SYSTEMS
Herlia M Fajarsari*
ABSTRACT
Cybersecurity issues are nowadays very prone to
occur as industrial process control systems are no
longer air gapped from company business networks
and are usually connected to external parties for data
gathering and remote monitoring. There are
requirements such as government regulations,
business efficiency drive for real-time monitoring,
and also remote vendor support needs for
maintaining system performance. Also, by moving
forward technology where the process control system
backbone adopted is a TCP/IP and Windows based
system for Programmable Logic Controller (PLC),
the requirement to have updated security patches and
anti-malware is mandatory to prevent system
security and reliability issues.
To ensure the process control system is well-
protected from cybersecurity risk, the company has
to manage the risk by having sets of protection that
involve robust risk assessments which result in
preventive and corrective actions to be implemented.
Keyword: Process Control System Automation,
Industrial Control Requirement
INTRODUCTION
Overview
Oil and Gas Companies in Indonesia operate under
Production Sharing Contracts (PSC). In order to
operate in the country, they have to comply with
government regulations. The government just
recently issue a new regulation Peraturan Menteri
Energi dan Sumber Daya Mineral Republik
Indonesia Nomor 39 tahun 2016 tentang Sistem
Monitoring Produksi Minyak Bumi Berbasis Online
Real Time Pada Fasilitas Produksi Kegiatan Usaha
Hulu Minyak dan Gas Bumi. This regulation (clause
2 section 1) “requires the Operator to build an oil
production monitoring system through provision and
installation of flow meters and supporting facilities
in every working area”. Section 2 states “the
monitoring system that is referred to section 1 shall
* ExxonMobil Cepu Ltd.
comply with appropriate technical method, process
data, procedure, and recommended standard and
online real time based”. In Section 2 it is mentioned
specifically to have an online real-time based
monitoring.
This government regulation is also in synch with
business requirements for online monitoring. Online
monitoring (e.g. Plant Information system (PI)) is
required by the surveillance engineer to have a
helicopter view of the plant performance, and
identify how and where to improve operation by
gathering information from the plant. Usually plant
data is scattered among different incompatible
systems, formats, and processes. A PI system is able
to collect, analyze, visualize and share large amount
of high-fidelity, time-series data from multiple
sources to the engineer and system across all
operations. This system will collect data from
process control systems, analyze it by comparing
historical versus real-time information, and then
visualize the data. The engineer will then be able to
access data from corporate computers by accessing a
website.
The advancement of process control system
hardware and software from traditional IT
technology to TCP/IP & Windows based platform
also resulted in new requirements for many oil and
Gas Companies to perform system updates. System
update is also driven by the life cycle of each product
from manufacturer and also improvements that have
been done by manufacturer to make their system
more reliable and secure. Nowadays, Distribution
Control Systems (DCS) and Programmable Logic
Controllers (PLC) are built on the Windows
platform, so windows operating system security
patches and malware protection and software /
hardware update are mandatory.
Hence, with the above requirements in mind, remote
connection will be the solution to have real-time
monitoring system and removable media to update
software patches. On the other hand, removable
media and remote monitoring are a gateway for
cybersecurity attack.

