February 2017, Vol. 244, No. 2
Features
Reaping Benefits of Digital Age While Avoiding Cyber Threats
Digitalization is taking businesses into a new era, and the oil and gas industry is by no means an exception. With the focus on cost-cutting, increased efficiencies and improved sustainability, the oil and gas industry is increasingly embracing digital technologies to meet these challenges.
By building advanced digital controls on platforms, combined with improved connectivity, the industry is able to transfer tasks for data processing onshore, reducing manpower and increasing energy efficiency and operational effectiveness. DNV GL’s report, Technology Outlook 2025, provides foresight of digital advancements expected to hit the oil and gas marked by 2025, such as fully automated drilling operations, autonomous inspections of pipelines, remote operation and maintenance.
As has been seen in other sectors, digitalization can deliver financial savings through increased efficiency, automation, reduced risk and streamlined processes, but a major challenge facing the new digital world is ensuring the protection of highly sensitive and business critical information. The benefits of these digital advancements can only be fully utilized if the industry manages to control the emerging cyber-risks.
Cybersecurity
Cyberattacks on the oil and gas industry have grown in stature and sophistication in recent years, making them more difficult to detect and defend against, and costing companies increasing sums of money to recover.
Cyber-crimes cost energy and utilities companies an average of $13.2 million each a year for lost business and damaged equipment. The Internet of Things (IoT) integrates new and existing technologies, enabling assets to communicate and interoperate. The Center for Strategic and International Studies estimates that cyber-crime extracts between 15-20% of the value created by the internet.
Recent attacks have included theft of core intellectual property, disruption or destruction of systems and infiltration of confidential communications. Headline-grabbing cybersecurity incidents, such as the suspected injection of malicious software into the control network of the Baku-Tbilisi-Ceyhan pipeline in Turkey causing a huge explosion, are fortunately still quite rare. However, many lesser attacks go undetected or unreported as many organizations are unaware someone has hacked the systems.
As critical network segments that used to be kept isolated are now consolidated, cybersecurity is a growing issue in the oil and gas sector. The trend is toward remote operations, remote maintenance and tighter inter-operability with centralized process data and plant information. Existing and outdated installations with multiple outdated packages and systems are at particular risk.
Awareness Needed
The results of a DNV GL survey of 1,100 professionals from businesses in different sectors in Europe, the Americas and Asia found that although companies are actively managing information security, over half (58%) have adopted an ad hoc management strategy with 27% setting concrete goals.
According to a recent study undertaken by DNV GL, Digital Vulnerabilities Oil and Gas, an analysis of Norway’s oil and gas sectors, lack of cybersecurity awareness and training among employees is the number one reason for heightened digital vulnerability.
The study revealed the 10 most pressing cybersecurity vulnerabilities for companies operating offshore Norway. While it focuses on operations on the Norwegian Continental Shelf, the issues are equally applicable to offshore operations anywhere in the world. A similar study covering the maritime sector presents similar vulnerabilities regarding awareness and training.
High on the list of vulnerabilities was increased exposure of critical systems to external networks. This reflects trends toward remote operation and maintenance, and management systems that transport large volumes of process data to the office domain. Due to limited fiber capacity and redundancy, networks are shared, introducing vulnerabilities. Supplying offshore power from onshore facilities introduces risk as electricity grids are digitally vulnerable.
In the coming year, cybersecurity attack prevention, detection and response, and automation/remote operations are the two IT-related digital technologies that most organizations are expected to invest in (44% and 43%, respectively), according to DNV GL’s industry outlook report for 2016. However, investment in cybersecurity is lagging behind the perceived threat. This difference is most striking in Latin America, where 56% expect cybersecurity risks to increase in 2016, but only 42% plan to make a significant or moderate investment in this area.
Need for Collaboration
Many in the oil and gas sector have indicated it is difficult to prevent and mitigate cyber-vulnerabilities in accordance to the digital acceleration. They now want collaborative effort to take action. The industry has come to believe a major reason lies in not having common industry guidelines on how to act to prevent and mitigate cyber-crime.
To meet need, DNV GL has initiated a joint industry project to develop procedures on how to handle cyber-vulnerabilities. Shell, Statoil, Lundin, Siemens, Honeywell, ABB, Emerson and Kongsberg Maritime are participating to develop best practices in addressing this threat. In addition, the Norwegian Petroleum Safety Authority is participating as an observer.
‘What’ Not ‘How’
The joint industry project (JIP), initiated by DNV GL, will develop a best practice on how to deal with cyber-vulnerabilities based on the international standard IEC62443, Industrial Network and System Security. The scope of the JIP is to define which ISA/IEC62443 requirements are relevant for the common industrial automation and control systems in oil and gas installations, while developing guidelines for security level requirements for different systems. The JIP will result in a recommended practice (RP) for industrial automation and control systems in a 12-month period.
Smaller players in the oil and gas sector tend not to have any formal procedures and want a common guideline to be developed as the basis for defining company requirements. Larger companies have developed their own requirements and practices on how to deal with cyber-risks.
Further development and maintenance of these documents has, according to several operating companies, been extremely resource-demanding, and a common industry best practice would save costs and probably improve effectiveness. For suppliers in the oil and gas sector, a common industry standard would be beneficial, as they deliver tools and services meeting various requirements and procedures. For regulatory authorities and third-party auditors, it will be easier to approach a common practice.
Collaborative Action
The focus on cyber-crime in information technology (IT), such as office networks, personal computers and other personal devices has been established for some time, but it is only in the last five to 10 years that the focus included operation technology (OT) such as automation, control and safety systems. When the IT and OT technologies merge, the two cultures have to unite and operate in common. To date, IT and OT are often purchased, organized and managed in different organizational units, with information and decision lines separated.
The oil and gas industry needs to prevent and mitigate digital vulnerabilities in line with increased focus on digitalization and implementation of new technologies. Owners and operators need confidence that counter-measures can deal with cyber-attacks.
The JIP is an important collaborative initiative to ensure the industry is in control of emerging cyber-threats. The recommended practice will ensure guidelines to mitigate and prevent cyber-threats, taking both IT and OT into account. This will make the industry well-equipped to be in the forefront of digital trends, enabling it to meet challenges such as cost reduction, energy efficiency and sustainability.
Author: Pål Børre Kristoffersen is principal consultant for DNV GL-Oil & Gas, working on cybersecurity and information risk management in Norway. He has 20 years of experience in cybersecurity within both information technology (IT) and operation technology (OT) environments. He is Common Criteria qualified evaluator, ISO 27001 lead auditor and certified information systems security professional (CISSP).
Comments