February 2017, Vol. 244, No. 2
Features
A Holistic Cybersecurity Strategy in Oil & Gas
More than ever, the oil and gas industry is recognizing the importance of cybersecurity. In fact, cyber-threats have joined HSE and terrorism as a top concern for most oil and gas executives. This greater acknowledgment of the importance of cybersecurity is largely driven by prominent, and costly, cyber-attacks, such as the 2012 incident in Saudi Arabia.
The interconnectivity of the digital oil field, with sensitive data flowing freely between industrial and enterprise networks, is a reality the industry now more fully understands. And yet, the need for change to accommodate this reality has not trickled down into day-to-day operations, especially in the industrial and field environments.
With a few exceptions, the oil and gas industry has not made the kind of investment in cybersecurity that we have seen in other critical infrastructure sectors. Still missing in the industry is a dedicated focus and resource commitment to integrate cyber-vigilance at all levels of the enterprise.
On Aug. 5, 2008, a major explosion and fire occurred in Refahiye in eastern Turkey. At valve station 30 of the Baku-Tbilisi-Ceyhan crude oil pipeline, a bomb exploded and shut down the pipeline for three weeks. The Kurdistan Workers Party (PKK) claimed responsibility. The main weapon, reported Jordan Robertson and Michael Riley at Bloomberg News in December 2014, was a keyboard. Following the report, “hackers had shut down alarms, cut off communications and super-pressurized the crude oil in the line.”
Today, the energy sector is by far the No. 1 target for hackers, according to PricewaterhouseCoopers (PwC). This wasn’t the case a few years ago, but the number of cyber-attacks continues to grow – including both known and unknown attacks. The operational technology has become a growing target, now comprising 30% of all cyber-attacks. In the Middle East region alone, 50% of all cyber-attacks are directed against the oil and gas industry. These attacks have a major impact on productivity, uptime, efficiency and safety.
A cyber-attack on oil and gas facilities would not only jeopardize operations, risk intellectual property and negatively impact profitability, but also, more importantly, put at risk the lives of personnel and nearby communities. The oil and gas sector faces an array of bad actors in cyber-space including hacktivists, criminals, insiders, competitors and even some nation states. Fortunately, industry executives increasingly recognize the imperative to include cybersecurity in their risk calculus.
Following Deloitte’s 2015 BDO Risk Factors Report, 72% of oil and gas executives identified cybersecurity as a top concern – a sixfold increase compared to 2012 (12%). And for good reason: Threats to life and safety, theft of financial and customer data, and business disruption are the primary concerns for industry executives. A significant disruption to a country’s intricate network of oil and gas facilities used in exploration, production, distribution, storage and refining would have a devastating impact on the economy, environment and overall security.
Cyber-Attack Reality
Cyber-attacks are no longer theoretical. They are occurring with exponential frequency. The 2012 incident in Saudi Arabia led to the shutdown of 35,000 computer terminals, bringing business to a halt and disrupting the interconnectivity of the digital oil field. The financial cost to the company as a result of this cyber-attack was significant.
This devastating incident should not be viewed as an isolated event. Saudi Aramco alone experiences two or three cyber-attacks each year. The probability of additional cyber-attacks – across the oil and gas industry – is almost 100%. Less certain is what these companies are going to do about it.
Indeed, over the past four years, the number of industry executives citing cybersecurity as a top concern has increased fivefold. This recognition of the threat is a welcome development. But it is not enough. Staying abreast of cybersecurity threats must be a core responsibility for oil and gas industry executives. The need for change has not trickled down to daily operations, especially in the industrial and field environments.
The industry is suffering from legacy equipment, unsecure protocols, unpatched assets and untrained personnel. These risks are magnified by a decentralized operating model in which the major players and servicers do not have visibility into the combined attack surface. While some leaders in the industry have recognized the cyber-threat and made significant financial investments in strengthening cybersecurity, the industry as a whole remains far behind other critical infrastructure sectors.
Competing Industry Standards
Pipelines thousands of miles long make especially good targets for cyber-attacks. And yet, the cyber-protection of pipelines is governed by a mix of non-binding frameworks and standards. The United States, cyber-frameworks from the Department of Homeland Security (NIST Framework), Department of Energy (ONG-C2M2) and Transportation Security Administration (CARMA), all compete with industry standards of ISA (ISA 99) and API (API 1164). It is essential to harmonize these standards and develop a binding security standard for pipeline operators.
A positive development is the recent announcement by Christina Sames, American Gas Association’s vice president of Engineering and Operations, that the AGA will adopt TSA guidelines and the NIST framework in order to “remain vigilant and strengthen our offensive security posture, helping ensure the continued safe and reliable delivery of natural gas to our customers.”
But more is needed if the oil and gas industry is going to prevent and respond to cyber-attacks. A holistic cybersecurity strategy is essential. The industry has deployed a growing number of industrial control systems in networks along the entire value chain – upstream, midstream and downstream.
This enables operators to achieve big gains in operational efficiency, visibility and safety. The manufacturing industry has long recognized that connecting their industrial control systems to their enterprise IT networks helps improve operational visibility and provides business insights.
Oil and gas companies are following suit and becoming increasingly digitalized. But along with creating greater efficiency, this connectedness allows the “attack surface” to grow dramatically. This introduces new cyber-vulnerabilities. The new risks associated with digitalization are also exacerbated by aging infrastructure and legacy systems that were not designed with this kind of digital security in mind.
All About Leadership
How do oil and gas companies, and the industry as a whole, develop this holistic cybersecurity strategy? First, it takes leadership. The industry must dedicate its focus at the highest level and with commensurate financial resources to integrate cyber-vigilance at all levels of the enterprise. Every company in the oil and gas industry must develop an industrial cybersecurity strategy, stand up a cyber-governance model, re-examine their security fundamentals and build smart infrastructure defenses that include extensive cyber-training.
Siemens has hardened its own infrastructure to counter cyber-threats to its own operations, including development of a “Web of Systems” security concept designed to integrate “defense-in-depth” protection, encompassing plant, network and system security.
Today the industrial internet of things (IoT) bridges digitalization and automation, allowing secure data processing and automation anywhere on the web. Most automation suppliers rely on partners and third parties for industrial network components. Oil and gas companies are in need of ways to alleviating recurring pain points around endpoint security, securing data management, vendor risk and network visibility.
The Author: Leo Simonovich provides the strategic direction for the Siemens industrial cybersecurity business by identifying emerging market trends. He frequently speaks on topics of cyber-governance, risk management and organizational transformation in operational environments. Prior to joining Siemens, he led the cyber-risk analytics practice area at the management consulting firm, Booz Allen Hamilton, working with large oil and customers to improve their cyber-risk posture. He holds an MBA and master’s degrees in global finance, both from the University of Denver.
Comments