A cybersecurity incident is an accidental or
malicious event which impacts network, systems, or
applications and results in an operational incident or
near miss. In summary, process control system
cybersecurity attacks source can be seen in Figure 1
below.
Cybersecurity in Process Control System
Rapid change of technology in process control,
government regulation, and business requirements
have resulted in process control systems being
connected to corporate business networks and even
to internet cloud. Internet is an open access for
everyone to obtain information, any network
connection to Internet can be vulnerable for
cybersecurity attacks.
Cited from Internet Security Threat Report (ISTR
Government) June 2017 Volume 22, issued by
Symantec Page 18, 19, and 20. In 2016, they found
zero-day vulnerabilities (vulnerabilities not
discovered by software’s vendor), the report shows
zero - day vulnerabilities declined marginally from
4,066 in 2015 to 3,986 in 2016 as describe in Figure
2 below.
This report also notes that it is becoming harder to
find attackers, so software vendors focus on
developing their product, for example, in October
Adobe issued a patch for Flash Player, in August
three vulnerabilities in Apple iOS (collectively
known as Trident), and in May Microsoft patched an
Internet explorer zero-day (which was exploited in
targeted attacks in South Korea).
Vulnerabilities have been disclosed in Industrial
Control Systems. The number of Industrial Control
System (ICS) vulnerabilities discovered fell
compared to 2015, see Figure 3 below, this is further
evidence to suggest that attackers are becoming more
devious and harder to find.
Industrial control was attacked by malware a few
years ago. Resumed from Internet Security Threat
Report (ISTR Government) June 2017 Volume 22,
issued by Symantec Page 18, 19, and 20. In 2016, the
sabotage attacks were come back. It was started with
a number of attacks against the Ukraine involving the
use of disk-wiping malware. Trojan.Disakil hit
media organizations and the energy sector in the
Ukraine which resulted in power outages in the
country. Disakil also attacked Ukraine’s financial
sector in the late 2016. Another example is Shamoon
(W32.Disttrack) disk-wiping malware that attacked
Saudi Aramco in 2012. In 2012, it infected
computers had their master boot records wiped. It
returned with a new variant W32.Disttrack.B
attacking targets in Saudi Arabia in November 2016
and January 2017, where the attackers targeted a
range of organizations in the Middle East including
companies in the aviation, energy, government,
investment, and education sectors. It infected at least
one administrator computer belonging to an
organization that was subsequently hit by Shamoon.
Specific to process control systems, summarized
from www.fireeye.com in December 2017,
TRITON malware was programmed for a number
of functions including but not limited to read/write
programs, read/write SIS controllers functions,
and to query the current state of the SIS controller.
It was discovered and investigated, and was
subsequently identified the attacker obtained
remote access through a SIS engineering
workstation. Once the engineering workstation
was compromised, the TRITON malware
framework was deployed with the intention of
reprogramming SIS Controllers. SIS controllers
initiated shutdown during the re-programming due
to application code failing a validation check
between redundant processing units during the
attack. The malware attempted to return the
controller to a running state, and after a period of
time overwrote the malicious program as an
obfuscation technique to hamper investigation.
In general, there are three types of attacks, such as
denial of service, malicious software, and
unauthorized access. When process control
systems are being attacked, there are some
symptoms in the system that can be detected such
as process control performance suddenly slows
down, the operator finds that operating values
change unexpectedly, monitoring from the system
slows down significantly, or sometimes there is a
strange message or dialog pops up in the system
monitoring.
After symptoms occur typically it will be followed
by a system reaction such as operator loss of
process monitoring, some package in the plant
suddenly shuts down, or operator loss of critical
process control and view. In the worst case, the
plant loses its protection system that can lead to
process upset and cause safety health and
environment issues such as high flaring,
condensate burned, release of toxic gas to the air,
or even fatality.
All the events caused by cyber security attacks
may cause a loss of production, which may affect
the company’s crude oil or gas production

commitment to the government. This would surely
also impact the company’s profit and revenue.
Worse, the attacks may result in process safety
incidents, impacting the Safety, Health, and
Environment performance and subsequently
threaten company’s reputation and credibility.
PROCESS CONTROL SYSTEM DESIGN
Oil Companies have to meet their production target
every day. Some oil companies may produce or
process up to hundreds of thousands or even millions
of barrels of oil through a large capacity production
plant. These plants would usually have highly
advanced network-connected Distributed Control
System (DCS) which is integrated with the Safety
Instrumentation System (SIS) and even the Fire &
Gas System (FGS) to run process control and
protection of the plant.
The plant usually consists of several areas and each
of the areas may have several package equipment
which managed by a local Programmable Logic
Controller (PLC). Each of area usually will have
Local Instrument Room (LIR). All instrument
equipment and package equipment PLC in the field
will be controlled by DCS controller which installed
inside LIR. All LIRs will be tied back all the way to
Central Control Room (CCR) where operator
controls and monitors the plant. The plant will have
over 100 controllers and over 100 PLCs to control
the plant distributed across the area.
From network design perspective, company refers to
international standard in designing their network.
Cited from Figure 3: Functional Hierarchy
(American National Standard ANSI/ISA-95.00.01-
2010 (IEC 62264-1 Mod) Enterprise Control System
Integration- Part 1: Models and Terminology,
Approved 13 May 2010), the different levels of a
functional hierarchy model below (see figure 4).
In designing company network architecture, many of
company also will divide their network into several
zone. Cited from International Standard IEC 62443-
2-1, Industrial Communication Network – Network
and system security- Part 2-1: Establishing an
industrial automation and control system security
program, Edition 1.0 2010-11, page 90. Below is one
of the sample of typical network architecture
commonly used (see figure 5):
From above sample, normally in the oil and gas
company, the layer above will be translated into
below samples:
• Level 0 consist of field equipment such as
sensors and final control element, e.g. control
valves, transmitter etc.
• Level 1 consist of DCS controllers and the
peripheral connected to it such as input/output
(I/O) modules.
• Level 2 consist of supervisory control such as
DCS server, Operator monitor, Engineering
work station etc.
• Level 3 consist of advance control or equipment
management system that is not directly control
process such as historian server, domain control
server, antivirus server, time synchronization
server etc.
• Demilitarize Zone (DMZ) is typically used by
process control system to have certain
application that has the same data Level 3, for
example Plant Historian Shadow.
• Level 4 is corporate business network.
Cybersecurity attack can get into the system thru
level 4, corporate business network, either from
internet service that required by business, or
removable media such as USB that is used by
company personnel. In the previous section
mentioned that there is application that is used to
monitor process control system from L4, Plant
Information application. This application resides in
the level 4 server. PI server receive data from
Historian server in level 3. Any attack to PI server
may also infect historian server. Cybersecurity attack
also able get into process control system through
external connection that directly connected to
process control system such as online real-time
monitoring system or from third party vendor
connection to do remote regular system maintenance
(e.g. software update, system configuration etc.).
Both level 4 and level 3 connection shall equipped
with Network Control Point (NCP) every time they
are connected to each other or connected to outside
of company network. Well designed and configured
NCP is a mandatory to prevent cybersecurity attack.
Removable media that is used by company
personnel, or removable media that is brought by
third party vendor during regular maintenance also
can be one of the door for cybersecurity attack.
Company shall have a proper management of these
removable media.

