Protecting the connected barrels
Oil and gas might not seem like an industry that hackers would target. But they do—and the cybersecurity risks rise with every new data-based link between rigs, refineries, and headquarters. In an increasingly connected world, how can upstream O&G companies protect themselves?
For years, cyber attackers have targeted crude oil and natural gas (O&G) companies, with attacks growing in frequency, sophistication, and impact as the industry employs ever more connected technology. But the industry’s cyber maturity is relatively low, and O&G boards show generally limited strategic appreciation of cyber issues.1
Why is this so? Perhaps because the industry—engaged in exploration, development, and production of crude oil and natural gas—may simply feel like an unlikely target for cyber-attacks. The business is about barrels, not bytes. In addition, the industry’s remote operations and complex data structures have long been assumed to provide a natural defense. But with hackers’ motives fast evolving—from cyberterrorism to industrial espionage to disrupting operations to stealing field data—and companies increasingly basing daily operations on connected technology, risks are rising fast, along with the stakes.
Different areas of the O&G business, naturally, carry different levels of risk and demand different strategies.2 Our previous article, An integrated approach to combat cyber risk: Securing industrial operations in oil and gas, looked at cyber risks and the governance process at an overall O&G industry level; this follow-up explores the upstream value chain of the O&G industry (exploration, development, and production) to assess each operation’s cyber vulnerability and outline risk mitigation strategies.
Among the upstream operations, development drilling and production have the highest cyber risk profiles; while seismic imaging has a relatively lower risk profile, the growing business need to digitize, e-store, and feed seismic data into other disciplines could raise its risk profile in the future. A holistic risk management program that is secure, vigilant, and resilient could not only mitigate cyber risks for the most vulnerable operations but also enable all three of an upstream company’s operational imperatives: safety of people, reliability of operations, and creation of new value.
In 2016, energy was the industry second most prone to cyber-attacks, with nearly three-quarters of US O&G companies experiencing at least one cyber incident.3 But in their latest annual filings, only a handful of energy companies cite cyber breaches as a major risk. In fact, many US O&G companies lump cyber risk with other risks such as civil unrest, labor disputes, and weather disruptions; many non-US O&G companies don’t mention “cyber” even once in their 100+-page filings.4
Worryingly, more and more cyber-attacks are hitting the industrial control systems (ICS) of upstream O&G companies, putting worker safety, reputation, operations, and the environment at risk. Whether hackers use spyware targeting field bidding data, malware infecting production control systems, or denial of service that blocks the flow of information through control systems, they are becoming increasingly sophisticated and, especially alarming, are launching coordinated attacks on the industry. In 2014, for example, hackers launched an all-out assault on 50 O&G companies in Europe using well-researched phishing campaigns and advanced Trojan horse variants.5
It’s no surprise that pinpointing the attackers is tough. What complicates defense efforts is that their motives are often equally obscure. According to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), more than a third of the 2015 attacks on critical infrastructure were untraceable or had an unknown “infection vector.”6 Not knowing how an attacker got in is part of why breaches remain undetected for days, and why attacks such as Shamoon—the disk-wiping malware that crippled 30,000 computers at Middle Eastern O&G companies in 2012—continue to reappear in one form or another.7
True, some estimates put the average energy company’s annualized cost of cybercrime at only around $15 million.8 But a major incident could easily incur costs running into hundreds of millions of dollars and, more importantly, risk people’s lives and the nearby environment. If a cyber attacker were to manipulate the cement slurry data coming out of an offshore development well, black out monitors’ live views of offshore drilling, or delay the well-flow data required for blowout preventers to stop the eruption of fluids, the impact could be devastating.
Apart from the upstream industry’s “critical infrastructure” status, a complex ecosystem of computation, networking, and physical operational processes spread around the world makes the industry highly vulnerable to cyber-attacks; in other words, the industry has a large attack surface and many attack vectors (see note i and figure 1). A large O&G company, for instance, uses half a million processors just for oil and gas reservoir simulation; generates, transmits, and stores petabytes of sensitive and competitive field data; and operates and shares thousands of drilling and production control systems spread across geographies, fields, vendors, service providers, and partners.9
What adds to this vulnerability is the contrasting priorities of companies’ operational technology (OT) and information technology (IT) departments. Operational systems close to drilling and well-site operations, such as sensors and programmable logic controllers, are built with 24x7 availability as their primary attribute, followed by integrity and confidentiality. In contrast, IT systems such as enterprise resource planning follow the reverse order of priority: confidentiality, integrity, then availability. This clash of objectives—safety versus security—plays out in drilling and production control rooms, where engineers fear that stringent IT security measures could introduce unacceptable latency into time-critical control systems, impairing decision making and operational response.
