The adoption of digital technologies in the oil and gas industry is generating exciting new opportunities to improve performance, profitability, and sustainability, but brings new safety and security challenges across all operations.
According to a 2017 survey by the Ponemon Institute, cyber attacks are on the rise: the average number of successful breaches per company per year rose more than 27%, from 102 to 130. The energy and utilities industry, including oil and gas, suffered average annualized losses from cyber crime of $17.2 million per sampled organization, just behind the financial services sector at $18.2 million.
In June 2017, the NotPetya malware affected many companies around the world, including the Russian oil and gas giant Rosneft. In the same year, another report stated that almost three-quarters of US oil and gas companies had experienced a cyber incident, yet only a handful cited cyber risk as a major concern in their annual reports.
Cyber Concerns
As the global oil and gas industry grasps the benefits that digitalization, automation, machine learning, and artificial intelligence can bring to production and profitability, its relatively immature cybersecurity makes it an attractive soft target for attackers.
The traditional focus of cybersecurity has been on IT, such as the office IT infrastructure. Now, there is an increasing trend for networks on production sites to be connected to wider corporate networks to allow remote monitoring and control, which widens the attack surface. Managing operational technology, such as control and automation systems, requires oil and gas operational domain competence as well as proficiency in general information security.
The level of exposure depends on the direction and extent of communication. Cybersecurity is simplest when data moves in only one direction, for instance from the production system into the corporate network, because nothing on the corporate side can write back to the plant. With a remote or centralized control room, protection becomes more pertinent and more difficult, as the control room must be able to alter critical offshore systems, so the connection is bidirectional by design. The complexity and challenge of fail-safe security deepen further if vendors can access, and perhaps control, equipment on the plant via corporate systems, since a compromise of the vendor or of the corporate network then reaches the plant.
As each rig operation involves a significant number of suppliers and contractors, all deploying safety-critical systems, it is vital that the industry introduces controls and security barriers to identify and close weaknesses.
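The escalation described above (one-way data export, then bidirectional control-room access, then vendor access via corporate systems) can be made concrete by modelling the site as zones joined by conduits, the vocabulary IEC 62443 uses, and enumerating every path along which a low-trust zone can exert control over a critical one. The following Python is an added example, not code from the article or from any of the organizations it names; the zone names, criticality ranks, policy thresholds and both topologies are constructed for illustration.

```python
"""Zone-and-conduit reachability check for an OT/IT architecture.

Added example (not from the article or from DNV GL, ABB or Schlumberger).
It borrows the IEC 62443 vocabulary of zones and conduits, but the topology,
criticality ranks and policy thresholds below are constructed for illustration.
"""

# Constructed zones with an illustrative criticality rank (higher = more
# safety critical). Ranks 0-1 are treated as low trust, 4-5 as critical.
ZONES = {
    "internet": 0,
    "vendor_remote": 0,
    "corporate_it": 1,
    "dmz": 2,
    "control_room": 3,
    "process_control": 4,
    "safety_system": 5,
}

# A conduit is (source_zone, destination_zone, kind):
#   "data"    : one-way export of data from source to destination
#   "control" : source can write to, or act on, equipment in destination
WEAK = [
    ("vendor_remote", "corporate_it", "control"),     # vendor VPN lands on the corporate LAN
    ("corporate_it", "process_control", "control"),   # engineering workstations on the same LAN
    ("process_control", "corporate_it", "data"),      # historian export
    ("control_room", "process_control", "control"),
    ("process_control", "safety_system", "control"),  # SIS engineering access from the control network
]

HARDENED = [
    ("process_control", "dmz", "data"),               # one-way replication into a DMZ historian
    ("dmz", "corporate_it", "data"),
    ("dmz", "vendor_remote", "data"),                 # vendor sees monitoring data only
    ("control_room", "process_control", "control"),
    ("safety_system", "process_control", "data"),     # SIS status is read-only from the process network
]


def control_paths(conduits, src, dst):
    """Return all simple paths from src to dst that use only control conduits."""
    adj = {}
    for a, b, kind in conduits:
        if kind == "control":
            adj.setdefault(a, []).append(b)
    paths = []

    def walk(node, path):
        if node == dst:
            paths.append(list(path))
            return
        for nxt in adj.get(node, []):
            if nxt not in path:  # simple paths only, no cycles
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(src, [src])
    return paths


def findings(zones, conduits, untrusted_max=1, critical_min=4):
    """List every control path from a low-trust zone into a critical zone."""
    out = []
    for lo, lo_rank in zones.items():
        if lo_rank > untrusted_max:
            continue
        for hi, hi_rank in zones.items():
            if hi_rank < critical_min:
                continue
            out.extend(control_paths(conduits, lo, hi))
    return out


def inbound_control(conduits, zone):
    """Zones holding a control conduit directly into `zone` (sorted)."""
    return sorted(a for a, b, kind in conduits if b == zone and kind == "control")


if __name__ == "__main__":
    for name, arch in (("weak", WEAK), ("hardened", HARDENED)):
        hits = findings(ZONES, arch)
        print(f"{name}: {len(hits)} low-trust-to-critical control paths")
        for p in hits:
            print("   ", " -> ".join(p))
        print("    inbound control into safety_system:", inbound_control(arch, "safety_system"))
```

The weak topology yields four findings, including a path from the vendor all the way into the safety system; the hardened one, where the plant only exports data through the DMZ and the safety system accepts no inbound control conduit at all, yields none. The check is deliberately about reachability, not about what protections sit on each conduit, which is why a control-room-to-plant control conduit is kept in both topologies: that exposure is accepted by design and has to be protected, not modelled away.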
Without the understanding and knowledge of how to implement and integrate such systems securely, unnecessary risk and expense can be added to a project. Breaches can lead to lost production; raised health, safety, and environmental risk; costly damages claims; breach of insurance conditions; negative reputational impacts; and loss of licence to operate. Therefore, cybersecurity needs to be a consideration throughout the lifecycle of any project, especially across digital transition activity.
While the Internet of Things (IoT) has driven down the cost of local sensor digitization, and signal processing can be incorporated into short-loop process control systems, it has also exposed vulnerabilities as weaknesses in embedded software are discovered and exploited.
Those weaknesses include gaps in monitoring of the operational technology environment. Increased exposure of critical systems to external networks is a key reason for heightened digital vulnerability, as connectivity can create an entry point at every individual sensor and edge process controller.
There have been reports of attacks on vessel dynamic positioning systems, including spoofing of the GPS signal they depend on. As control systems can sometimes be updated from shore, the update path is another avenue for attack.
Requirements and Regulations
European Union legislation and the UK Health and Safety Executive's (HSE) requirements for cybersecurity are driving companies across the sector to build secure systems to manage cyber risk. DNV GL, a technical authority to the oil and gas industry, has, for instance, published a recommended practice on cybersecurity tailored specifically to oil and gas.
DNVGL-RP-G108 provides best practice on how to apply the IEC 62443 cybersecurity standard for industrial automation and control systems to the sector. While the standard focuses on what to do, the guideline focuses on how to do it and takes into account HSE requirements and the IEC 61511 functional safety standard. In the US, the National Institute of Standards and Technology (NIST) at the Department of Commerce publishes the Cybersecurity Framework, a voluntary policy framework that helps businesses understand, manage, and reduce cybersecurity risk and protect networks and data.
While regulatory and advisory assistance and guidance is out there, cybersecurity is everyone’s responsibility, and not solely for the experts or those in the digital department. The entire workforce, across all ranks, should be aware of the different risks and ways in which a business can be hacked, and the preventative measures that can be put in place. In the past, equipment was managed and run on very isolated, fragmented networks; now, thanks to the efficiency and cost benefits that connectivity can bring, there is more exposure to risk.
For instance, when a number of different companies contribute to an integrated system, the failure of the whole system through a vulnerability in just one, potentially small, subsystem may have an enormous impact. Currently, legal contracts do not fully reflect the asymmetry in the cost of implementing small subsystems with potentially high consequential liabilities. This can increase financial exposure for main contract holders and is a compelling reason for oil and gas companies to understand and quantify cybersecurity risks.
This is a huge challenge for the industry and will be a major talking point at this year’s SPE Offshore Europe Conference and Exhibition in September in Aberdeen. The dedicated keynote technical program, “Security Issues in the Digital World” will provide an overview on the current measures in place to control this vulnerability, and to anticipate the changes needed to ensure all future systems are secure.
Data the New Gold
As the sector looks to artificial intelligence, machine learning, and automation to optimize productivity, it must first work out how to gather, manage, monitor, and protect this valuable resource; only then can the benefits be fully realized and, most importantly, the risks averted.
Mission-critical functions can rely on the integrity and availability of data analytics. In the past, the network was the perimeter to be protected; now identity is the new perimeter. It is crucial to know who is accessing the data and to have the proper controls in place.
For risk assessment in particular, the appraisal of critical assets should be examined as comprehensively as the data output that digital systems provide: understanding where the data is, what relies upon it, and how it is to be protected is key. Companies therefore need to create and embed proper governance to ensure the relevant people are aware of, and are acting upon, the changing risk environment.
From the outset, the establishment of a cybersecurity management system relies on assessing an organization’s cyber maturity and its legal and regulatory responsibilities within its operating region. This involves analyzing gaps in provision, current process and practices, and the means by which that risk is measured and mitigated. From there, industry best practice should be carefully reviewed and implemented.
The digital transformation is not just about technology or using the latest gadgets. It is about overhauling the way things have inherently been done. This is a new era, which requires a new mindset. Education and communication are the pillars to ensure systems are protected and preventative measures are in place. Best practice can only be applied if transparency exists to share information on potential threats and incidents.
Ben Dickinson is the global program manager for cybersecurity in ABB’s energy business. He joined ABB in 2018 from the UK’s National Cyber Security Centre, where he advised owners and operators of the UK’s Critical National Infrastructure on preparing for, detecting, responding to, and recovering from cyber attacks. He holds an MS degree in computer security from the University of Liverpool.
Mario Chiock has more than 38 years of experience in oilfield operations, IT, cybersecurity, risk, privacy, and auditing. Prior to his current role as Schlumberger Fellow, he was the chief information security officer at Schlumberger responsible for developing the company’s global, long-term cybersecurity strategy. He is past chair of the American Petroleum Institute Information Security Subcommittee and was involved in the formation of the Oil & Gas Information Sharing and Analysis Center.