MANAGEMENT OF PREVENTIVE & produces which caused by a number of
CORRECTIVE ACTION
In managing a system to be able to perform well,
company typically will adopt management of
preventive and corrective action. Cited from
American National Standard ANSI/ISA-95.00.01-
2010 (IEC 62264-1 Mod) Enterprise Control System
Integration- Part 1: Models and Terminology,
Approved 13 May 2010 page 69, definition of
corrective and preventive actions. Management of
corrective actions and preventive actions is
maintaining plant operations often requires that
corrective actions typically in response to an
incident, deviations, or failure, are recorded and
managed and that the results of the corrective actions
are recorded, clear, appropriate, and implementable
corrective actions should be identified at the
conclusion of any investigation. Tracking and
follow-up should be managed to ensure that
corrective actions are implemented and verified.
Preventive actions are typically managed in a similar
fashion, in order to prevent possible future incident
or deviations. Recommended actions are managed in
a similar function. Recommended actions are
predefined sets of actions to occur in the event of an
incident or deviations.
Technology comes with its advantages and
disadvantages. Cybersecurity is part of the
technology changes. Cybersecurity is risk that we
can prevent and mitigate.
Prevention in General
Before getting into the detail on how to manage a
remote connection and removable media to prevent
cybersecurity attack, there are some preventive
actions that need to set up by Oil and Gas Company:
 Establish ownership and define Role &
Responsibility (R&R). Every system shall
have at the minimum owner, custodian, and
system support. R&R also need to be defined
to ensure there is segregation of duty among
owner, custodian, and system support. There
are 4 main area that need to be considered in
determining segregation of duty among the 3
roles. They are management of change, access
management, risk management and asset
management.
 Risk assessments and stewardship
management. This is critical actions that must
have by a company. Risk assessment activities
in general will generate list of scenario
different risk posed to organizations by threats.
This will lead to recommended actions to be
taken to prevent and or mitigate in the case any
cybersecurity attacks take place. The duty of
management is to manage all the risks in their
organizations.
Cited from International Standard IEC 62443-2-
1, Industrial Communication Network –
Network and system security- Part 2-1:
Establishing an industrial automation and
control system security program, Edition 1.0
2010-11, page 51, risk analysis basic concept.
The likelihood of an event occurring takes into
account both the likelihood that a threat that
could cause an action will be realized and the
likelihood that a vulnerability that allows the
action will infect be exploited to the threat. For
example a virus to cripple a network, it needs
to first reach the network end then needs to
defeat antivirus controls on the network. If
likelihood is expressed similar to a probability,
then:
Likelihood Event_Occuring = Likelihood
Event_Realized x Likelihood Vulnerability_Exploited
Risk is made up of both likelihood and
consequence. Consequence is negative impact
such as specific harm that will be experienced by
an organization that caused by specific threat
Risk = Likelihood Event_Occuring x Consequence
There are several items need to be considered
during risk assessment.
• Involve the right personnel. Owner,
custodian and system support have to be
involved to ensure their system is well
assessed and mitigated. Also involve
discipline engineer related and experienced
control advisor as a facilitator during the risk
assessment.
• Use credible scenarios and brain storming.
The quality of risk assessment will be
determined by scenario that is chosen.
• Identify risk, severity & likelihood.
• Identify action control, control action shall
be doable (some action items are not feasible
because there is system limitation, then risk
assessment shall note the limitation as part of

