Pipeline visibility cuts downtime, improves safety

Operators in the midstream oil & gas industry need to keep their focus on what's happening behind the scenes to prevent costly issues happening down the road.

By Paul Smith January 18, 2019

Operators in the midstream oil & gas industry know their main priorities are to keep product flowing through the pipeline and making sure it’s done in a safe and secure manner. However, it’s easy to get tunnel vision and lose sight of the proper operating scope for the network and devices.

It is natural to stay focused on the product moving from one end of the pipeline to the other. However, without proper operational visibility into what is really happening, small changes may cause major problem for companies.

The U.S. midstream oil & gas equipment market is expected to grow to almost a trillion dollars by 2026, according to a Polaris Market Research report. However, the industry is ramping up digitization efforts aimed at improving efficiency and reliability to improve connectivity.

Operators face many challenges as they try to achieve full pipeline operational visibility or robust cybersecurity. These include:

  • Long pipelines that are open targets for physical or cyber attacks
  • Limited visibility to the components that make up the pipeline system
  • Poor communication practices regarding new components such as new tie-ins
  • Inadequate ability to see or detect developing operations problems
  • Multiple customers on various pipeline segments, all operating with different levels of security
  • Relying on customers for good security practices
  • Hard-to-correlate data from different customers along the pipeline
  • Impractical nature of manual audits.

Understanding what is on the network and filtering through all the data to make smart decisions to protect against anomalies or cyberattacks are top issues. Network and asset visibility are a must.

The case of a pipeline organization that had a truck offload-onload skid is a good example of the challenges that comes with visualizing a potential problem. This facility pulls oil off a pipeline and hauls it away in tanker trucks. However, when a programmable logic controller (PLC) went down, the truck onload and offload terminal backed up to the point where it cost the company $1.9 million in lost revenue and downtime.

In the midstream market, time is money. If a company suffers unscheduled downtime, it’s unlikely they’ll ever make up the lost time/revenue because the company is always moving product at high capacity.

Outage detection

The pipeline operator would have been able to predict a potential outage when the PLC started to behave abnormally if an industrial network monitoring solution was in place. If the operator knew the type of PLC, the type of cards it was running, the firmware and the serial number, they could diagnose the problem.

On top of that, by adding an enterprise-wide centralized network monitoring solution, it would then be possible to look at all similar devices within the eco-system. If one PLC behaved strangely and ended up cost $1.9 million, it’s worthwhile to flag the others and watch to see if they start behaving like the problem PLC did. If they do, the issue can be mitigated before a bigger problem occurs.

In triaging this problem, one of the pipeline company workers said they noticed some “weird” operational values. The operator didn’t see any major problems and assumed it was normal behavior.

When asked how long he trended the data, the worker said, “Oh, just a few months.”

If the system was already failing when the worker started observing the trend, the abnormal behavior looked normal because the change was slow and gradual.

The operator didn’t trend the PLC back to when it was operating well. And, the operator didn’t compare its behavior trend to similar devices to see how the others were operating. He could have checked whether all devices with the same load were behaving similarly, or not.

Effects of ghost drift

In this case, the PLC suffered from “ghost drift,” which is where a device slowly slips out of scope over a long period. When something started to fail, it skewed the PLC’s numbers to such a small degree the operator did not notice.

In this scenario, pipeline operational visibility comes into play. Today’s industrial control system (ICS) network monitoring solutions can detect when devices are starting to drift. The system alerts the operator that it’s time to take a closer look before another unplanned downtime incident occurs.

If you are not familiar with passive network monitoring, here’s how it works. An appliance is typically attached to a SPAN or mirror port of a switch or router on the pipeline. The application on the appliance observes network traffic and builds a model of the pipeline’s network and operational behavior. It employs machine learning and artificial intelligence (AI) to deal with today’s complex systems.

There are two phases to the implementation of the network monitoring application: the learning phase, and then an operational protect mode. After installation, the application quickly learns the system, and then it can start detecting operational changes.

From a cybersecurity perspective, a potential problem is when the user first plugs in the appliance. If there is malicious malware beaconing out to an external server, the application learns that as normal behavior.

To deal with this problem, the best passive monitoring solutions use a technique called dynamic learning. This technique allows the operator to go through the learning phase and conduct a statistical process control analysis. If the system’s behavior is within one standard deviation, the solution will start monitoring based on that behavior.

If ghost drift has been occurring operationally over a period of time, the behavior will hide within the standard deviation. This means the user has to go through the results and do the due diligence needed to eradicate the problem. One method is to compare the operational behavior of similar devices across the pipeline system and determine if the trend for one of the devices is different from the others.

This exercise truly educates the operator about their process inside and out.

Security as byproduct

When that happens, good cybersecurity becomes a byproduct, and the operator can flip the monitoring application into protect mode. Going forward, the operator will know if there is any kind of drift or malicious attack because the system will generate alerts.

Documenting a SCADA system’s network and asset infrastructure for a long-distance pipeline and keeping it up-to-date used to be virtually impossible. It was also next to impossible to monitor all the equipment involved. Now, thanks to technology advances, it’s easy to implement passive industrial network monitoring that automatically provides real-time network visualization and asset discovery.

The same solution can also provide early detection of both operational problems as well as cybersecurity incidents. In the truck offload-onload skid scenario, the realized return on investment (ROI) of a visibility solution was $1.9 million. That’s a significant return based on improved reliability, with added, unquantified cybersecurity benefits.

Paul Smith is director of product research and strategy at Nozomi Networks. This content originally appeared on ISSSource.com. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, cvavra@cfemedia.com.

Original content can be found at www.isssource.com.

Author Bio: Paul Smith is director of product research and strategy at Nozomi Networks.