With the exploitation of new cost-effective operational concepts, use of digital technologies and increased dependence on cyber structures, the oil and gas industry is exposed to new sets of vulnerabilities and threats. Cyberattacks have grown in stature and sophistication, making them more difficult to detect and defend against, and costing companies increasing sums of money to recover from.
DNV GL recently delivered a study to the Lysne Committee that reveals the top ten most pressing cybersecurity vulnerabilities for companies operating offshore Norway. They are also applicable to the industry at large.
An international DNV GL survey of 1,100 business professionals found that, although companies are actively managing their information security, just over half (58%) have adopted an ad hoc management strategy, with only 27% setting concrete goals.
“Headline cybersecurity incidents are rare, but a lot of lesser attacks go undetected or unreported as many organizations do not know that someone has broken into their systems. The first line of attack is often the office environment of an oil and gas company, working through to the production network and process control and safety systems,” said Petter Myrvang, head of Security and Information Risk, DNV GL – Oil & Gas.
While the study focused on operations on the Norwegian Continental Shelf, the issues are equally applicable to oil and gas operations anywhere in the world.
The top 10 cybersecurity vulnerabilities:
1. Lack of cybersecurity awareness and training among employees
2. Remote work during operations and maintenance
3. Using standard IT products with known vulnerabilities in the production environment
4. A limited cybersecurity culture among vendors, suppliers and contractors
5. Insufficient separation of data networks
6. The use of mobile devices and storage units including smartphones
7. Data networks between on- and offshore facilities
8. Insufficient physical security of data rooms, cabinets, etc.
9. Vulnerable software
10. Outdated and ageing control systems in facilities
DNV GL said it believes cybersecurity vulnerabilities can be addressed through a risk-based approach, using the bow-tie model familiar in safety barrier management. This allows companies to identify the threats to and vulnerabilities of assets and operations and plan barriers to prevent incidents and mitigate the consequences of cyber-risks. This includes procedures to maintain the barrier quality documented in performance standards.
“As all oil and gas process plants are now connected to the Internet in some way, protecting vital digital infrastructure against cyberattacks also ensures safe operations and optimal production regularity,” said Trond Winther, head of the Operations Department, DNV GL-Oil & Gas.
Industrial automation, control and safety systems used in the oil and gas sector are to a large extent digitized and dependent on digital technology. Formerly, such systems were proprietary, while they are now to a large extent based on commercially available components, such as a PC with a Microsoft Windows operating system. That means the known vulnerabilities of such commercial standard products will also be exposed in the sector.
The networks used between process equipment and control systems were previously isolated and proprietary, but are now based on Internet technology. Industrial automation and control systems used to be physically separate from traditional information systems and open networks. The need to transfer production data to information systems, and for remote maintenance, means that such separation is no longer practically possible.
There is an increasing use of remote operation from an onshore location or neighboring platform, and this may lead to the use of shared computer networks. This means that production equipment is exposed to network-related vulnerabilities.
Malicious codes are usually spread due to human error. An attachment in an email is opened, memory sticks are inserted, mobile phones are charged, laptops are connected to critical networks, etc. Mobile phones can also easily establish Internet connections. Users are tricked into revealing passwords, etc. Locating operations rooms onshore means that less attention may be paid and this increases the likelihood of both unintentional and intentional unwanted incidents. Human error is regarded as the greatest digital vulnerability in the sector.
The consequences of unwanted incidents based on digital vulnerabilities will primarily be of a financial nature. Production has to be shut down and this means a loss of income for the industry. Society will see a decrease in direct and indirect taxes.
Unwanted incidents will affect the companies’ reputations and may affect a reputation as a stable producer and transporter of energy. If saboteur and terrorist organizations manage to control vital production equipment, the consequences can be environmental destruction and the loss of human life.
In order to reduce the CO2 emitted due to power production on oil installations, new field developments are often based on a power supply from the shore (electrification). Most of these installations have to shut down production if there is a breakdown in the power supply from the shore. For a long time there has been an increasing focus on digital vulnerabilities in electricity distribution systems. Such systems are complex grid structures highly dependent on management and control systems.
Large distances and deep waters make it costly to establish a computer network for oil installations on the continental shelf. Fiber-optic cables on the seabed are often used but they are vulnerable to damage from building and fishing activities and erosion. It is challenging to establish redundant and completely independent network solutions.
A lack of communication can mean the immediate shutdown of production on platforms that are operated from a shore-based location or neighboring platforms. This is also critical for pipelines where, among other things, it must be possible to regulate and monitor the pressure and volume throughout the system.
The responsibility for preventive ICT security in the oil and gas sector is fragmented. There is no common contact point for the sector that the authorities can, for example, use to warn of net-based attacks. There are also few formal forums where the sector can exchange experiences.
An unofficial, international survey among companies in the sector concluded that only 40% of the companies have established an emergency preparedness plan that covers digital vulnerabilities. The focus is on fires, explosions, blowouts, etc.
Oil prices are at dangerously low levels for the industry and there is a great deal of uncertainty about future price developments. This means the sector must reduce its costs to maintain profitability. The fact that these savings measures may affect the continuous improvement of security is a major challenge. The increased focus on cost/benefit assessments and new ways of working are important elements going forward.
Many installations on the Norwegian continental shelf, for example, are designed to have a lifetime of 15-25 years, and several have been allowed to operate for longer. This means much of the equipment and software is outdated and not very well-adapted to today’s digital vulnerabilities.
The digitization of the sector is taking place continuously. “The Internet of Things” will lead to more units with digital vulnerabilities. The volume of data to be transported is growing and standard IT equipment will increasingly be integrated with the specialized control systems.
The risk of key critical functions, essential infrastructure, information that must be protected for security reasons and people being affected by espionage, sabotage, terrorist acts and other serious acts is increasing.
In order to reduce risk, barriers are implemented, partly to prevent an unwanted incident from occurring and partly to reduce the consequences of an unwanted incident that has occurred.
There has been a growing focus on barriers that prevent an unwanted incident, but the quality of these barriers needs further testing and verification. It is not enough to simply base protection on a firewall. Other barriers, including the opening/closing of accesses, procedures and work processes, must also be established.
There is a greater need for barriers that reduce the consequences if an unwanted incident has occurred. There is not enough equipment and routines for detecting that a threatening party has ongoing activities aimed at an installation. There is also a lack of practiced routines to prevent negative consequences when there is a suspicion that an unwanted incident may occur.
Supervisory authorities should issue functional requirements stipulating that barriers to digital vulnerabilities must be established. Digital vulnerabilities must be included in relevant risk analysis.
Companies must create a culture for reducing digital vulnerabilities in the same way as there is a culture for preventing fires and explosions. Awareness-creating work must be prioritized both within the sector and in the general public. Schools must focus on behavior when using digital media.
Special to Pipeline & Gas Journal