The downside of the proliferation of data-fueled digital technologies in the oil and gas industry is the accompanying deluge of new cybersecurity threats.
Internet of Things (IoT) devices are becoming commonplace as sensors and edge processing pervade the oil field. Data lakes now hold petabytes upon petabytes of reservoir and operational data in the cloud. Digital systems are being integrated across different wellsites, different business units, and different companies, including legacy systems that were not designed with security in mind. And with these changes come more opportunities for threat actors to gain access to critical information and equipment.
The industry is increasingly becoming a target of attacks as “data is becoming more valuable, perhaps the most valuable commodity in the world right now,” and oil and gas companies are oozing with data, said Ben Dickinson, global cybersecurity lead for ABB’s oil, gas, and chemicals unit, at the recent SPE Offshore Europe conference in Aberdeen, Scotland. Underscoring the industry’s appeal to attackers is its economic and geopolitical significance. Threats range from attempts at financial gain by groups or individuals to espionage or sabotage among nation-states.
Dickinson spoke as part of a cybersecurity panel discussion during the September conference that included Saudi Aramco, BP, and Schlumberger, three industry giants at the leading edge of operational advancements and technology development. Keeping these complex, at times unwieldy, organizations secure is a monumental task that requires hypervigilance from an army of cybersecurity experts. But even that is not enough.
“I have bad news for you: Everybody will be hacked,” said Raed Shaikh, Aramco division head, information security. “If you're not hacked already, you will be hacked.” There’s no such thing as 100% secure, he warned, especially for companies such as Aramco, BP, and Schlumberger.
Breadth of the Challenge
Recent attacks on the oil and gas industry include cyberespionage group APT34, or OilRig, posing as a researcher at Cambridge University to send invites on LinkedIn, spreading malware on customer systems in the UK. Threat group Xenotime’s Triton/Trisis cyberattack first targeted a Saudi petrochemical facility, shutting down industrial safety systems, and then expanded to electric utilities in the US and Asia-Pacific region. Cybercriminals have also used ransomware to target European oil and gas firms via phishing emails.
The defense strategy for oil and gas companies begins with solid threat intelligence and knowledge of their own systems. More than 60 potential offenses to Aramco’s upstream datacenter, EXPEC Computer Center (ECC), are analyzed each day with the purpose of ensuring business continuity. ECC is where the company performs its upstream high-performance computing, including reservoir simulations and seismic processing.
BP has more than 150 industrial sites around the world, and its security operation center “evaluates about 4 billion events a day—so data is king,” said Emilie Hudson, BP project manager.
But operators “can only secure what we know about,” Hudson said, as there is almost always integrated connected equipment at BP’s sites that needs to be accounted for and protected. “There is always a wireless endpoint that was unknown. There is always an IoT device that was a proof of concept 2 years ago that has become part of the wallpaper,” she said.
Companies must keep a robust inventory of their equipment that is updated religiously. That means, she said, “not just knowing what is there, but knowing the state it is in” along with other key information.
They must also ensure their vendors are including security in the design and deployment of equipment. “Without a very integrated and coordinated effort by the oil and gas operators as well as with our industrial vendor partners, we together don't really stand a chance,” she said. “We cannot protect ourselves in isolation.”
ABB has requirements for products, services, and relationships with third parties using industry best practices to ensure “cybersecurity is baked into the whole process” in earliest phases of the software development lifecycle, Dickinson said. Aramco extends cybersecurity checks to its vendors and partners, using a consolidated platform to share threat intelligence or incident information.
Schlumberger’s Security Basics
Schlumberger has consolidated groups that previously worked in silos through its cybersecurity operations centers in Houston and Kuala Lumpur. Those facilities bring together IT infrastructure, cloud services, industrial control systems, industrial IoT, and business applications.
The world’s largest oilfield services company has focused on simplifying and automating its security processes, making them repeatable. This includes leveraging tools and processes to minimize the amount of time it takes to react to an incident. “In the past, the average level one analyst would take around 45 minutes before they could actually act on an alert,” said Mario Chiock, Schlumberger fellow for IT security. Now, “with a lot of automation,” it takes 5 minutes.
