Ensuring a safe work environment has been at the forefront of tank terminal organisations since the beginning. Companies implemented safety measures across their organisations. Health, safety and environment (HSE) has become an integral part of tank terminal operations. The introduction of automation allowed tank terminals to improve their (primary) processes, making them more efficient and safer. However, this increases the risk of cyber incidents that can impact HSE. Cyber security risks for tank terminals are present in all forms. Threats can originate from inside and outside the organisation and are continuously evolving. This means that cyber security resilience needs to evolve as well. Tank terminal operations must be prepared by being aware of the latest threats and operators must know what to do in case of a cyber-attack. It is recommended that cyber security is well integrated in the operation of any tank terminal. Only if this is the case can operators ensure that cyber risks are managed appropriately.

Current situation

Where most tank terminals have a legacy infrastructure that was designed without considering cyber security as compared to what is accepted within the industry today. New installations or projects that intend to upgrade the current infrastructure need to take this into account, both to ensure that these do not pose a (cyber security) risk to the legacy infrastructure or vice versa. Larger organisations with multiple locations and terminals often have tank terminals with different infrastructures and levels of automation, ranging from tank terminals with manual operation or limited automation to highly automated tank terminals. Hudson Cybertec, as an independent provider of cyber security consultancy and services for operational technology, often encounters tank terminals that struggle with the implementation of cyber security within their own organisation. One of the reasons that tank terminals struggle is because most do not have an up-to-date overview of their own infrastructure, both for their IT- and OT-environments. The situation is even more complex in larger organisations that have multiple terminals, how can they ensure that current cyber security risks are properly managed, mitigating the risk that cyber security incidents pose to the organisation?

Manage cyber security

To manage cyber security, industry derived cyber security standards are frequently used as a basis. For example, the IT-environment can use a cyber security standards framework like the ISO 27k series while the OT-environment can use the cyber security standard IEC 62443 for Industrial Automation and Control Systems. The IEC 62443 standard specifically provides guidance, based upon industry best practices, to manage cyber security within an OT-environment using a cyber security management system (CSMS). These cyber security standards consider security measures which address the three areas of cyber security: people, process and technology.

CSMS as specified in the IEC 62443 should be aligned with the organisation’s vision and goals. An effective implementation determines the right balance of security measures that address people, process and technology. IEC 62443 addresses each of these, for example: training and awareness addresses people, policies and procedures address the process and system requirements address technology. Hudson Cybertec has a thorough experience supporting companies with the development and implementation of a CSMS which is tailored to each organisation’s specific cyber security requirements.

Know your infrastructure

Decisions on how to implement cyber security within a tank terminal can only be made if the company knows where it stands with regard to cyber security. Therefore, as the first step to take control of cyber security, Hudson Cybertec often performs a baseline measurement in form of a cyber security assessment as a starting point to improve cyber security at a tank terminal. This gives the organisation a clear overview of its challenges in the area of cyber security. It also allows the company to define and focus on those aspects of cyber security that have the highest priority for the organisation or need to be remediated first. In addition, it allows the tank terminal to identify so called ‘quick wins’ that can be easily implemented without too much effort.

Click here to read the full article.