Tuesday, March 13, 2007

How Much Security does Pipeline Software need?

Well, this is my first post on this blog. In the interest of full disclosure, I will introduce myself: my name is Richard Wagner, and I am a Product Manager working for Energy Solutions, the sponsor of this blog site. I am working with the development team on PipelineTransporter for liquids scheduling, PipelineOptimizer for pump and energy optimization on liquids pipelines, and GasLoadForecaster, which predicts natural gas demand based on historical data and available weather forecast data.

I joined Energy Solutions about two months ago, having spent many years working for software companies serving the pharmaceutical industry. I must admit, I wasn't quite sure what to expect when I joined, since the pharmaceutical industry is quite different from the petroleum and gas industry. Interestingly enough, the challenges we face as a software provider are quite similar across the two industries. Our biggest challenge, like most software companies, is to listen to the industry to determine what their biggest challenges are, and deliver really helpful applications without getting too caught up in the technology.

That being said, one interesting difference I have noticed between pharma and oil & gas is in the area of software security. Due to the incredibly tight scrutiny from the FDA, pharma companies have very demanding audit trail and security requirements for virtually all their software systems. On the other hand, I have noticed that many applications in oil and gas have little or no built-in security measures; many of them depend simply on the network administration team to determine who can or cannot use them. In many ways, this can simplify the management of the applications. But I am hearing and reading about increasing concerns concerning the vulnerability of the energy industry in America to radical groups who might want to attack energy assets, including pipelines.

The question is, what should be done to mitigate this potential threat? Dealing with the threat of physical attack on the pipelines is the most obvious place to start. This could include increased security patrols and surveillance, as well as more sophisticated sensors and leak detection software and emergency response teams. But is there anything we need to do to protect pipelines against cyber-attack? With a central control room able to control valves, pumps, compressors and more for hundreds, or even thousands of miles, and millions of barrels at stake, what measures are appropriate to record and protect the software systems that manage this complex interaction?

The physical security that controls access to the control room is part of the answer. The other part will need to be an assessment of the required system security built into the software. SCADA security has already been recognized as an area where improved controls are required, and vendors and independent industry organizations are both working on this. The question I have, and which I need to explore as a product manager, is whether we need to tighten security and auditing controls in our software. Does scheduling software require the same level of user control and auditing as SCADA or other systems?

This is my question to the readers of this blog: what security measures (if any!) do you require, or might you require in the next five years, from the software systems that interact with SCADA, like pipeline scheduling, leak detection, load forecasting, etc. Any and all feedback is welcomed!

Richard Wagner

1 comment:

Jeffrey Hamby said...

My industry too, and I'm a former developer turned project and people manager. Hopefully I can both help and learn from your blog, so keep it up :)

Regarding security: My team is currently rewriting our scheduling/nominations/confirmations software for our gas pipleline. The rewrite is only being done to get us into a current development stack, so the logic itself is not really changing.

However, security will. Where it was once managed as part of our main application, it will now be handled outside the framework. As our applications are web based and we're a Windows server shop, we'll be using ISA Server to handle single sign-on as well as authentication.

After that level, authority within our applications will be handled through the new security application we'll be writing. An extra level of complication is accomplished by tring to provide a single point to handle multiple applications, both commercial and operational.

One thing in your post may need to be clarified though. Intrastate pipelines are regulated by FERC who has some fairly stringent requirements. On top of that, interfaces to pipeline software are handled by NAESB. To top it off, there are always SOX concerns with both security and audit trails.

So keep those in mind when you're discussing pipeline software security... there's much more than meets the eye.

Jeff

Welcome!

The Pipeline Place is a area to access and comment on all relevant information on standards and regulations specific to the North American pipeline industry. Sponsored by Energy Solutions, this blog includes feeds from government agencies, links to various standards bodies, and the latest reports and articles. There will be a monthly update highlighting new regulatory information as well as articles from our technical staff on pipeline simulation, leak detection, nominations & scheduling and gas forecasting. Please let us know what other topics you would like to read about. To subscribe to receive reminders on the monthly Standards update email: info@energy-solutions.com. Thank you!