February 2018, Vol. 245, No. 2


Smart Pipelines and Smarter People

By Dana Pasquali, Cyber Security Lead, BHGE

The industrial world is becoming more digitally connected, making operations smarter and more productive. But with that connectivity comes increased vulnerability to security threats.

Last year, three out of four oil and gas companies fell victim to at least one cyber-attack, as hacking efforts across the industry, and across the world, have become more frequent and sophisticated. This statistic illustrates why the conversation around cyber-attacks in the oil and gas space is no longer a question of “if” but “when.”

Pipeline operators are at a critical turning point. The pressure of managing aging infrastructure is driving the accelerated transformation to digital assets and smart pipelines. New digital technologies can result in better productivity and safety but they also increase the attack surface for cyber-threats. The pace of adoption of these digital technologies needs to match the pace of cybersecurity programs and considerations. The simplest approach to begin mitigating against cyber-threats is a twofold strategy, ensuring you have more secure technology and trained people.

Where to Start

The current network of aging infrastructure was not built with cybersecurity in mind. As the industry continues to update and repair pipelines with digital technologies, we need to address the basic question most operators have when it comes to cybersecurity – “where do I start?”

The first consideration operators need to make is referencing the existing cybersecurity standards for pipelines. The Department of Homeland Security’s guidance on pipeline cybersecurity from the Transportation Security Administration (TSA) is a good starting point to assess what the basic cybersecurity measures and best practices are for the industry.

The next step is to go back to baseline inventories and begin assessing what assets are in the field. In many cases, the differences between how the infrastructure was built and what is currently in the field can be significant and should be documented.

Once you have a full inventory you can begin to conduct a gap analysis to assess what you have and what you ought to have in terms of assets and protection. Based on this analysis, operators need to then identify what are critical and non-critical assets. Depending on the number of critical assets, operator’s information technology (IT) and operational technology (OT) teams can begin to work together on creating a vulnerability assessment and determine what technical controls are necessary to protect operations. Performing this assessment not only gives operators the knowledge necessary to move towards a stronger cybersecurity solution but is also a good starting point for increased communication and collaboration across IT and OT teams.

Once operators have completed this baseline assessment and have a strong understanding of where their infrastructure’s security stands, they can begin critically evaluating the digital technology they plan to bring online.

Protecting the Edge 

Digital technology is the industry’s greatest enabler for productivity and profit. In a Kimberlite Research survey of 51 key decision-makers at pipeline companies across North America, 81% said that getting all of their system assets connected digitally over the next three to five years is a moderate to high priority. The main driver of this digital transformation is the return on investment (ROI).

Some of the industry’s most exciting technologies, such BHGE’s Predictive Corrosion Management (PCM) solution, provide real-time data on pipeline corrosion and ultimately save operators’ costs on downtime and maintenance. The PCM digital solution combines Predix, GE’s application development platform for the Industrial Internet, with RightraxPM installed sensors and advisory services to continuously monitor corrosion-related risk. Together, this solution proactively makes disposition decisions and minimizes total cost of operations.

Corrosion and erosion are measured using permanently installed ultrasonic sensors which help operators maintain personnel safety and reduce the cost and time associated with manual inspection such as scaffolding and insulation removal. The ROI of these technologies is clear in the numbers. Operators who managed assets through a proactive/data-driven approach spent an average of $935 in planned costs and $267 in unplanned costs per mile, whereas those who managed assets through a reactive approach spent an average of $1,433 in planned costs and $1,274 in unplanned costs per miles.

When implementing these digital solutions, a cybersecurity plan is a necessity when the costs of a cyber-hack are considered. Expert advisory services and cybersecurity solutions help operators to protect the “edge,” or the connection between the sensors on the asset and the cloud, from being hacked and the data being manipulated or stolen.

This is a crucial component of any proactive cybersecurity plan and requires a thorough defense-in-depth program that uses multiple tools and policies to help protect, detect and correct an attack. As operators look to digitize their assets and leverage technologies such as PCM, it is critical that cybersecurity is considered a part of the costs and ultimately the ROI.

Insider Threat

When it comes to cybersecurity the saying is true: You are only as strong as your weakest link. As our pipelines become smarter, we need to encourage our people to become more educated as well.

Effective cybersecurity begins with a culture that positions security on the same level as safety and compliance. Creating a culture of cybersecurity awareness through a company’s processes and policies is becoming increasingly important as oil and gas operators adopt digital solutions. Unfortunately, this can prove to be difficult in the midstream industry, where there are numerous contractors and subcontractors who have access to operator data and assets every day.

These third parties can have unrestricted access to the network locally or remotely and may have malicious intentions or, more often, be oblivious to cyber-threats. In an internal exercise, 56% of employees clicked on phishing links, even though they claim to be aware of the risks. Educating your workforce and making them accountable for protecting and preventing against cyber-attacks is critical.

The most important step to this education is making sure your company is providing regular updates to your cybersecurity policies and practices. If you do not have a cybersecurity policy, create one. Institutionalizing best practices for employees is critical to a company’s cybersecurity plan.

These best practices can include proper password management for accounts, safe browsing guidelines, maintaining anti-virus software on computers and institutionalizing caution when dealing with unknown email addresses. Contractors, subcontractors and other relevant supply chain partners should be aware of these policies and, where possible, offered training on additional best practices such as knowing your malware and securing your Wi-Fi.

Considering the threat of cybersecurity while trying to digitize assets and improve productivity can seem like a herculean task. By starting at the basics, assessing their inventory and creating a vulnerability assessment, operators can better inform themselves of where they stand and where there may be gaps in their infrastructure. From there, moving towards a more effective cybersecurity approach starts with more secure technologies and informed people. Educating employees and instilling a work culture conscious of cybersecurity can better protect operators against cyber-threats.

Digital technologies are transforming our whole pipeline network. The value these technologies provide is significant and continues to expand in tandem with the growing threat of cybersecurity. To reduce risks and maximize all the benefits new technologies provide our industry, oil and gas companies need their cybersecurity practices to be in lock-step with their digital transformation. P&GJ

Related Articles


{{ error }}
{{ comment.comment.Name }} • {{ comment.timeAgo }}
{{ comment.comment.Text }}