Industry implementation of the industrial Internet of Things (IIoT) for oil and gas operations will result in a significant alteration of the existing operations technology/information technology (OT/IT) digital architecture, causing a change in cyber-physical security because of new and additional cybersecurity vulnerabilities.
The conventional defense strategies for cybersecurity are based primarily on traditional IT network security designs and practices, such as assuring data integrity and protecting the confidentiality of data and intellectual property. The primary threat to oil and gas operations, however, comes from the growth in attacks designed and directed at OT systems, which can result in significant negative operational events. In recent years, this has spurred the development of expanded OT defense strategies and the technical hardening of industrial control systems.
The U.S. Department of Homeland Security has recorded the annual cyber incidents relating to different sectors (Fig. 1). The results indicate that the energy sector (including petroleum) is one of the primary potential attack targets.
Changes in digital technologies and architectures arising from the implementation of the IIoT in oil and gas operations have brought intrinsic changes in the security landscape. The goal of this paper is to aid oilfield security planning and design processes through improved recognition of the cyber-physical security effects arising from the implementation of IIoT architectures and technologies into field OT domains.
The paper identifies and compares the current oilfield OT logical structures with the designs emerging through the IIoT implementations. The analysis includes extensive review of developing standards, such as those proposed by Industrial Internet Consortium, and ongoing published experiences to find the primary points of transition.
The security risks stemming from IIoT implementation appear to raise significant concerns with regard to potentially severe cybersecurity outcomes, which could materially affect the integrity and safety of oilfield operations. The study concentrated on the cybersecurity threats that could pose negative physical and operational conditions resulting from loss of visibility or loss of control of the operational processes in field facilities.
Extensive literature reviews were the basis for identifying the implications of cybersecurity risks in the ongoing stages of integrating the IIoT into the field. The reviews identified the modified strategies for cyber-physical systems, including potential threats and countermeasurements for the field IIoT model. These proposed strategies, however, still miss a fundamental denominator: The assessments generally ignore that it is the fundamental nature of IIoT structure itself that creates cyber-security vulnerabilities.
To investigate further, the authors performed a contrasting analysis based on specific case studies of field IIoT devices such as the pumpoff controller and OT architectures. The following three foundational threat implications emerged on the transformation of IIoT architecture into the oil field:
- The exponential growth of connected distributed artificial intelligence (DAI) devices enormously increases the complexity of designing the software of each facility and system.
- The cutting-edge machine-to-machine characteristic in the IIoT model pushes the human out of the traditional control and monitor loop.
- The widespread scale of DAI devices with the unique IP address in the network shifts cybersecurity risks to each connected endpoint.
The cornerstone of the distinctive IIoT attributes illustrated in the paper contributes to the potential loss of control, leading to the potential for serious damages to operational outcomes in the field.