Chiock noted that it is impossible to “take care of everything” security-wise, so the organization must prioritize. Schlumberger assigns risk scores to every user and an entity score to every device, allowing the company to act on what it deems most important.
He emphasized the concept of basic “cyber hygiene” in avoiding the vast majority of cybersecurity threats. Limiting administrative privileges to devices, for example, can significantly reduce infections. The company has segmented networks, and every machine, server, and database is encrypted.
Multi-factor authentication is mandatory when an employee externally tries to access the corporate network. “We are moving in the next couple of years to where all of the resources in the company will require multi-factor authentication,” he said. Patching is also performed every month on company laptops through an automated, largely unnoticeable process, though patching operational technology equipment can be more daunting.
Simplifying hardware is important too, Chiock said, as the company was able to virtualize 110 servers into a single server on a rig. He believes the future is in containers, which virtualize operation systems, enabling multiple isolated applications to work on one system. However, currently “there is not enough security in containers,” he noted. BP and Aramco are also exploring or moving toward containerization, Hudson and Shaikh said.
Humans: The First Target and Line of Defense
Dickinson said when he first became interested in cybersecurity, he read a book from a prolific hacker about infiltrating the US Department of Defense but came away disappointed because he discovered that much of the hacker’s success came through social engineering and exploiting the human element. While the hacker was technically talented, Dickinson said, he cleared some of his biggest hurdles by merely picking up the phone and calling the department.
These days, vulnerabilities involving the human element include systems powered by internet-connected devices and web access from control systems. Dickinson noted an example where an engineer on an offshore platform changed the firewall to allow him to watch Netflix. “It’s quite common for those types of things to happen,” he said.
In addition to insecure passwords and haphazard methods of saving those passwords—e.g., Post-it notes on a desktop screen—insecure protocols are also a hazard.
Another instance mentioned by Dickinson involved the hacking of a North Sea windfarm operating on a flat network connected directly to the corporate network “with very little protection.” The hackers used a File Transfer Protocol (FTP) to gain control of its systems. “It was very easy for an attacker with a phishing email to get onto the corporate network, find this network, and look for passwords,” which were viewable in clear text, he said.
To avoid similar incidents across its assets, Aramco conducts internal phishing test campaigns with its more than 150,000 employees where the company poses as a potential hacker and sends suspicious emails. Shaikh said when those campaigns were first implemented, his team was surprised by their effectiveness from the would-be hacker’s perspective—employees too often let their guard down and took the bait.
Employees who are caught twice in these campaigns receive “counseling” in an effort to fortify their knowledge of phishing tactics, Shaikh said. If that does not work, a third breach affects their performance appraisal. For those who reach five in calendar year, “there is a very big chance that you'll be dismissed,” he said. Conversely, employees get points for reporting phishing campaigns, meaning they are given a positive assessment based on their cybersecurity aptitude, not unlike with HSE performance.
“We have seen our numbers came up recently,” Shaikh said. “We were amazed [by] how people are becoming phishing aware.” Simply taking a closer look at an email’s text or an email address can go a long way, he said.
While Schlumberger employees who repeatedly fail phishing tests also find themselves in “very deep trouble,” Chiock said, the company encourages its staff to report suspected phishing attempts in the same way it does HSE incidents. “We have found a lot of very targeted attacks in Schlumberger through people reporting them.”
Hudson said BP doesn’t “take quite as punitive of an approach” as Aramco because, like Schlumberger, it wants to encourage constant, honest reporting from its employees. “What we have found to be very effective is having those phishing campaigns coupled with adjustments in the educational campaigns as well,” she said. “As employees become more clever about evaluating an email, we also know that those emails change. So we're trying to make sure that the educational component keeps up.”
Schlumberger promotes cybersecurity awareness among its employees with its “cyber moments” program that prompts them to discuss incidents that occurred within the organization and beyond. “In the last few months, I've seen a lot of reports of things like, ‘Employee X posted on his LinkedIn profile the name of a secret project that he's not supposed mention,’” he said. “People are becoming more aware of cybersecurity.”