The oil and gas industry is facing complex challenges on various fronts from depleting reserves and falling prices to information and data management systems. Other challenges include environmental, health and safety concerns and geopolitical pressures. The industry has been fast embracing emerging technologies such as digitalization and automation to save costs in operations and aid in decision making. However, while doing so, they are faced with a difficult challenge of managing cyber security.

Shifting industry environment

Oil industry operations have undergone significant changes due to technological advancements. This has been the case across the value chain from upstream to midstream and downstream sectors. Changes in the production operations whether in an upstream platform or a refinery have been astounding. For instance, upstream operations have transformed from a collection of standalone modular operations to an integrated fully automated real-time web enabled access to operations. This transformation has been enabled by the digitalization of production operations leading to “anytime anywhere” workforce involvement in the process. Accessibility to information has been made easy with the implementation of mobility solutions in the oil and gas environment. For example, supervisors using mobile phones can easily access information on production or plant status, approve contracts and view sensitive information from outside the operational boundaries. In a way, the entire operations are driven by computer systems both on premises or remotely when the infrastructure is fully digitalized. Though this is an excellent technological achievement in operating the production processes remotely with system enablement, it endangers the production infrastructure to the potential breach of security as the existing firewall protecting the systems may not be adequate. There is a reason to believe that the current production environment is not risk free in terms of cyber attacks as we have seen such incidents in recent times.

Incidents of Cyber security attack

As stated earlier the cyber security attacks have been growing in the last 30 years both in terms of sophistication and numbers. In 2012 a terrorist organization called “Cutting sword of justice” launched a major cyber attack on oil major Saudi Aramco which lead to crippling of more than 30000 computer systems. Though this did not disrupt the intended oil production of Saudi Aramco, it showed the vulnerability of the systems to such major attacks. Similarly Mexico’s state energy company Pemex was subjected to an attack by Iran-backed cyber attackers. Even advanced countries such as US, Canada have been vulnerable to such attacks despite increased sophisticated systems being put in place. Several gas-tank-monitoring systems have suffered electronic attacks possibly instigated by hacktivist groups. Successful attacks can impact inventory control, data gathering, and delivery tracking, in turn affecting the availability of gasoline in local stations. In September 2012, the internal systems of a leading systems management company which manage more than 60 percent of the total hydrocarbon movements in North American and Latin American pipelines were breached despite sophisticated firewall and security systems in place.

Cyber security – a crucial factor for safe operations

Cyber structures and solutions are vulnerable to many security issues which are growing both in complexity and number. Hence there is an increasing need to spend a lot more on cyber security measures as oil organizations race to protect their strategic assets from cyber attacks. Though headline grabbing cyber breaches are rare in the oil and gas industry as of today, there are many incidents which go undetected or unreported even in major oil organizations. The vulnerable starting point in many cases is usually the office environment and then it weaves its way spreading through the process and production controls safety system. The vulnerability exists on account of various factors including remote nature of petroleum operations, lack of cyber security awareness among employees including workers, vendors and suppliers, inadequate separation of data and process networks, use of mobile devices and storage devices including smartphones, and aging software and systems to name a few.

Factors compromising cyber security

As stated above, there are many factors that contribute to frail cyber security practices. Low level of awareness of cyber security is one of the primary reasons for the security breaches leading to high risks in operations. At times employees do not comply with the requisite procedures while working with computer-aided systems or accessing the infrastructure using their mobile phones. It is not only enough for organizations to provide training or knowledge sharing sessions on cyber security, but also important to institutionalize cyber security as part of their culture.

It is an indisputable fact that the software used in production environment is vulnerable in nature. New robust systems are being designed to combat cyber security; however, hackers are also getting smarter in designing stronger hacking tools and hence there is a challenge to constantly keep rebuilding or updating the software from a firewall perspective. There is also a need to revisit the business processes and practices relating to the implementation of cyber security in operations.

The oil and gas industry is unique

A breach in cyber networks or disruption to production systems could lead to disastrous consequences not only for the organization, but also for the community and environment as a whole. For example if someone tampers with the meter readings of the Auto Tank Gauging (ATG) system, it could lead to overflowing of highly inflammable product and cause massive explosion. Similarly, if upstream production parameters are changed remotely by breaching the cyber network, unthinkable consequences would follow, resulting in financial and human loss. Hence, oil and gas being a high risk business, it is inevitable to set up a proper cyber security system in place to ward of cyber attacks.

Recent initiatives to protect strategic assets

The oil and gas industry has realized that it is only through a unified approach can the menace of cyber attacks be handled effectively. In this perspective, a nonprofit organization called the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC) was been formed in 2014 to facilitate exchange of information on the security incidents. This has helped organizations to learn valuable lessons and upscale their network so as to avert such incidents in their operations.

Also, a pro-active risk analysis and management practice is vital in order to prevent network security breaches. Oil organizations generate massive amount of data and a predictive risk analytics model can be developed using data analytics tool, which would help organizations to be better prepared in case of exigencies.