the risk that is accepted), define number of
hours to complete the activity, and has
specific information on the group to close
the task.
• Steward control action, stewardship can be
done through regular meetings with owner,
custodian, and system support or by using
existing system such as SAP as a reminder
for control action that recurrence.
• Data classification. During risk assessment,
data needs to be classified to ensure it has
appropriate level of protection. Over
classification of data will lead to over
controlled action which will lead to
inefficient time and cost in stewarding
control action. Usually data in process
control is unclassified, some sensitive
information may also occur such as
financially related, contract, sensitive
custody transfer information, licensed,
inventory volumes, etc. Required more
protection such as additional control points
to be implemented. Company also must have
lifecycle management of information to
ensure how long the data need to be recorded
and kept.
 Protect information
Data classification will lead into number of
information protection requirements. There is
some protection of information that can be
implemented such as:
• Physical access restriction (e.g. attended
post), site controlled access (site-building-
room-cabinet). Sensitive data may need to
have extra protection for example, it is
located inside locked cabinet in the room
that protected with access control system.
• Software and information protection such as
unique logon ID for personnel, key-locked
consoles or workstations, access control list,
and Encryption. Sensitive data will need to
be encrypted in the PC with unique log on
ID.
Protection of information need to be followed up
by stewardship action. For example, system
owner conduct periodic access review related to
IDs at the minimum annually, review system log,
delete or disable any unused ID, and ensure all
password are regularly renewed.
• Specific procedure which consist of strategies
for continuation of service in the event of
prolonged interruption of resources that
impact the ability to operate. This procedure
may consider loss of personnel, systems
peripheral, and also critical utility systems.
Besides that, company also requires a guide to
recover system or data during emergencies or
disasters such as fire, flooding, explosion and
other catastrophic event. This guide shall
consider about well-trained recovery team
personnel, spare part, vendor support, and set
of standard operating procedure to resolve
problem sue to unknown and anticipated
failure modes.
• User awareness training and refresher training.
It is recommended to have a mandatory
training for new comer related to cybersecurity
attack. At the minimum, company must
conduct refresher training annually for the
employee.
• Change management. Any permanent or
temporary changes to the system shall be
logged, reviewed, and approved. This
management of change will be used during
investigation in the case there is any
cybersecurity incident.
Removable Media in Process Control System
Below is some guidance related to Removable
Storage and Mobile Devices handling management
• Connected to the control environment are
dedicated to a single purpose especially Safety
Health Environment‐critical systems will not
be used for any other purpose
• Used in the control environment are to be
physically secured when not in use
• Where technology is feasible, it is
recommended to disable USB port
• Secure console port with password
• Scanned for malware using internal updated
virus scanner
• Only Removable Storage and Mobile Devices
from reputable sources relevant to necessary
job function

