DSM-AW-201607 Downstream Manufacturing September 2016

Process Control Domain (PCD) Security Incidents

Target audience for this alert

 Engineering and Technology
 Production and Maintenance
 Contracts and Procurement
 IT
 HSSE
 PCD IT Security
Figure 1 – Remote Flow Control Station
A PCD IT SECURITY INCIDENT IS:
“Any event that disrupts the expected standard operation of any PCD service, facility or system and causes
disruption of or denial of operation to the PCD, or inappropriate access to or use of data. An incident can also be
caused by system failure or human error.” (source: IRM 3.318 Risk Profile Process Control Domain).

Incident #1 – EWS Infected with Cybersecurity Virus

What happened
In 2015, a remote flow station lost power. The Universal Power Supply (UPS) and Backup Diesel Generators
sustained the system for a short time but eventually the Flow Control System (FCS) lost backup power and powered
down. Once power was restored, the FCS could not be re-started. Technicians attempted to reload the FCS
software using the local Engineering Work Station (EWS). Trouble shooting later revealed that the EWS software
was corrupted as a result of cybersecurity virus infection. The incident resulted in a production deferment on the
order of hundreds of thousands of dollars.

Why it happened
The attempted reloads of the FCS via the EWS were unsuccessful due to malware infecting the EWS.
 The EWS was not protected by appropriate antivirus software. It was found that installation of antivirus and
system hardening was not specified in the contractor’s commissioning scope of work.
Incident #2 – PCD Vendor Ransomware Incident
What happened
In March 2016, a third-party vendor PCD laptop was being used for general office
purposes when it was infected with the Cerber Ransomware. This virus encrypted the files
on the laptop and told the user that they could buy the special software needed to restore
them. Shell provided a replacement laptop and rebuilt the system using recent backups.
No ransom was paid.

Why it happened
 Ransomware was activated when the user opened an email attachment.
Figure 2 – Ransom note
 Laptop had operating system patches and a freeware antivirus application installed
that did not meet Shell requirements.

Incident #3 – Cybersecurity Virus Incident

What happened
In April 2014, a cybersecurity virus called Paint.exe was discovered on a
Distributed Control System (DCS) in a Shell Control Room. On further checks it
was discovered that the virus had spread to other site PCD systems. The impact
was a loss of process view on the infected DCS systems. Two technicians spent a
Figure 3 – DCS System
total of four days to restore the impacted PCD systems.

Why it Happened
The cybersecurity virus was introduced into the PCD system via USB stick/flash drive.
 The USB stick/flash drive had been scanned, but the PCD antivirus software did not detect the virus. The virus
infected additional systems due to the time it took to recognize the problem and escalate via the correct
channels to get an appropriate response.

Lessons learned
 Restricting portable media and computer use is the most effective control against malware infections of the PCD.
o Follow site procedures for the appropriate use of USB stick/flash drives in the PCD.
o Involve site PCD site focal point anytime someone wants to connect portable media or computers to the
PCD.
o Consider using dedicated portable media for the sole purpose of file transfer within the PCD.
 The threat environment is constantly evolving and changing with the development of new viruses and malware.
We need to be ever-vigilant for these new threats and how to recover quickly from them.
 Any suspected or actual PCD IT Security incidents should be reported through your PCD site focal point.
 For new systems, commissioning should verify that the latest antivirus and systems patches are installed.
Handover from a project to a run and maintain organisation should highlight the need to maintain the antivirus
software and system patches.

Further information
 Learning Materials - to open in pdf, right click on the paper clip near the icon and select ‘open file’

Safety Meeting LFI Summary Safety Meeting

Learning Session DSM-AW-201607.ppt
DSM-AW-201607.docx 1-pager DSM-AW-201607.ppt
 The PCD IT Security Standard is the single standard for ensuring a safe, secure and resilient Process Control
Domain in Shell through the appropriate use of IT by providing a set of effective controls (requirements) that
mitigate risk to As Low As Reasonably Practicable (ALARP). For Operating Assets, it is documented in the PCD
Risk Profile, which is part of the IT Control Framework. For Capital Projects, refer to the Design Engineering
Practice (DEP 32.01.20.12- Process control domain - Enterprise industrial automation information technology and
security)

 PCD-IT Security page in the Manufacturing Management System (MMS) includes a PCD Security Gemba Card
 Think Secure for PCD Shell Open University Course # 00198396
 Think Secure Safety Standstill – includes a 4 minute video and discussion package for an engagement
 Think Secure Ambassador information
 PCD IT Security Knowledge Portal
 SecurePlant Cyber Security Management SharePoint including additional training
 DSM PCD IT Security Community of Practice SharePoint (restricted access)
 Manufacturing PCD Programme Excellence Manager
 Manufacturing LFI Coordinator