The oil and gas industry is facing complex challenges on various fronts from depleting reserves and falling prices to information and data management systems. Other challenges include environmental, health and safety concerns, and geopolitical pressures. The industry has quickly embraced emerging technologies such as digitization and automation to reduce costs and aid decision making. However, while doing so, they are faced with the difficult challenge of managing cyber security.
The Shifting Industry Environment
Oil industry operations have undergone significant changes due to technological advancements. This has been the case across the value chain from upstream to midstream and downstream sectors. (Learn about the three sectors in Upstream, Midstream, Downstream: A Look at the Petroleum Industry.) Changes in the production operations, whether in an upstream platform or a refinery, have been astounding. For instance, upstream operations have transformed from a collection of standalone modular operations to an integrated fully automated real-time web-enabled access to operations.
This transformation has been enabled by the digitization of production operations leading to “anytime anywhere” workforce involvement in the process. Easy access to information has been made possible with the implementation of mobile solutions. (A complete discussion can be found in the article Mobile Tools: A Disruptive Technology for Oil & Gas Operations.) For example, using mobile phones, supervisors can easily access information regarding the production or plant status, approve contracts and view sensitive information from outside the operational boundaries. In a way, the entire operations are driven by computer systems, both on premises or remotely when the infrastructure is fully digitized.
Although this is an excellent technological achievement, the production infrastructure is endangered in the event of a security breach if the firewall protecting the systems is inadequate. There is reason to believe that the current computer systems are not risk-free, as seen in recent events.
Incidents of Cyber Security Attacks
Cyber security attacks have grown in terms of both their sophistication and the number of occurrences. In 2012, a terrorist organization called “Cutting Sword of Justice” launched a major cyber attack on oil major Saudi Aramco that lead to crippling more than 30,000 computer systems. Though this did not disrupt Saudi Aramco's oil production, it showed the vulnerability of the systems to such attacks.
Similarly, Mexico’s state energy company, Pemex, was subjected to an attack by Iran-backed cyber attackers. Even advanced countries such as the United States and Canada have been vulnerable to such attacks despite increasingly sophisticated systems being put into place.
Several gas tank monitoring systems have suffered electronic attacks, possibly instigated by hacktivist groups. Successful attacks can impact inventory control, data gathering and delivery tracking, in turn affecting the availability of gasoline at local stations. In September 2012, the internal systems of a leading systems management company that manages more than 60 percent of the total hydrocarbon movements in North American and Latin American pipelines were breached despite sophisticated firewall and security systems being in place.
Cyber Security – A Crucial Factor for Safe Operations
Cyber structures and solutions are vulnerable to many security issues that are growing both in complexity and number. Hence there is an increasing need to spend a lot more on cyber security measures as oil organizations race to protect their strategic assets from cyber attacks.
Although headline grabbing cyber breaches appear rare in the oil and gas industry, there may be many incidents that go undetected or unreported even in major oil organizations. The vulnerable starting point in many cases is the office environment and then spreads through the production control's safety system. This vulnerability exists due to various factors including the remote nature of petroleum operations, a lack of cyber security awareness among employees, vendors and suppliers, an inadequate separation of data and process networks, the use of mobile devices and storage devices including smartphones, and aging software systems to name a few.
Factors Compromising Cyber Security
As stated above, there are many factors that contribute to frail computer security practices. A lack of cyber security awareness is one of the primary reasons for the breaches that lead to operational risks. Sometimes employees do not comply with the requisite procedures while working with computer systems or accessing the infrastructure using their mobile phones. It is not enough for organizations to provide training or knowledge sharing sessions on cyber security; they must also institutionalize cyber security as part of their culture.
Vulnerabilities exist in some of the software used in production environments. Newer robust systems are being designed to combat cyber security threats; however hackers are also getting better at designing hacking tools, so there is a challenge to constantly rebuild or update the software from a firewall perspective. There is also a need to revisit the business processes and practices related to the implementation of cyber security.
Implications for the Oil and Gas Industry
A network breach or production system disruption could lead to disastrous consequences for the organization, the community and the environment as a whole. For example if someone tampers with the meter readings of an automatic tank gauge (ATG) system, it could lead to a highly flammable product overflowing and causing a massive explosion. Similarly, unthinkable consequences could follow if upstream production parameters were to be changed remotely through a network breach, resulting in a financial loss. Therefore it is imperative to set up a proper security system to ward off cyber attacks.
Recent Initiatives to Protect Strategic Assets
The oil and gas industry has realized that it is only through a unified approach that the menace of cyber attacks be effectively handled. In this regard, a nonprofit organization called the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC) was formed in 2014 to facilitate the exchange of information about security incidents. This has helped organizations learn valuable lessons and improve their networks so as to avert similar incidents in their operations.
Also, a proactive risk analysis is vital to prevent network security breaches. Oil organizations generate massive amounts of data, and a predictive risk analytics model can be developed that will help organizations prepare for cyber attacks.