 Only allow authorized 3rd party access to the
system
o Escort 3rd party vendor to get into facility
and into the system
o Work under supervision
o Only install and use authorized software
o Ensure your vendor contract have an
agreement that vendor shall kept our system
clean related to removable media
management
Remote Connection in Process Control System
There are some rules of thumb that can be used in
designing remote or external connections:
• Always choose conservative solution, if
possible. For example, try to use direct analogue
signal connection for 2 network connection
within acceptable distance. Hardwire connection
does not involve any Internet Protocol (IP)
address, data communication is one way, so there
is no risk of having cybersecurity attack.
• If network infrastructure is required to build the
connection, the use network control point (NCP)
in the design is mandatory to protect the network.
There are several items that need to be consider
in NCP implementation:
o NCP must be configured in a way so that
only certain data that is required can get
through the system and block the rest of the
data.
o NCP must be well designed, tested, and
certified by approved by qualified party
(trusted third party) or company internal IT
department.
o NCP must be periodically reviewed both
physically (secured in the restricted location)
and logically NCP set up and configuration
(password regularly changed and unique ID
for each of personnel).
Cybersecurity Attack Corrective Actions
Corrective action is resulted from deviation of
system behavior in normal condition. Cited from
International Standard IEC 62443-2-1, Industrial
Communication Network – Network and system
security- Part 2-1: Establishing an industrial
automation and control system security program,
Edition 1.0 2010-11 -Management of deviations:
maintaining plant operations often requires that
deviations that have been detected because of normal
conditions are recorded and that the response to the
deviation is recorded. Deviations are typically
measured differences between an observed value and
an expected or normal value, or an anomaly from a
documented standard or process. Deviation
management typically involves determination of the
root cause of the deviation and may lead to corrective
actions to remove the source of the deviations.
This deviation can be caused by cybersecurity attack
to the system. In the case cybersecurity attack
occurred, company needs to have proper mitigation
steps. Referring to International Standard IEC
62443-2-1, Industrial Communication Network –
Network and system security- Part 2-1: Establishing
an industrial automation and control system security
program, Edition 1.0 2010-11, table 17, there are
some steps need to be considered by a company, they
are:
• Implement an incident response plan:
Emergency response team (responsible
personnel – R&R)
• Communicate the incident response plan: call
tree emergency response will be required
• Reporting procedure for unusual activities and
events: trained personnel to report e.g. spam
email flag, followed up by contacting IT
department and email to respective supervisor.
• Report cyber security incidents in a timely
manner
• Identify and respond to incident: this activity will
consist of how personnel are well trained to
identify any of system conditions that may be
recognized as a cybersecurity attack, contact the
expertise in the company, determine the severity,
do the network isolation, until determine process
consideration to minimize the impact to plant
operation.
• Identify failure and success of cybersecurity
breaches: procedure shall be in place to identify
fail or successful breaches.
• Document details of incident, this is crucial for
investigations

• Communicate the incident details
• Address and correct issues discovered
• Conduct drills – annually at the minimum
SUMMARY
• It is impossible to detach process control
system from external connection and
removable media due to government
regulation, business requirement, and
technology changes that adopt by process
control system
• Annual reports from security anti-malware
Company shows that there is a tendency
towards cybersecurity attacks which are even
more difficult to be detected. In 2016, there is
zero vulnerability days. This is the day where
they can’t found any single vulnerability. The
existence of this day shows that there is
significant improvement in technology that is
used by hackers to do cybersecurity
vulnerability.
• Cybersecurity risk is manageable by having
robust risk assessment resulted in sets of
preventive and corrective actions to be
implemented.
• Company personnel awareness and emergency
response plan is important to response
cybersecurity attack and quickly recover
critical process control or monitoring impacted
by cybersecurity attack.
ACKNOWLEDGEMENT
This paper is dedicated for Allah Subhanahu Wa
Ta’ala and Rasulullah Muhammad Sallallahu
AIailihi Wasallam
Qindi and Gary (my sons), husband, and our
parents
ExxonMobil Cepu Limited : Druvi J Ruberu,
Yuri A Sumarno, June Kobayashi, Taufiq
Firmansyah, Mitsalina Nisrinawati, Rizal A
Dharma, Hanifatu Avida Romas, et al.
REFERENCE
International Standard IEC 62443-2-1, Industrial
Communication Network – Network and system
security- Part 2-1: Establishing an industrial
automation and control system security program,
Edition 1.0 2010-11
American National Standard ANSI/ISA-95.00.01-
2010 (IEC 62264-1 Mod) Enterprise Control System
Integration- Part 1: Models and Terminology,
Approved 13 May 2010
Peraturan Menteri Energi dan Sumber Daya Mineral
Republik Indonesia Nomor 39 tahun 2016 tentang
Sistem Monitoring Produksi Minyak Bumi Berbasis
Online Real Time Pada Fasilitas Produksi Kegiatan
Usaha Hulu Minyak dan Gas Bumi
Internet Security Threat Report (ISTR Government)
June 2017 Volume 22, issued by Symantec
https://www.osisoft.com/pi-system/#tab1
https://www.fireeye.com/blog/threat-
research/2017/12/attackers-deploy-new-ics-attack-
framework-triton.html
 

Figure 1 - Process control system cybersecurity attacks source

 

Figure 2 - Vulnerabilities found in 2014 - 2016

 

Figure 3 - The number of Industrial Control System (ICS) vulnerabilities discovered in 2014-2016
 

Figure 4 - The different levels of a functional hierarchy model

 

Figure 5 - Reference architecture alignment with an example segmented architecture