
MANUAL

DATA ACQUISITION & CONTROL ARCHITECTURE (DACA) - TECHNICAL CONTROLS - WIRELESS

SECURITY

DEP 32.01.23.13-Gen.

November 2006

DESIGN AND ENGINEERING PRACTICE

This document is restricted. Neither the whole nor any part of this document may be disclosed to any third party without the prior written consent of Shell Global Solutions International B.V., The Netherlands. The copyright of this document is vested in this company. All rights reserved. Neither the whole nor any part of this

document may be reproduced, stored in any retrieval system or transmitted in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) without the prior written consent of the copyright owner.

DEP 32.01.23.13-Gen. November 2006

Page 2

PREFACE

DEPs (Design and Engineering Practice) publications reflect the views, at the time of publication, of:

Shell Global Solutions International B.V. (Shell GSI)

and/or

Shell International Exploration and Production B.V. (SIEP)

and/or

other Shell Service Companies.

They are based on the experience acquired during their involvement with the design, construction, operation and maintenance of processing units and facilities, and they are supplemented with the experience of Shell Operating Units. Where appropriate they are based on, or reference is made to, international, regional, national and industry standards.

The objective is to set the recommended standard for good design and engineering practice applied by Shell companies operating an oil refinery, gas handling installation, chemical plant, oil and gas production facility, or any other such facility, and thereby to achieve maximum technical and economic benefit from standardization.

The information set forth in these publications is provided to Shell companies for their consideration and decision to implement. This is of particular importance where DEPs may not cover every requirement or diversity of condition at each locality. The system of DEPs is expected to be sufficiently flexible to allow individual Operating Units to adapt the information set forth in DEPs to their own environment and requirements.

When Contractors or Manufacturers/Suppliers use DEPs they shall be solely responsible for the quality of work and the attainment of the required design and engineering standards. In particular, for those requirements not specifically covered, the Principal will expect them to follow those design and engineering practices which will achieve the same level of integrity as reflected in the DEPs. If in doubt, the Contractor or Manufacturer/Supplier shall, without detracting from his own responsibility, consult the Principal or its technical advisor.

The right to use DEPs is granted by Shell GSI, in most cases under Service Agreements primarily with Shell companies and other companies receiving technical advice and services from Shell GSI or another Shell Service Company. Consequently, three categories of users of DEPs can be distinguished:

1) Operating Units having a Service Agreement with Shell GSI or other Shell Service Company. The use of DEPs by these Operating Units is subject in all respects to the terms and conditions of the relevant Service Agreement.

2) Other parties who are authorized to use DEPs subject to appropriate contractual arrangements (whether as part of a Service Agreement or otherwise).

3) Contractors/subcontractors and Manufacturers/Suppliers under a contract with users referred to under 1) or 2) which requires that tenders for projects, materials supplied or - generally - work performed on behalf of the said users comply with the relevant standards.

Subject to any particular terms and conditions as may be set forth in specific agreements with users, Shell GSI disclaims any liability of whatsoever nature for any damage (including injury or death) suffered by any company or person whomsoever as a result of or in connection with the use, application or implementation of any DEP, combination of DEPs or any part thereof, even if it is wholly or partly caused by negligence on the part of Shell GSI or other Shell Service Company. The benefit of this disclaimer shall inure in all respects to Shell GSI and/or any Shell Service Company, or companies affiliated to these companies, that may issue DEPs or require the use of DEPs.

Without prejudice to any specific terms in respect of confidentiality under relevant contractual arrangements, DEPs shall not, without the prior written consent of Shell GSI, be disclosed by users to any company or person whomsoever and the DEPs shall be used exclusively for the purpose for which they have been provided to the user. They shall be returned after use, including any copies which shall only be made by users with the express prior written consent of Shell GSI. The copyright of DEPs vests in Shell GSI. Users shall arrange for DEPs to be held in safe custody and Shell GSI may at any time require information satisfactory to them in order to ascertain how users implement this requirement.

All administrative queries should be directed to the DEP Administrator in Shell GSI.


TABLE OF CONTENTS

1. INTRODUCTION ..... 4
1.1 SCOPE ..... 4
1.2 DISTRIBUTION, INTENDED USE AND REGULATORY CONSIDERATIONS ..... 4
1.3 GENERAL DEFINITIONS ..... 4
1.4 CROSS-REFERENCES ..... 7
1.5 COMMENTS ON THIS DEP ..... 7
2. GENERAL ..... 8
2.1 INTRODUCTION ..... 8
2.2 WIRELESS APPLICATIONS IN THE PROCESS CONTROL DOMAIN ..... 8
2.3 SENSOR SYSTEMS ..... 10
2.4 WIRELESS WORKER DEVICES ..... 11
2.5 WIRELESS BRIDGING LINKS ..... 12
3. WIRELESS THREATS ..... 13
4. PREVENTION ..... 15
4.1 GENERAL ..... 15
4.2 GENERAL PREVENTION METHODS ..... 15
4.3 WIRELESS SENSOR SYSTEMS ..... 20
4.4 WIRELESS WORKER AND WIFI / WLAN – IEEE 802.11 ..... 23
4.5 WIRELESS BRIDGING LINKS ..... 24
5. APPROVALS ..... 26
6. RISK ASSESSMENT ..... 27
6.1 GENERAL ..... 27
6.2 ORGANISATION ..... 27
6.3 METHODOLOGY ..... 27
6.4 SCENARIOS ..... 28
6.5 THREATS ..... 28
6.6 CONSEQUENCES ..... 28
6.7 LIKELIHOOD ..... 28
7. MANAGEMENT ..... 29
7.1 GENERAL ..... 29
7.2 ROLES AND RESPONSIBILITIES ..... 29
7.3 PATCH MANAGEMENT ..... 29
7.4 CONFIGURATION MANAGEMENT ..... 29
7.5 TRAINING ..... 29
7.6 REMOTE MAINTENANCE ..... 30
8. SUMMARY OF WIRELESS THREATS AND THEIR PREVENTION METHODS ..... 31
9. ISA SP-100 DEVELOPMENTS ..... 33
10. REFERENCES ..... 34


1. INTRODUCTION

1.1 SCOPE

This new DEP specifies requirements and gives recommendations on the implementation of wireless systems in the Process Control Domain (PCD). It describes some of the wireless systems that can be deployed and the wireless-specific information security threats.

In particular, this DEP focuses on the relevant wireless information security requirements in support of ITCI-117 (Information Security Standard for PCADs and PCDs). It specifies the need for a separate wireless risk assessment and approval prior to deployment of wireless technologies in the PCD.

The use of wireless technology in the PCD is relatively new, and best practice is currently evolving within the production environment. This DEP is based on current best practice rather than established experience. Consequently, all wireless PCD applications require the explicit approval of the relevant Control and Automation / Instrumentation Global Discipline Leader before they are implemented.

1.2 DISTRIBUTION, INTENDED USE AND REGULATORY CONSIDERATIONS

Unless otherwise authorised by Shell GSI, the distribution of this DEP is confined to Shell companies and, where necessary, to Contractors and Manufacturers/Suppliers nominated by them.

This DEP is intended for use in major development projects and existing producing assets in exploration and production. However, it may be applied to other Business Groups at the discretion of the Principal.

When DEPs are applied, a Management of Change (MOC) process should be implemented; this is of particular importance when existing facilities are to be modified.

If national and/or local regulations exist in which some of the requirements may be more stringent than in this DEP, the Contractor shall determine by careful scrutiny which of the requirements are the more stringent and which combination of requirements will be acceptable with regards to the safety, environmental, economic and legal aspects. In all cases the Contractor shall inform the Principal of any deviation from the requirements of this DEP which is considered to be necessary in order to comply with national and/or local regulations. The Principal may then negotiate with the Authorities concerned, the objective being to obtain agreement to follow this DEP as closely as possible.

1.3 GENERAL DEFINITIONS

1.3.1 General definitions

The Contractor is the party that carries out all or part of the design, engineering, procurement, construction, commissioning or management of a project, or operation or maintenance of a facility. The Principal may undertake all or part of the duties of the Contractor.

The Manufacturer/Supplier/Vendor is the party that manufactures or supplies equipment and services to perform the duties specified by the Contractor.

The Principal is the party that initiates the project and ultimately pays for its design and construction. The Principal will generally specify the technical requirements. The Principal may also include an agent or consultant authorised to act for, and on behalf of, the Principal.

The word shall indicates a requirement.

The word should indicates a recommendation.


1.3.2 Abbreviations

AES Advanced Encryption Standard - a block cipher adopted as an encryption standard by the US government

b bit - a bit can represent a logical ‘zero’ or ‘one’ and is the basis of digital (binary) technology

B byte = 8 bits [based on binary (base-2)]

BGAN Broadband Global Area Network

C&A Control and Automation

DACA Data Acquisition and Control Architecture

DCS Distributed Control System - a type of Programmable Electronic System often used on production facilities to monitor and control the production process and to provide the primary Human Machine Interface to the process and/or third party control systems.

DHCP Dynamic Host Configuration Protocol - a protocol used by computers to obtain unique IP address from a DHCP server

DMZ Demilitarised Zone

FF H1 Foundation Fieldbus is an all-digital, serial, two-way communications system that serves as a Local Area Network (LAN) for plant-to-plant instrumentation and control devices.

Gbps gigabits per second – 10^9 bits per second – unit of data transfer speed

GPRS General Packet Radio Service - a mobile data service available to users of GSM mobile phones

HART The HART Protocol uses the American Bell 202 standard frequency shift keying signal (FSK), superimposed at a low level on the 4 to 20 mA analogue measurement signal.

HMI Human Machine Interface

HSE Health, Safety and Environment

Also High Speed Ethernet (Foundation Fieldbus)

I/O Input and Output (of a device in the PCD)

IP Internet Protocol

IPsec IP Security

ISM Industrial, Scientific and Medical – shared wireless frequency bands

IT Information Technology

LAN Local Area Network

MAC Address Media Access Control address. This address is a unique hardware number assigned to an item of IT equipment

Mbps megabits per second – 10^6 bits per second – unit of data transfer rate

Mb megabit

MODBUS A communications protocol positioned at the level 7 of the OSI Model, designed by Modicon for use with programmable logic controllers (PLCs)


MTBF Mean Time Between Failures. MTBF ratings are measured in hours or years and indicate the reliability of equipment. Calculated by dividing the total unit operating hours accrued in a period by the number of unit failures that occurred during the same period

OD Office Domain

OEM Original Equipment Manufacturer

OPC OPC (OLE - Object Linking and Embedding for Process Control) - A set of seven open standards for connectivity and interoperability of industrial automation and the enterprise systems

PAS Process Automation System: Incorporates DCS functionality and also allows for the use of PLCs and PLC networks, RTUs, and other vendor/OEM equipment integrated via serial and/or hardwired interfaces

PCAD Process Control Access Domain

PCD Process Control Domain

PCN Process Control Network

PHY Physical Layer

PI The Plant Information System™ is a software application toolset designed to fully automate the collection, storage and presentation of plant data

PLC Programmable Logic Controller

RF Radio Frequency

RFID Radio Frequency Identification - an automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags or transponders

RTU Remote Terminal Units (RTUs), used to continually collect data from the sensors in the field, and process and send the information to a centralised Master Station

SAP-PM A program to control and assign resources for plant maintenance

SCADA Supervisory Control and Data Acquisition (SCADA) is used to monitor and control remote plant and equipment

SSID Service Set Identifier (the assigned name of a wireless (WiFi) network)

TCP/IP Transfer Control Protocol/Internet Protocol. A protocol that allows computers to communicate irrespective of brand, type, speed or operating system

TPA Third Party Access: a Shell standard package enabling a third-party PC outside the Shell Network to access the OD via GI and internet. Security is controlled by Shell

UMTS Universal Mobile Telecommunications System - third-generation (3G) mobile phone technologies that uses W-CDMA modulation

VLAN Virtual Local Area Network

VPN Virtual Private Network

VSAT Very Small Aperture Terminal - a 2-way satellite ground station with a dish antenna that is smaller than 3 m

WiFi Wireless Fidelity - Any type of IEEE 802.11 wireless network (e.g. a/b/g/n, dual band, etc.)


WiMax Worldwide interoperability for Microwave Access – IEEE 802.16

WLAN Wireless Local Area Network

WPA2 Wireless Protected Access (v2) - an amendment to the IEEE 802.11 standard (802.11i) specifying security mechanisms for wireless networks

1.4 CROSS-REFERENCES

Where cross-references to other parts of this DEP are made, the referenced section number is shown in brackets.

Other documents referenced by this DEP are listed in (10).

1.5 COMMENTS ON THIS DEP

Comments on this DEP may be sent to the DEP Administrator at [email protected]. Shell staff may also post comments on this DEP on the Surface Global Network (SGN) under the Standards.


2. GENERAL

2.1 INTRODUCTION

Wireless is communication without the use of wires, but more specifically telecommunications in which electromagnetic waves carry signals over part or all of a communications path. The electromagnetic spectrum normally used for wireless extends from around 1 MHz up to 60 GHz. Wireless equipment used within the process domain will use frequencies around 400 MHz, 800 MHz, 900 MHz, 2.4 GHz, 3.5 GHz and 5 GHz. Frequencies higher than these are normally referred to as microwave and used for point-to-point high-speed communications.

Today’s wireless technology offers many operational advantages, e.g. deployment of remote monitoring and control technologies that may have been previously impractical using a wired connection. Consequently, wireless can now be considered as an alternative to wired connections.

However, a wireless system can radiate ‘outside the fence’ and may have lower availability than a wired system, and hence may provide lower data security. The use of wireless technology therefore needs to be carefully weighed against the security risks.

Whether a wireless system connects directly or indirectly into the process control domain (PCD), the use of wireless technology is subject to specific approval by the C&A technical authority, including a specific risk assessment according to ITCI-117.

This DEP provides specific guidance to assist in managing the risks of using wireless systems in comparison to other technologies. It addresses some of the identified information security risks, and outlines key considerations in assessing the extent and remediation of the risks associated with the use of wireless systems. It identifies the need for a separate wireless risk assessment and gives guidance on methods to manage the risks.

This DEP focuses on wireless sensors, handheld PCs, ZigBee and Wireless HART, but Bluetooth, WiFi and WiMAX (IEEE 802.16) systems are also in scope.

This DEP does not cover: risks and management of subsea applications; downhole applications; infrared systems; wireless keyboards and wireless mice; proximity, passive RFID and near field communication systems; and the use of wireless telecommunication infrastructures such as GPRS, UMTS, VSAT and BGAN. Also excluded are the office domain (OD) wireless networks and wireless devices used to access OD applications only (e.g. work procedures or SAP-PM).

This DEP only addresses wireless security and hence does not address the actual mechanical, electrical, wireless or other issues associated with using wireless as a connectivity solution.

Guidance on issues such as hazardous area certification, wireless frequency selection, wireless engineering, physical housing, physical security, environment, etc. is not given in this DEP but is provided in other DEPs.

2.2 WIRELESS APPLICATIONS IN THE PROCESS CONTROL DOMAIN

Wireless devices may be used for a wide variety of applications within the PCD, e.g.: collection of data from sensors; collection of diagnostic data from field instruments; collection and delivery of data to handheld devices; use of laptops; use of wireless cameras (either portable or fixed); personnel location monitoring; asset location monitoring; network interconnection (bridging).

A wireless system consists of a number of components. For example a wireless monitoring system may use a number of wireless sensors connected by wireless to an access point. This uses a wireless connection to another central host, which may be a separate system hosting data collection and systems administration applications. In turn, this may be connected to the DCS or other systems for distribution of the data collected. The information security of all the elements forming this complete system shall be considered.


For the purposes of this DEP, three example solutions are considered, each of which may demand a rather different approach to security:

1. The deployment of remote monitoring from individual sensors (2.3; 4.3).

2. The deployment of wide area coverage for “Wireless Worker” devices that enable a user to remotely access PCD data. Wireless worker devices may be PDAs, Tablet PCs or other devices for remote access using a wireless connection. These often use WiFi systems to connect WiFi-enabled devices (2.4; 4.4).

3. Bridging links between PCN (or DCS) segments of a network using various wireless technologies (2.5; 4.5).

[Figure 1 Wireless system types: diagram showing the Office Domain (office network (GI), PAS) and the Process Control Domain (PCAD, process control network, control bus, PAS), with the three DACA wireless system types marked 1 (sensors), 2 (PDAs and laptops) and 3 (bridging links).]

Figure 1 Wireless system types


2.3 SENSOR SYSTEMS

2.3.1 General

Process sensors used for monitoring, control or data acquisition systems are traditionally connected by wires. The use of wireless technology is becoming more feasible and some field applications are already in place. It is expected that in the future many wireless sensors will be widely used within the PCD. The process data from the sensors is ‘collected’ by an access point and passed into the PAS or PCN as required by other applications that make use of the data. Figure 2 shows a general wireless system with its components.

[Figure 2 Typical wireless connection: diagram labelled with an Access Point, link distances of “up to 300 m” and “20 km”, and hazardous area classifications “Zone 1 or 2” and “Zone 2 or None”.]

Figure 2 Typical wireless connection

2.3.2 Types of Connection

Wireless sensors are available in a variety of forms with different access and hosting methods. These will dictate where the system has to be connected to make the recovered data accessible. Examples of possible connection points are listed below; these shall be considered when assessing security, as each type will pose a different level of security risk.

1. Current Loop – typically a 4 to 20 mA loop connection replacing a wired sensor – non-routable

2. HART interface directly to PAS – non-routable

3. Ethernet connection to PAS – routable using Internet Protocol (IP)

4. High level protocol connection directly to PAS using e.g. FF H1 or MODBUS with a non-routable interface.

5. Wired Ethernet connection directly to PCN

6. Ethernet connection to the PCAD

7. Ethernet connection directly onto OD

8. Ethernet connection to the Internet


[Figure 3 Possible wireless sensor connections: diagram showing the Office Domain (office network (GI), Internet, Access Manager) and the Process Control Domain (PCAD with Asset Management, Historian and Clients; CCR gateway; process control network with HMI, Control and I/O gateway; control bus; field bus; PAS). The numbered connection points 1 to 8 of (2.3.2) are shown: 1 and 2 via mA/HART, 3 to 5 via Ethernet/Modbus gateways, and 6 to 8 via Ethernet gateways.]

Figure 3 Possible wireless sensor connections (2.3.2)

NOTE: With wireless sensor systems, care should be taken to cater for the differing protocols and interfaces.

2.4 WIRELESS WORKER DEVICES

Current wireless worker devices used in the process plant are either PDA or laptop type handheld devices. These currently use IEEE 802.11 WiFi systems to connect to either the OD or the PCD. Operators of these devices currently use them primarily to manage work processes, with preset work processes to collect data from the field and download it to applications such as SAP within the OD.

In the future it is expected that the functionality will be extended to the PCD for remote access to data stored in the DCS and possibly some elements of control back towards the DCS.


[Figure 4 Wireless Ethernet connectivity: diagram showing Ethernet segments joined by a master bridge with slave bridges, an access point serving a video unit, laptop computer, pen computer and PDA, and a point-to-point bridge between two Ethernet segments.]

Figure 4 Wireless Ethernet connectivity

2.5 WIRELESS BRIDGING LINKS

In order to connect different parts of a DCS or wireless system, large distances have to be bridged by direct point-to-point wireless links.

Such links will typically connect parts of the PCN using Ethernet.

Such bridges may use WiFi but can also be implemented with lower UHF frequencies, WiMax (IEEE 802.16) or Microwaves or fixed data networks.

Since these links reside within the PCD, careful consideration shall be given to security.

3. WIRELESS THREATS

This section considers and explains some security threats that may be unique to the use of wireless.

Wireless technology uses a common medium for signal transmission through the atmosphere and the electromagnetic waves used are open to use or abuse by other parties. In addition, the waves are subject to sudden interruption by changes in atmospheric conditions such as rain and other physical obstructions (e.g. a crane). Hence the medium is inherently unreliable and more vulnerable to security breaches. These factors shall be considered when selecting the technology for a particular application.

Some specific threats associated with the use of wireless are:

Jamming – due to interference from legitimate users sharing the same frequency band or due to malicious jamming.

Remote wireless signals of sufficient strength can overpower an operational wireless system rendering it useless. Due to the inherently open access of a wireless channel, such jamming is hard to prevent.

Jamming may also be caused by the coexistence of various wireless systems offering services over a particular area; these may be of the same type or different types and may all be within local control or may be from an outside third party.

Detection – The presence of equipment can be detected by third parties remotely (outside the fence) and may lead to deeper probing and ultimately to disruption.

The existence of wireless equipment can be identified by physically visible antennas or by scanning the wireless band from a remote location for the presence of a wireless system.

Eavesdropping – detection and listening in.

This is the passive interception of wireless systems which can permit extensive data to be collected and analysed at a later date using brute force methods to crack encryption, etc.

Bogus Data – replacement of good data with unknown or wrong data or replay of old data.

An attacker can add data to manipulate control and data messages by inserting his own commands. Also valid data can be maliciously repeated / retransmitted in a replay attack. Even though messages may be encrypted, retransmission of valid log-on messages may give access to systems.
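The replay problem described above, as an added illustration that is not part of this DEP: a sensor-to-access-point link whose frames carry a message authentication code but no freshness check accepts a retransmitted, still-valid frame, whereas a receiver that also requires a strictly increasing sequence counter rejects it and logs the attempt (the logging and audit control of 4.1). The HMAC-SHA256 framing, the shared key, the `PT-101` tag name and the `Receiver` class are constructed for this example and are not a scheme prescribed by the DEP.

```python
import hashlib
import hmac
import struct

# Constructed demo key shared by the field sensor and the access point.
KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def build_frame(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sensor side. Frame = 4-byte big-endian sequence counter || payload || tag.
    The tag covers the counter as well as the payload, so neither can be
    altered without invalidating the frame."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Access-point side. check_freshness=False models a link that only
    authenticates (or only encrypts) each message: a captured frame replayed
    later is still cryptographically valid and is accepted."""

    def __init__(self, key: bytes, check_freshness: bool = True) -> None:
        self.key = key
        self.check_freshness = check_freshness
        self.last_seq = -1          # highest counter accepted so far
        self.accepted = []          # payloads passed on to the PAS/PCN
        self.log = []               # audit trail of accept/reject decisions

    def receive(self, frame: bytes) -> bool:
        if len(frame) < 4 + TAG_LEN:
            self.log.append("reject: short frame")
            return False
        header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            self.log.append("reject: bad tag (tampered or forged frame)")
            return False
        seq = struct.unpack(">I", header)[0]
        if self.check_freshness and seq <= self.last_seq:
            self.log.append(f"reject: replay seq={seq} last_seq={self.last_seq}")
            return False
        self.last_seq = max(self.last_seq, seq)
        self.accepted.append(payload)
        self.log.append(f"accept seq={seq}")
        return True


def demo() -> dict:
    """Run three genuine readings through both receivers, then a replay of the
    first frame and a tampered copy of the last one. Returns the decisions."""
    sensor_frames = [
        build_frame(KEY, seq, f"PT-101 pressure={4.0 + seq:.1f} bar".encode())
        for seq in range(3)
    ]
    weak = Receiver(KEY, check_freshness=False)
    strong = Receiver(KEY, check_freshness=True)
    for frame in sensor_frames:
        weak.receive(frame)
        strong.receive(frame)

    replayed = sensor_frames[0]                  # byte-for-byte retransmission
    tampered = bytearray(sensor_frames[2])
    tampered[10] ^= 0x01                         # flip one payload bit
    tampered = bytes(tampered)

    return {
        "weak_accepts_replay": weak.receive(replayed),
        "strong_accepts_replay": strong.receive(replayed),
        "strong_accepts_tampered": strong.receive(tampered),
        "weak_accepted_count": len(weak.accepted),
        "strong_accepted_count": len(strong.accepted),
        "strong_log": strong.log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The counter must be kept per sensor and survive a receiver restart, and the 32-bit counter must be re-keyed before it wraps; a receiver that resets `last_seq` to -1 on reboot reopens the replay window the check is meant to close.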

Backdoor opened – whilst normal external access to/from remote connections may be protected, wireless may enable remote access to some location within the PCD by opening a backdoor, and hence the possibility of deeper penetration of the PCD and PCN - e.g. denial of service attack, virus, worms, ‘man in the middle’, etc.

Installed firewalls and protections are designed to provide protection against attacks from the outside (e.g. the PCAD), whereas wireless may permit an inside attack where there is lower protection.

This type of attack would involve deeper probing of process systems with potentially greater consequences. Denial-of-Service attacks may interrupt connectivity by hijacking a wireless system or streaming excessive quantities of data rendering the system unusable. Once access to higher-level systems is possible, then weaknesses can be exploited to host an attack on operational computing systems. Man-in-the-middle attacks forge a network resource to initiate a connection to the higher level system, enabling the possibility of injecting data, eavesdropping, etc.

Imitation of wireless equipment, for example by use of lost or stolen equipment, can permit rogue access to working systems.

Manageability /Maintainability – Wireless technology is relatively complex, and training and expertise are more difficult. This can lead to possible errors in configuration or operation that could create security vulnerabilities.


For example: using frequencies already in use; not enabling encryption; designing wireless with low margins which do not offer adequate protection from interfering signals.

Unauthorised Access – by people with access codes, such as disgruntled employees, work permit holders, vendors with secret access codes, or casual tampering. They may gain access remotely by wireless where normally they would have been stopped by physical access controls.

Engineering Deficiencies – Ad-hoc engineering neglecting security, inappropriate use of wireless (e.g. installation of cheap office quality WiFi or wireless equipment where ruggedised equipment is required, which may jeopardise data integrity).

Wireless transmission can use many different protocols and coding systems; although all are open to a security attack some are more vulnerable than others. A worst case that can be considered is an attack from a stolen unit of the same type employed at a facility, which can give direct access from outside the Shell fence.

Open standards such as WiFi, using IEEE 802.11a, b, g or n, are most vulnerable, since they are commonly used and any security weaknesses may have been revealed. However much of this security weakness is recognised and these types of equipments often have many security measures embedded within them to enhance their security (but these security measures should be enabled and utilised correctly to be useful).

Currently wireless sensors often use proprietary protocols based upon types of modulation such as Frequency Hopping Spread Spectrum (FHSS) or Orthogonal Frequency Division Multiplex (OFDM). These are fairly complex and more secure than older modulation methods, but they often depend upon ‘security by obscurity’ (a system which uses secrecy as security and may have theoretical and actual security vulnerabilities, but its owners believe that such flaws are not known) and may exclude definitive security measures.

NOTE: New wireless systems are being developed and these involve many new developing standards. Many of these new standards specifically address security, and the possibility of applying any new measures available should be considered in order to achieve an appropriate level of security.


4. PREVENTION

4.1 GENERAL

This section describes some of the preventative actions that should be considered to reduce the risks of deploying wireless systems; it covers some general suggestions, applicable to any wireless system, and some specific suggestions for sensing systems, wireless worker systems and bridges. Prevention against threats shall be carefully implemented, which requires a close understanding of the wireless technology.

As a general control, a logging and audit mechanism should be used. This should include automatic, ad-hoc, electronic and human methods to track non-compliance. For wireless equipment and systems, such audits should be performed at a greater frequency than for conventional equipment.

4.2 GENERAL PREVENTION METHODS

4.2.1 Jamming

This can be caused by interference from legitimate users sharing the same frequency band or be due to malicious jamming.

Eliminating risks associated with jamming is particularly difficult. Some measures that can be considered are:

ο Careful engineering is essential to provide optimum performance and resistance to interference (jamming) from other users, e.g. by ensuring that RF signal levels are adequate to resist interference by using antenna types which provide adequate rejection whilst covering the required area but limiting coverage outside the asset boundary.

ο Knowledge of known local users will assist in selecting appropriate frequency and coding options to reduce conflicts. Frequency selection can improve security as well as performance; knowledge of adjacent users can lead to selection of alternative frequencies.

ο A scan of the proposed frequency band should be undertaken to identify potential interfering signals.

ο Telecom, IT and C&A staff should co-operate in order to understand the risks of sharing the wireless ‘space’. This is particularly relevant if wireless networks are established for both OD and PCD networks in the same geographical location.

ο Use of higher frequency bands will in general reduce interference risks, as ranges are shorter and obstructions cause higher losses. This shall be balanced against the operating range required to meet the particular application.

ο The wireless antennas used should have the highest gain possible, consistent with providing the required service; this will reduce the risks of interference from and to other systems. However care shall be taken to remain within the local regulatory requirements for maximum transmitted power, which can vary with frequency and location.

ο Antenna shielding may be deployed to reduce unwanted transmission or received interference in particular directions, e.g. shielding the back of an omni directional antenna to block interference from an adjacent wellhead.

ο Wireless equipment should be mounted in a secure location using as much natural shielding as possible to reduce unwanted RF transmission, e.g. in shielded cabinets, within buildings, etc.

ο If possible, licensed frequencies should be used, rather than shared, unlicensed ISM bands, although the added licensing costs and availability of equipment shall be considered.


4.2.2 Detection

The presence of equipment can be detected by third parties remotely (outside the fence), which may lead to deeper probing with ultimate disruption.

ο Avoiding the detection of wireless equipment is difficult. In the future the use of new technologies such as Ultra Wideband may be possible, but for now the risks associated with this threat shall be controlled by the other methods described below to reduce the risks of eavesdropping and manipulation of data.

ο Camouflaging of equipment and antennas should be considered to resist visual detection and possible subsequent RF detection / probing.

ο The wireless antennas used should have the highest gain possible, consistent with providing the required service; this will reduce the risks of interference from and to other systems. However care shall be taken to remain within the local regulatory requirements for maximum transmitted power, which can vary with frequency and location.

ο The minimum transmitter power necessary should be used to limit coverage in order to meet operational availability requirements whilst minimising transmission outside the asset boundary. This requirement shall be balanced with the use of higher gain antennas to minimise both received and transmitted interference.

ο After a wireless system is installed, the range and area covered by the system should be measured. Preventative actions should then be taken to increase / reduce the area so that it is just within the required limits.
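The items above trade transmitter power against antenna gain under a regulatory EIRP ceiling, and ask for coverage to be trimmed to "just within the required limits". The following is an added worked example, not part of this DEP, showing how that trade-off is checked on paper before the range survey: it uses the standard free-space path loss formula (an upper bound on reach, since plant propagation is worse), and the regulatory limit, link parameters and sensitivity figures are constructed placeholders that must be replaced with the local regulator's and the Vendor's values.

```python
import math

# Placeholder regulatory EIRP ceiling (dBm). The real figure depends on the
# frequency band and country and must be taken from the local regulator.
REGULATORY_EIRP_LIMIT_DBM = 20.0


def eirp_dbm(tx_power_dbm, antenna_gain_dbi, feeder_loss_db=0.0):
    """Effective isotropic radiated power: the quantity the regulator limits."""
    return tx_power_dbm + antenna_gain_dbi - feeder_loss_db


def fspl_db(distance_km, freq_mhz):
    """Free-space path loss (Friis form), in dB."""
    return 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz) + 32.44


def max_range_km(eirp, rx_gain_dbi, sensitivity_dbm, freq_mhz, fade_margin_db=10.0):
    """Largest free-space distance at which the link still closes with the
    given fade margin. Because free space is the best case, this bounds how
    far outside the asset boundary the signal can still be usable."""
    allowed_loss = eirp + rx_gain_dbi - sensitivity_dbm - fade_margin_db
    return 10 ** ((allowed_loss - 20 * math.log10(freq_mhz) - 32.44) / 20)


def tx_power_for_range(required_range_km, tx_gain_dbi, feeder_loss_db,
                       rx_gain_dbi, sensitivity_dbm, freq_mhz, fade_margin_db=10.0):
    """Minimum transmitter power (dBm) that just meets the required range:
    the 'minimum power necessary' setting the DEP asks for."""
    return (fspl_db(required_range_km, freq_mhz) + sensitivity_dbm + fade_margin_db
            - tx_gain_dbi - rx_gain_dbi + feeder_loss_db)


def plan_link(tx_power_dbm, tx_gain_dbi, feeder_loss_db, rx_gain_dbi,
              sensitivity_dbm, freq_mhz, required_range_km):
    """Summarise whether a candidate design respects the EIRP limit, closes
    the link at the required range, and how much coverage spills beyond it."""
    eirp = eirp_dbm(tx_power_dbm, tx_gain_dbi, feeder_loss_db)
    reach = max_range_km(eirp, rx_gain_dbi, sensitivity_dbm, freq_mhz)
    return {
        "eirp_dbm": round(eirp, 1),
        "within_regulatory_limit": eirp <= REGULATORY_EIRP_LIMIT_DBM,
        "link_closes": reach >= required_range_km,
        "reach_km": round(reach, 2),
        "excess_coverage_km": round(max(0.0, reach - required_range_km), 2),
    }


if __name__ == "__main__":
    # Constructed design: 20 dBm radio, 6 dBi antenna, 1 dB feeder, -85 dBm
    # receiver sensitivity, 2.4 GHz, 1 km of required coverage.
    print(plan_link(20, 6, 1, 2, -85, 2437, 1.0))
    print("power needed for 1 km: %.1f dBm"
          % tx_power_for_range(1.0, 6, 1, 2, -85, 2437))
```

In the constructed case the 20 dBm radio with a 6 dBi antenna exceeds the placeholder 20 dBm EIRP ceiling and reaches well beyond the 1 km required, so the transmitter power is the knob to turn down: `tx_power_for_range` gives the setting at which the link just closes with the chosen fade margin, which is the starting point for the post-installation range measurement the DEP calls for.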

4.2.3 Eavesdropping

Detection and listening-in on communications.

ο Wireless systems with proprietary protocols provide some security by obscurity, compared to open systems such as WiFi (Wlan) according to IEEE 802.11a, b, g or n. See (4.4) for special measures necessary when using WiFi.

ο Encryption should be used; AES encryption is preferred, although WiFi WPA2 is also recommended, where permitted (some encryption methods may be prohibited in certain countries).

ο MAC address filtering should be used as an additional security measure if this can be supported.

ο Pre-shared encryption keys should be at least 20 ASCII characters in length.

ο Identity codes and passwords should:

• Consist of a minimum of 8 characters

• Consist of upper and lower case characters

• Contain at least 1 numeric character

• Have at least 3 different characters

• Have a maximum of 3 consecutive repeated characters

• Include special characters (with care, as these may not be available on all keyboards)

• Not contain easily guessable words


4.2.4 Bogus data

Replacement of good data with unknown or wrong data or replay of old data.

ο The equipment in use shall be rigorously identified and audited. Changes to nodes shall be monitored.

ο Scans shall be made at regular intervals to identify rogue wireless devices such as access points, sensors, etc.

ο It should be methodically verified that the correct process variable is being measured. Sensors could easily be swapped between different measuring points.

ο Whenever possible, host systems should check that data sequences follow each other for integrity.

ο Encryption should be used; AES encryption is preferred, although WiFi WPA2 is also recommended, where permitted (some encryption methods may be prohibited in certain countries).

ο MAC address filtering should be used as an additional security measure if this can be supported.

ο Pre-shared encryption keys should be at least 20 ASCII characters in length.

ο Identity codes and passwords should:

• Consist of a minimum of 8 characters

• Consist of upper and lower case characters

• Contain at least 1 numeric character

• Have at least 3 different characters

• Have a maximum of 3 consecutive repeated characters

• Include special characters (with care, as these may not be available on all keyboards)

• Not contain easily guessable words
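The identity code and password rules listed under (4.2.3) and repeated above under (4.2.4), together with the 20-character minimum for pre-shared keys, are precise enough to be checked mechanically. The following is an added worked example, not part of this DEP, that encodes those rules as a checker a site could run before a code is issued. The list of "easily guessable" words is a constructed placeholder; a real deployment would use a proper dictionary plus site, Vendor and tag names.

```python
import re

# Constructed placeholder for "easily guessable words"; extend for the site.
GUESSABLE_WORDS = ("password", "shell", "plant", "admin", "welcome", "qwerty", "letmein")


def check_password(candidate, guessable_words=GUESSABLE_WORDS):
    """Return the list of DEP 32.01.23.13 password rules the candidate breaks,
    in the order the rules are listed. An empty list means it is acceptable."""
    violations = []
    if len(candidate) < 8:
        violations.append("length")          # minimum of 8 characters
    if not (re.search(r"[A-Z]", candidate) and re.search(r"[a-z]", candidate)):
        violations.append("case")            # upper and lower case characters
    if not re.search(r"[0-9]", candidate):
        violations.append("digit")           # at least 1 numeric character
    if len(set(candidate)) < 3:
        violations.append("distinct")        # at least 3 different characters
    if re.search(r"(.)\1{3}", candidate):
        violations.append("run")             # more than 3 consecutive repeats
    if not re.search(r"[^A-Za-z0-9]", candidate):
        violations.append("special")         # include special characters
    lowered = candidate.lower()
    if any(word in lowered for word in guessable_words):
        violations.append("dictionary")      # no easily guessable words
    return violations


def check_preshared_key(key):
    """Pre-shared keys: at least 20 characters, all printable ASCII, so the
    key can be typed on any keyboard the maintainers are likely to have."""
    return len(key) >= 20 and all(32 <= ord(ch) < 127 for ch in key)


if __name__ == "__main__":
    for sample in ("Xk9#tRv2", "password1", "aaaaB1!"):
        print(sample, "->", check_password(sample) or "acceptable")
    print(check_preshared_key("correct-horse-battery-staple-2006"))
```

The DEP's caveat on special characters (they may not be available on all keyboards) is why `check_preshared_key` insists on printable ASCII rather than merely on length: a key that cannot be entered at the field terminal tends to end up written down or simplified.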
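The measure under (4.2.4) that host systems should check that data sequences follow each other is the host's defence against the replay and substitution this threat describes. The following is an added worked example, not part of this DEP, of such a check: it assumes each frame carries a 16-bit wrapping sequence counter (the counter width is an assumption, not something the DEP specifies) and classifies every frame per source as in order, missing data, duplicated, or older than data already accepted, so the host can alarm rather than silently accept the value. The sample frames are constructed.

```python
# Assumed counter width; many field protocols use a small wrapping counter.
SEQ_BITS = 16
SEQ_MOD = 1 << SEQ_BITS
HALF = SEQ_MOD // 2


class SequenceMonitor:
    """Tracks the last sequence number accepted from each wireless source
    and classifies each new frame relative to it."""

    def __init__(self):
        self._last = {}

    def classify(self, source, seq):
        last = self._last.get(source)
        if last is None:
            self._last[source] = seq
            return "first"
        delta = (seq - last) % SEQ_MOD        # modular distance handles counter wrap
        if delta == 0:
            return "duplicate"                # same frame delivered twice
        if delta == 1:
            self._last[source] = seq
            return "ok"
        if delta < HALF:
            self._last[source] = seq
            return "gap:%d" % (delta - 1)     # frames lost in between
        return "stale"                        # older than accepted data: possible replay


def audit(frames):
    """frames: iterable of (source_tag, seq, value). Returns a list of
    (source_tag, seq, status) in arrival order."""
    mon = SequenceMonitor()
    return [(src, seq, mon.classify(src, seq)) for src, seq, _value in frames]


# Constructed sample frames from two wireless transmitters.
SAMPLE_FRAMES = [
    ("TT-101", 1, 20.1),
    ("TT-101", 2, 20.2),
    ("TT-101", 4, 20.4),      # seq 3 never arrived
    ("TT-101", 3, 20.3),      # late or replayed frame
    ("TT-101", 4, 20.4),      # exact duplicate
    ("PT-205", 65535, 5.0),
    ("PT-205", 0, 5.1),       # counter wrap, still in sequence
]

if __name__ == "__main__":
    for src, seq, status in audit(SAMPLE_FRAMES):
        print(src, seq, status)
```

Stale and duplicate frames are not accepted as new process values and do not advance the stored counter, so an attacker or a faulty repeater re-sending old frames cannot push the host backwards; a gap is still accepted (the newer data is real) but is reported so availability problems and jamming show up in the logs the DEP asks for.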

4.2.5 Backdoor access

Whilst normal external access to/from remote connections may be protected, wireless may enable remote access to some location within the PCD by opening a backdoor, and hence the possibility of deeper penetration of the PCD and PCN e.g. denial of service attack, virus, worms, ‘man in the middle’, etc.

ο Wireless equipments connected to a TCP/IP port shall use static IP addresses (DHCP shall not be utilised).

ο A firewall is necessary for DACA compliance whenever Ethernet connections are used; see below for possible configurations. The PCAD should be used as a firewall (except for wireless sensors). A separate wireless domain forming a VLAN should also be used.

ο Access control lists and authentication methods shall be implemented and software and procedures should be in place to detect and follow up any unauthorised access.

ο MAC address filtering should be used as an additional security measure if this can be supported.

ο Encryption should be used; AES encryption is preferred, although WiFi WPA2 is also recommended, where permitted (some encryption methods may be prohibited in certain countries).


ο Penetration testing should be undertaken to check vulnerabilities.

4.2.6 Manageability /maintainability

Wireless technology is relatively complex and requires high-level knowledge and training. Without these there could be possible errors in configuration or operation, which could create security vulnerabilities. Some considerations are:

ο Management and control of engineering, equipment, configurations, passwords, etc. are essential features of security and shall be adhered to closely to ensure that the required level of security is attained and maintained.

ο Staff shall be trained on security risks and threats associated with use of wireless.

ο Location and installation specific issues should be identified by security and wireless experts, and these should be included in the training to be delivered to staff.

ο Telecom, IT and C&A staff should co-operate in order to understand the risks of sharing the wireless ‘space’. This is particularly relevant if wireless networks are established for both OD and PCD networks in the same geographical location.

ο Staff shall be trained on use of wireless including the control of configurations.

ο The configuration (whilst offline) shall be regularly tested by means of a penetration tester.

ο There shall be a regular check for updates of the software versions and they shall be applied as soon as possible.

4.2.7 Unauthorised access

By people with access codes such as disgruntled employees, work permit holders, vendors with secret access codes, casual tampering.

ο Access control procedures shall be created and enforced. The appropriate tools and procedures shall be in place to detect and follow up any unauthorised access.

ο Logging of access should be implemented.

ο Physical security shall be provided.

ο Manufacturers' default equipment names and passwords shall be changed.

ο Physical spare ports provided on equipments, such as RS232 for configuration, shall be made physically secure (and disabled if possible).

ο Encryption keys, passwords, and access codes shall be logged with careful control procedures.

ο Access by the Vendor shall be particularly tightly controlled by registration and certification before work is commenced and by making Vendor employees accept responsibility. Vendor activity should be logged.

ο Any remote access to any part of a wireless system shall follow the rules for Third Party Access via the PCAD.


4.2.8 Engineering deficiencies

Ad-hoc engineering neglecting security; inappropriate use of wireless.

ο Design and engineering of wireless systems shall be carried out rigorously to ensure adequate security and protection from interference, whilst providing the customer driven need for a service.

ο Engineering of wireless systems shall limit the range of wireless coverage as a part of the design.

ο Other standards and guidelines on wireless should be used in order to assist in understanding of the technology.

ο A risk analysis shall be performed and this should allow the option of using another technology if the risks associated with the use of wireless are found to be unacceptable.

4.2.9 PCD wireless domain

All “wireless worker” equipment shall be separated from the PCD and shall be routed via the PCAD firewall, particularly when Ethernet connections are used. This is achieved by placing all wireless devices in a separate wireless domain – a demilitarised zone (DMZ) using a closed IP address range – that is connected to the PCAD and provides the necessary authentication for users and wireless devices. This ensures that access and authentication can be controlled by the PCAD.

NOTE: Two-factor authentication or VPN for PDAs and laptop devices may not be available, but the use of authentication and the highest levels of control should be implemented on such WiFi devices.

The PCAD can then be used to permit applications to be utilised in the OD and the PCD.

Under no circumstances shall a ‘wireless worker’ device, connected directly to the OD, be used to access the PCD unless PCAD authentication and access controls are imposed. All devices accessing the PCD shall be connected via the PCAD.

Remote access from a ‘wireless worker’ (PDA / tablet) is available via the Office Domain, subject to the same rules as any device using smart cards, tokens, etc., and the wireless worker shall need to follow PCAD access rules to gain access to the PCD. PDAs and other devices may need to comply with intrinsic safety requirements and to be Ex certified for use in the PCD.


[Figure 5 is not reproduced in this extraction. Labels recoverable from the drawing: Process Domain; Wireless DMZ; Office Domain; PCAD; Firewall; Access Point; Radio tower; Bridge; VPN on Bridge link; PCN; Laptop computer; Pen computer; PDA; 802.11 WiFi Access; Wireless Access for Process Users; Process Sensing.]

Figure 5 Wireless access for process users

4.3 WIRELESS SENSOR SYSTEMS

4.3.1 General

Wireless sensor systems are likely to become more popular, and shall be incorporated into the PCD in a secure fashion. The actual point and method of connection will depend on the nature of the system considered, the protocols used and the system requirements.

Wireless monitoring devices shall form an integral part of the PAS. Data from these devices will probably be gathered by an access point with an integral gateway. If this gateway is connected to the PAS or PCN by means of a routable protocol (e.g. IP), it should be connected via a separate firewall designed and configured for wireless sensors. See Figure 6 below for the recommended connection methods.


[Figure 6 is not reproduced in this extraction. Labels recoverable from the drawing: Office Domain with OFFICE NETWORK (GI), Internet, Access Manager and PCAD; Process Control Domain with PROCESS CONTROL NETWORK, CONTROL BUS, FIELD BUS, PAS, Asset Mgt, Historian, Clients, CCR Gateway, HMI, Control, I/O Gateway; "DACA Wireless Sensor Connections Recommended" showing connection options numbered 1 to 5 via mA/HART, Gateway, Ethernet, Modbus and Firewall.]

Figure 6 Recommended wireless sensor connections (2.3.1)

Sensor devices should be connected to the process control network via a dedicated access point and firewall. The advantage of this is that the sensors are more embedded within the process domain and not subject to any disruptions, outages or controls from the PCAD.

This wireless sensor system firewall should not require active management but be a ‘set and forget’ device.

Many wireless systems available at this time may not have many security features available, but for any implementation the measures included and available should be used to ensure the required degree of security.

In the long term wireless sensor devices will probably have an improved degree of security embedded within them. Preference should be given in the procurement phase to Vendors offering the best security features, which may include encryption, access controls, authentication, key management and 2 factor authentication.

Some of the preventative measures specific to wireless sensor systems, in addition to those described in (4.2), are considered below.


4.3.2 Jamming

ο If possible wireless sensor systems should not use the unlicensed WiFi bands (2.4 GHz).

ο In the US, the 900 MHz band can be used.

ο In some parts of the world 400 MHz or 868 MHz can be used; however, the lower transmission power and restricted duty cycle may limit usefulness.

ο Some new sensor systems are using IEEE 802.15.4 wireless devices. These may have limited range and also may use the 2.4 GHz band. If so, RF channels should be chosen which interleave with WiFi to reduce the likelihood of interference i.e. IEEE 802.15.4 channels 15, 20, 25 and 26 (2425, 2450, 2475 and 2480 MHz).
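The channel recommendation above (IEEE 802.15.4 channels 15, 20, 25 and 26 against a WiFi plan of channels 1, 6 and 11) follows from the centre frequencies and channel widths of the two standards. The following is an added worked example, not part of this DEP, that derives that list and lets a planner re-run it for a different WiFi channel plan; the centre-frequency formulas are those of the IEEE standards, and the simplified rectangular channel widths (22 MHz for 802.11b/g DSSS, 2 MHz for 802.15.4) are an approximation of the real spectral masks.

```python
# Centre frequencies per the IEEE standards (general knowledge, not from the DEP):
#   802.15.4, 2.4 GHz PHY: channel k = 11..26 -> 2405 + 5*(k-11) MHz, about 2 MHz wide
#   802.11b/g:             channel n = 1..13  -> 2407 + 5*n MHz,    about 22 MHz wide
# Channel widths are modelled as rectangles; real masks roll off gradually.
WIFI_HALF_WIDTH_MHZ = 11.0
IEEE_802_15_4_HALF_WIDTH_MHZ = 1.0


def wifi_centre_mhz(channel):
    """Centre frequency of a 2.4 GHz 802.11 channel (channel 14 is the Japan-only outlier)."""
    if channel == 14:
        return 2484.0
    return 2407.0 + 5.0 * channel


def ieee802154_centre_mhz(channel):
    """Centre frequency of a 2.4 GHz 802.15.4 channel, k = 11..26."""
    return 2405.0 + 5.0 * (channel - 11)


def overlaps(ieee802154_channel, wifi_channel):
    """True if the occupied bandwidths intersect. Touching at the band edge is
    treated as clear, which is why channel 15 (2425 MHz) counts as sitting
    between WiFi 1 (2401-2423 MHz) and WiFi 6 (2426-2448 MHz)."""
    separation = abs(ieee802154_centre_mhz(ieee802154_channel) - wifi_centre_mhz(wifi_channel))
    return separation < WIFI_HALF_WIDTH_MHZ + IEEE_802_15_4_HALF_WIDTH_MHZ


def clear_channels(wifi_channels=(1, 6, 11)):
    """802.15.4 channels that fall in the gaps between the given WiFi channels."""
    return [k for k in range(11, 27)
            if not any(overlaps(k, w) for w in wifi_channels)]


if __name__ == "__main__":
    print("WiFi 1/6/11 plan:", clear_channels())               # [15, 20, 25, 26]
    print("WiFi 1/5/9/13 plan:", clear_channels((1, 5, 9, 13)))
```

Running it for the four-channel plan (1, 5, 9, 13) sometimes used in Europe returns an empty list: with WiFi channels spaced 20 MHz apart there is no gap left for an 802.15.4 channel, which is the practical reason the DEP prefers to keep sensor systems out of the 2.4 GHz band altogether where another band is available.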

4.3.3 Detection

ο See (4.2.2)

4.3.4 Eavesdropping

ο Encryption in current sensor systems may be proprietary, strong or non-existent.

ο If encryption is available it should be enabled, however this has a processing overhead and may affect latency and power consumption.

4.3.5 Bogus Data

ο If encryption is available it should be enabled, however this has a processing overhead and may affect latency and power consumption.

ο Password access for maintenance is likely to be available; this should be used in accordance with Shell password rules.

ο Sensors can be provided with a GPS receiver or other locating device which periodically verifies that the sensor is still attached to the proper process connection and has not been swapped with another sensor.

ο Varying levels of access control should be implemented in full; this may include various equipment identification codes, hopping sequences, etc. In all cases the appropriate record keeping and controls should be established.

4.3.6 Backdoor opened

ο Individual firewalls shall be separate hardware devices with tightly controlled firewall rules. The rules shall be recorded and maintained.

ο Individual device authentication methods for sensor units should be sought and utilized in any selected equipment. In the future 2-factor authentication may be provided, but currently devices may only have identification codes available.

ο Wireless sensors often have multiple coding levels such as RF channels, hopping sequences, device identification, etc. Each of these should be used to assist separation in order to improve the security levels and reduce risks of intrusion.

4.3.7 Manageability /maintainability

ο Wireless sensors are often powered by batteries and the lifetime of these will be governed by the methods used for data recovery including sampling rates, transmission rates, operating temperatures, etc. Battery failure will impact availability and hence data integrity.

ο Battery lifetime shall be considered in the design.

ο Procedures for checking and replacing batteries at regular intervals shall be established.


ο Wireless coding, frequencies and device identification shall be fully managed.

ο Staff with wireless competence shall be selected and trained on the specific wireless technology and Vendors' products. Such training shall be reviewed at regular intervals to ensure there is no loss of knowledge due to staff turnover, etc.

4.3.8 Unauthorised access

ο The use of access codes and passwords for access control should be reviewed in detail, and comprehensive controls shall be put in place to administer and control access within the constraints of the equipment available.

ο If access is via the PCAD then access control shall utilise the established DACA procedures.

4.3.9 Engineering deficiencies

ο Engineering of wireless systems shall be given special attention to ensure that all the systems being installed, and how they may interact, are fully understood and that the RF planning of specific systems is properly carried out prior to installation.

4.4 WIRELESS WORKER AND WIFI / WLAN – IEEE 802.11

4.4.1 General

Wireless worker devices often use WiFi /IEEE 802.11 based equipment. WiFi is often used for other applications within the PCD as well.

IEEE 802.11(a, b, g or n) is the same WiFi as that used in domestic systems and represents a significant security risk. It is standardised almost world wide, and the standard is completely open and may be visible to anyone with a suitably equipped device such as a readily available laptop, PDA, etc. Being so common also means it is more susceptible to interference from other users and this can disrupt any essential communication. There are only three non-overlapping wireless RF channels to be shared between all users, which makes it very difficult to avoid interference.

The technology may be used for a variety of applications such as:

ο Hotspot type access for roaming handheld devices for process monitoring or information reporting within a plant (Wireless Worker)

ο Hotspot access to the internet

ο A network layer in a mesh type network

ο Bridging between remote segments of LAN

ο Possibly sensor measurements (not recommended)

Many of the following recommendations, in addition to the general recommendations in (4.2), are considered essential to achieve the necessary degree of security and to reduce the risks of deploying WiFi systems to acceptable levels.

4.4.2 Jamming

ο IEEE 802.11b should not be used in crowded urban environments where other users may be close by. Since the protocol is so open, anyone can listen in and/or attack the data stream or cause disruption due to interference by using the same or close wireless frequencies. However, certain prevention measures are available to reduce some of the risks.

ο IEEE 802.11a (5 GHz) should be used in preference to IEEE 802.11b or g to reduce the risks of interference (jamming), although this may not be available in all countries due to regulatory restrictions.

ο The problems of OD systems mutually conflicting with PCD, by sharing the same small frequency band, shall be carefully considered.


4.4.3 Detection

ο A unique, location specific SSID shall be used.

ο No SSID shall be used that can be easily tracked to the location like SHELL_PLANT.

ο The SSID shall NOT be broadcast.

4.4.4 Eavesdropping

ο WPA or WPA2 or AES (NOT WEP) security / encryption shall be used where permitted (some encryption methods may be prohibited in certain countries).

ο Keys for encryption shall be carefully chosen and shall be managed to ensure they are securely protected and accessible, with the appropriate permissions, when required.

4.4.5 Bogus data

ο The wireless access point should be placed in a demilitarised zone (behind a firewall) – connections to PCD or OD shall only be via the PCAD.

ο User authentication should be provided.

4.4.6 Backdoor opened

ο Static IP addressing shall be used.

ο DHCP shall be disabled.

4.4.7 Manageability /maintainability

ο See (4.2.6)

4.4.8 Unauthorised access

ο The use of access codes and passwords for access control should be reviewed in detail, and comprehensive controls shall be put in place to administer and control access within the constraints of the equipment available.

ο Only authorised persons shall have administrative rights at wireless access points and equipment. (e.g. only approved maintainers shall have access, whilst project staff could be allowed limited access when required).

ο WPA keys shall be carefully controlled and managed, and shall be stored in a secure location and only shared with a minimum number of authorised persons.

ο If access is via the PCAD then access control shall utilise the established DACA procedures.

4.4.9 Engineering deficiencies

ο See (4.3.9).

ο More details on WiFi security standards are contained in the relevant ITCI standards and guidelines. Although these are aimed at the OD the same principles shall be applied in the PCD (where relevant) to provide adequate protection.

4.5 WIRELESS BRIDGING LINKS

4.5.1 General

Wireless bridges may be necessary within the PCD to link parts of the domain, e.g. DCS LAN segments and wireless segments within the PCN.

If WiFi equipment is utilised then the measures in (4.4) shall be addressed.


In all cases, a VPN tunnel shall be used to tunnel the PCD traffic across the wireless link. This is consistent with the transmission of PCD data across “public” or “OD” networks as required in the Information and Security Standard for PCADs and PCDs (ITCI-117). Consequently, the underlying wireless link can generally comply with the relevant Shell IT wireless standards; however, the following recommendations are provided for guidance.

There is a wide range of technologies and frequencies which may be used. Selection will depend upon local conditions, the frequencies that can be used and local availability.

Wireless bridges within the PCD shall use two-factor authentication via a unique pair of IP addresses using an IPsec tunnel with unique pre-shared keys across bridge links to avoid backdoor access to the PCD.

Security considerations are the same as specified in (4.4) and prevention measures are described below. NOTE: Security requirements for wireless are currently under further development.

4.5.2 Jamming

ο See (4.2.1).

4.5.3 Detection

ο See (4.2.2).

4.5.4 Eavesdropping

ο AES or equivalent encryption on the wireless equipment itself should be used, where permitted (some encryption methods may be prohibited in certain countries).

ο Two-factor authentication via a unique pair of IP-addresses using an IPsec tunnel and unique pre-shared keys shall be used across bridge links.

4.5.5 Bogus data

ο Two-factor authentication via a unique pair of IP-addresses using an IPsec tunnel and unique pre-shared keys shall be used across bridge links.

4.5.6 Backdoor opened

ο See (4.5.5).

4.5.7 Manageability /maintainability

ο See (4.2.6).

4.5.8 Unauthorised access

ο See (4.2.7).

4.5.9 Engineering deficiencies

ο See (4.3.9).


5. APPROVALS

ITCI-117 section 4.7.1 specifies that the use of any form of wireless technology within the PCD is subject to approval by the C&A Technical Authority.

Due to the evolving nature of wireless technology applications in the PCD, approval and input shall be sought from the relevant C&A / Instrumentation Engineering Global Discipline Leader for all wireless application projects in the PCD.

To support the approval, a specific risk assessment shall be undertaken.

Non-PCD data over wireless connections may also be implemented as a part of the OD in the same geographic area as the PCD. Wireless waves do not respect such boundaries and hence wireless signals may ‘reach’ within the PCD; consequently any risk assessment and approval shall include consideration of each of the wireless networks and how they may impact each other.

A risk assessment should demonstrate the business impacts before the wireless network connection method is approved.

For audit purposes, the design, assessment, approval and certification shall be fully documented, with clear management of wireless assets and configurations to assure compliance with the necessary security requirements.


6. RISK ASSESSMENT

6.1 GENERAL

To ensure compliance with DACA security requirements, a site-specific risk assessment of wireless technology implementations shall be performed. This will ensure the necessary security and establish the basis for design and configuration to achieve the required security.

As an example of site-specific differences, if WiFi IEEE 802.11 is to be implemented in an onshore location close to an urban environment, the risks of interference may be considered too great to provide the necessary data transfer, whilst on an offshore platform the risks are less.

During the risk assessment the requirements of the wireless system at the application layer (higher levels of the OSI model) should be identified, e.g. file transfer.

Some guidelines on undertaking a risk assessment for a wireless system are outlined below.

6.2 ORGANISATION

A risk assessment should be arranged as a workshop to gain input from all stakeholders and should include representatives from IT, C&A, Telecom and other responsible parties associated with the particular system being considered.

The method and details should be carefully recorded and the results incorporated into a report which concludes whether wireless is permitted or not. This is then subject to approval by the C&A Technical Authority.

6.3 METHODOLOGY

A risk assessment should be based on standard Shell methodologies as described in Shell EP 95-0300.

This uses the matrix below and serves to highlight areas of concern.

Figure 7 Risk assessment matrix


6.4 SCENARIOS

It may be possible to consider a number of options to establish the most suitable one with the least risk, by gauging the risks of each threat in each scenario.

Such options may be the alternative wireless domain methods described elsewhere in this DEP.

6.5 THREATS

Possible threats include those described earlier in this DEP; these may be considered in further detail. See (8).

6.6 CONSEQUENCES

There are two elements in any risk: the consequences or impact of a threat materialising and the likelihood that it will occur. These are combined to give a score, which is entered into the risk matrix for review. Consequence considers the impact on people (loss of life), assets (financial losses, such as production losses or equipment damage), environment (damage due to spill, etc.) and reputation (damage to company reputation by adverse publicity, etc.). The highest value of these is considered as the worst case in the assessment.

6.7 LIKELIHOOD

The determination of the likelihood of a threat occurring depends upon knowledge of the possibility of attack based upon some prior experience. Unfortunately in the wireless domain there is limited experience and hence this determination requires judicious consideration of possible worst-case scenarios.


7. MANAGEMENT

7.1 GENERAL

When implementing wireless systems, Vendors and operators shall adhere to DEP 32.01.23.17-Gen. This will apply not only to the specific wireless elements but also to any PCs or equipment used to gather and distribute data, configure devices, etc.

7.2 ROLES AND RESPONSIBILITIES

Wireless technology is different from previous C&A technology and its use is likely to bridge across IT and C&A disciplines. Since wireless systems can be deployed in both the OD and the PCD, and may share the same frequencies and bands and so conflict with each other, the systems, frequencies, etc. shall be closely managed. Hence the roles and responsibilities of staff must be determined to ensure that the appropriate competence and training is provided to assure smooth operation of any parallel networks. For further information on roles and responsibilities refer to DEP 32.01.21.10-Gen.

7.3 PATCH MANAGEMENT

Wireless sensor devices may have separate operating systems installed, which can be subject to future updates. The patch update procedure shall follow that in DEP 32.01.25.11-Gen. and shall be administered carefully.

7.4 CONFIGURATION MANAGEMENT

Individual wireless sensor devices can form part of a wider wireless network covering a number of wireless sensors, wireless access points, repeaters etc. The configuration of these shall be tightly controlled in order to assure smooth operation and extended security.

Configuration management guidelines for PCD systems shall be followed in accordance with DEP 32.01.22.10-Gen. Particular attention shall be paid to:

ο Maintenance of the system architecture to describe the network and record equipment addresses.

ο Maintenance of access to the remote devices using strong user names and passwords.

ο Maintenance of the remote wireless sensors to assure they remain in place and operational.

ο Wireless systems may have a variety of networking addressing options, e.g.

• Vendor code – a generic address code common to all equipment used at the location to help block non-approved equipment.

• Frequency channel, hopping code or time code (all providing dedicated and separated communications channels permitting multiple channels to operate simultaneously).

• Destination code – a code for the specific equipment to identify its rights to transmit and receive on this wireless network.

These codes and frequencies must be managed to assure security and avoid interference and disruption between adjacent systems. This applies to new and existing wireless systems in both the PCD and the OD.
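The addressing rules of 7.4 can be checked mechanically against the equipment register that the system architecture record maintains. The following is an added example, not part of this DEP or any Vendor's software; the register layout (id, system, domain, vendor_code, channel, hop_code, dest_code) and all device values are constructed for illustration.

```python
"""Added example (not part of the DEP): conformance check of a constructed wireless
equipment register against the 7.4 addressing rules. The record layout below is a
hypothetical one: id, system (devices sharing one access point), domain (PCD/OD),
vendor_code, channel, hop_code, dest_code."""
from collections import defaultdict

# Constructed: the generic vendor code approved for all equipment at this location.
SITE_VENDOR_CODE = "SITE-A17"

# Constructed register: three systems across PCD and OD, two of them misconfigured.
REGISTER = [
    {"id": "XT-101", "system": "flare-monitoring", "domain": "PCD", "vendor_code": "SITE-A17",
     "channel": 11, "hop_code": "H3", "dest_code": "D-0101"},
    {"id": "XT-102", "system": "flare-monitoring", "domain": "PCD", "vendor_code": "SITE-A17",
     "channel": 11, "hop_code": "H3", "dest_code": "D-0102"},
    {"id": "TK-201", "system": "tank-gauging", "domain": "PCD", "vendor_code": "SITE-A17",
     "channel": 16, "hop_code": "H7", "dest_code": "D-0201"},
    # Left on a factory default vendor code and cloned from TK-201 including its destination code.
    {"id": "TK-202", "system": "tank-gauging", "domain": "PCD", "vendor_code": "DEFAULT",
     "channel": 16, "hop_code": "H7", "dest_code": "D-0201"},
    # OD bridge configured onto the same channel/hop code as the PCD flare system.
    {"id": "BR-301", "system": "office-bridge", "domain": "OD", "vendor_code": "SITE-A17",
     "channel": 11, "hop_code": "H3", "dest_code": "D-0301"},
]

def check_register(register, site_vendor_code):
    """Return (subject, finding) pairs; an empty list means the register conforms."""
    findings = []
    # Vendor code: the single code approved for the location, so that equipment
    # carrying any other code is blocked rather than admitted to the network.
    for dev in register:
        if dev["vendor_code"] != site_vendor_code:
            findings.append((dev["id"], "vendor code not the approved site code"))
    # Destination code: identifies one device's rights to transmit and receive,
    # so two devices sharing a code cannot be told apart or revoked separately.
    by_dest = defaultdict(list)
    for dev in register:
        by_dest[dev["dest_code"]].append(dev["id"])
    for code, ids in by_dest.items():
        if len(ids) > 1:
            findings.append((",".join(ids), f"destination code {code} reused"))
    # Channel and hopping code: a dedicated pair per system; sharing a pair across
    # systems, whether in the PCD or the OD, removes the separation and invites interference.
    by_chan = defaultdict(set)
    for dev in register:
        by_chan[(dev["channel"], dev["hop_code"])].add(dev["system"])
    for (ch, hop), systems in by_chan.items():
        if len(systems) > 1:
            findings.append((f"ch{ch}/{hop}", "channel/hop code shared by systems: " + ", ".join(sorted(systems))))
    return findings
```

On the sample register, check_register(REGISTER, SITE_VENDOR_CODE) reports TK-202's default vendor code, the reused destination code D-0201 and the channel/hop pair shared between the PCD flare system and the OD bridge.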

7.5 TRAINING

Wireless systems are often far more complex than their wired predecessors, hence specialised training shall be considered. This training shall include security awareness as well as maintenance and operation of the complete wireless system. The findings of the risk assessment should be used to increase the value of the training.


7.6 REMOTE MAINTENANCE

To realise the benefits of wireless technology it is desirable to have remote configuration capabilities. Current technology may provide this in some limited form, such as reporting low battery, but in future more extensive control of operational features such as sensor sampling rates, wireless transmission rates, etc. is likely to be available. Processes to control and manage such changes are essential and the security aspects of this must not be overlooked. Selected staff performing remote maintenance must be granted the authority to do so, and equally all others must be prohibited from doing so; the management of these authorisations is an essential part of the wireless network.

Should remote maintenance be required from outside the PCD, e.g. from a Vendor's premises via the Internet or a user in the OD, then this shall only be facilitated via the PCAD into the PCD by means of third party access procedures when required.


8. SUMMARY OF WIRELESS THREATS AND THEIR PREVENTION METHODS

Threat                                                      Prevention
0    Generic Detection                                      Camouflage and in future UWB modulation

1    Sensor originated data
1.1  Eavesdropping                                          Encryption
1.2  Bogus sensor data                                      Encryption, message integrity
1.3  Jamming                                                Frequency management, use of licensed rather than unlicensed bands, use of high gain antennas, shielding, check for interference
1.4  Running out of power                                   Sampling strategy; alarms, maintenance routines
1.5  Redundant path below critical level                    Network engineering
1.6  Unpredictable delays                                   Use of new technologies (has most effect on control)
1.7  Occasional signal obstruction                          Careful wireless engineering; choose protocol with error correction and ARQ (Automatic Repeat Request)

2    False data to sensor
2.1  Instrument setting integrity compromised               Encryption, access control, use access control codes
2.2  Integrity of field loop setting compromised            Encryption, access control, use access control codes
2.3  Inability to shutdown from Central Control Room (CCR)  Applies to control: use redundant paths (wired)

3    Backdoor access to Shell Network
3.1  Backdoor opened                                        Firewall / PCAD, encryption, access control
3.2  Denial of service attack                               Access control, firewall, intrusion detection
3.3  VPN compromised, stolen sensor                         Key management and access controls
3.4  Man in the middle                                      Access control and encryption, end to end

4    Manageability
4.1  Roles and responsibilities unclear                     Clear documented roles and procedures
4.2  Poorly managed Service Level Agreement (SLA)           Manage SLAs and associated procedures
4.3  Vendor management                                      Select good Vendors
4.4  No standards                                           Use new standards where possible; train staff on proprietary equipment
4.5  Encryption algorithm compromised                       Use AES (expected to have a long life before compromise); also manage keys

5    Management and Maintenance
5.1  Poor maintenance procedures                            Manage maintenance procedures
5.2  Staff not trained                                      Training on security, password and access control procedures; integrate activities between IT and C&A
5.3  Lack of diagnostics                                    Use new technology with diagnostics (needs new standards)

6    Unauthorised access
6.1  Disgruntled employee                                   Access control procedures, encryption
6.2  Misuse of work permit                                  Access control and procedures
6.3  Casual tampering                                       Access control, encryption
6.4  Loss of confidentiality                                Security of data within PCD, key management, password control
6.5  Vendor secret access                                   Access control, encryption, procedures, Vendor registration
6.6  Disgruntled vendor employee                            Vendor registration and access control

7    Design and implementation
7.1  Traditional engineering / design                       Careful engineering and use of new technology
7.2  Ad-hoc engineering / under engineering                 Careful engineering, training, co-operation between departments


9. ISA SP-100 DEVELOPMENTS

The ISA SP-100 committee is developing new standards for wireless systems in automation, which will also include strong security, but publication of these standards is expected to take some time. The current recommendations of SP-100 should be reviewed and adopted where relevant.


10. REFERENCES

In this DEP, reference is made to the following publications:

NOTES:

1. Unless specifically designated by date, the latest edition of each publication shall be used, together with any amendments/supplements/revisions thereto.

2. The DEPs and most referenced external standards are available to Shell users on the SWW (Shell Wide Web) at http://sww05.europe.shell.com/standards.

SHELL STANDARDS

Data Acquisition and Control Architecture (DACA)
DEP 32.01.20.10-Gen.

Data Acquisition & Control Architecture (DACA) - Roles and responsibilities
DEP 32.01.21.10-Gen.

Procedural Controls Configuration Management
DEP 32.01.22.10-Gen.

PCD Vendor Computer system specifications
DEP 32.01.23.17-Gen.

System security patching
DEP 32.01.25.11-Gen.

Information Security Standard for PCADs and PCDs
ITCI-117

Overview Hazards and Effects Management Process
EP 95-0300

HSE Risk Assessment Matrix
March 2006

AMERICAN STANDARDS

IEEE Standard for Information technology — Telecommunications and information exchange between systems — Local and metropolitan area networks — Specific requirements — Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications — Amendment 1: High-speed Physical Layer in the 5 GHz band
IEEE 802.11a

IEEE Standard for Information technology — Telecommunications and information exchange between systems — Local and metropolitan area networks — Specific requirements — Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications — Amendment 2: Higher-speed Physical Layer (PHY) extension in the 2.4 GHz band
IEEE 802.11b

IEEE Standard for Information technology — Telecommunications and information exchange between systems — Local and metropolitan area networks — Specific requirements — Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications — Amendment 4: Further higher-speed physical layer extension in the 2.4 GHz band
IEEE 802.11g

IEEE Standard for Information technology — Amendment to IEEE Std 802.11, 1999 Edition (Reaff 2003) — Telecommunications and information exchange between systems — Local and metropolitan area networks — Specific requirements — Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications — Amendment 6: Medium Access Control (MAC) Security Enhancements
IEEE 802.11i

IEEE Standard for Information technology — Telecommunications and information exchange between systems: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications: Enhancements for Higher Throughput. NOTE: draft expected late 2006
IEEE 802.11n

IEEE Standard for Information technology — Telecommunications and information exchange between systems — Local and metropolitan area networks — Specific requirements — Part 15.4: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for Low Rate Wireless Personal Area Networks (WPANs)
IEEE 802.15.4

IEEE Recommended practice for local and metropolitan area networks — Coexistence of fixed broadband wireless access systems
IEEE 802.16

Issued by: Institute of Electrical and Electronics Engineers, 445 Hoes Lane, PO Box 1331, Piscataway NJ 08855-1331, USA

ISA committee developing new standards for wireless systems in automation
ISA SP-100 committee

Issued by: Instrument Standards and Automation Society (ISA), 67 Alexander Drive, Research Triangle NC 27709, USA

Last page of this DEP