The technical set-up of ICS also carries inherent security challenges. Decisions about ICS software are often made not centrally by corporate IT but at the field or unit level, resulting in products from different solution providers, based on different technologies, and built to different security standards. The decade-plus life cycle of wells and ICS, together with ongoing asset sales and purchases, adds to this diversity, making it challenging to account for, standardize, upgrade, and retrofit these systems frequently. About 1,350 oil and gas fields globally, for instance, have been producing for more than 25 years, using systems and equipment of different vintages throughout that period.10
Growing digitization and interconnectedness of operations have heightened cyber risks further. The risks were lower earlier due to physical separation of systems and decentralization of security at a unit level. But today, connected technology, in the embryonic form of digital oil fields or smart fields, has opened up an altogether new landscape of attack vectors for hackers by connecting upstream operations in real time. For example, Shell recently designed a well and controlled the speed and pressure of the drilling in Vaca Muerta, Argentina, from a remote operating center in Canada.11
What makes Internet of Things (IoT) technology so powerful, but also vulnerable, is its ability to create, communicate, aggregate, analyze, and act upon data—the stages of Deloitte’s Information Value Loop (see figure 2). These stages rely on sensor technology, typically wireless communications networks, and several analytical and automated tools, and each is highly exposed to security breaches in legacy ICS environments and complex upstream ecosystems. The upstream O&G industry thus has a dual cyber challenge: safeguarding already-created value and staying ahead of future IoT deployment.
Further, intelligent instrumentation at the field level—devices that process, analyze, and act upon collected data close to operations rather than at a centralized storage and processing center—has taken cyber risk to the front line of upstream operations. For example, a malicious hacker could slow down oil extraction by varying the motor speed and thermal capacity of an integrated sucker rod pump (the “front line” of the oil production process) simply by altering the speed commands sent from the internal optimization controllers.
With connected technology’s adoption and penetration getting ahead of current cybersecurity practices, it is not just the new IoT-generated information and value that is at risk. The future opportunity cost—including the safety of personnel and impact on the environment—is at stake.
How to begin ranking vulnerabilities and priorities, especially when IT and ICS technicalities often cloud strategic appreciation and sponsorship of the cyber issue? For engaging C-suite upstream strategists, it is necessary that the cyber issue be framed in the language of business risks, impacts, and solutions explained at the level of a business unit (offshore, lower 48, international, etc.) or value chain (geophysical surveys to well abandonment). While acknowledging that business units differ from company to company, this paper outlines a detailed cyber vulnerability and severity assessment framework at an aggregate industry value-chain level.
Vulnerability of an upstream operation is a function of its attack surface (for example, the number of vendors, users, and interfaces, or the number and type of industrial control systems and operations); the mode and flow of its data (physical or digital; unidirectional, bidirectional, or multidirectional); and the existing state of security controls. Severity, on the other hand, covers both direct and indirect costs: health, environment, and safety incidents, business disruption, legal and regulatory issues, reputational damage, and intellectual property theft (see the appendix for our research methodology).
Each upstream stage (exploration, development, and production and abandonment) has a distinct cyber vulnerability and severity profile (see figure 3). In fact, within a stage such as development, field development planning has a different cyber risk profile than development drilling. Although every operation needs to be secured, prioritizing the most critical, risk-prone operations is essential for deciding where to act first and narrowing the remediation scope. Below, we discuss the major critical and risk-prone operations in each stage.
Of the three major stages, exploration has the lowest cyber vulnerability and severity profile. Its cyber vulnerability is low because the first two operations—seismic imaging and geological and geophysical surveys—have a closed data acquisition system (rock formation data captured through magnetics, geophones, and hydrophones is largely sent via physical tapes and/or processed in proprietary models, which have limited connectedness with the outer world) and a fairly simple ecosystem of vendors (the top three geophysical vendors control 50 to 60 percent of the market and provide a complete suite of offerings).12 The third operation, exploratory and appraisal drilling, has a higher risk profile but includes many elements of the development stage, covered in the next section.
The likely financial impact of a cyber-attack on geological and geophysical surveys and seismic imaging is low, as upsetting these operations is unlikely to cause a business disruption or a health, environment, and safety incident. However, a company’s competitive field data is most at risk in this operation, and an attack might go unnoticed for a long time because it leaves no direct costs or visible impacts. For instance, the hackers behind the 2011 Night Dragon cyber-attack disabled proxy settings and, for years, used remote administration tools to steal field exploration and bidding data from many O&G companies.13
Although the current exploration workflow has a relatively safe cyber risk profile, companies are increasingly using advanced gravity wave sensors to improve accuracy of subsurface imaging and putting more and more terabytes of seismic data to use by digitizing, storing, and processing it on supercomputers. CNOOC, for example, reduced its seismic data computing time from two months to just a few days and increased its storage performance by 4.4 times by deploying open-source, high-volume servers scalable to multiple storage clusters.14
Expanding such software-based, high-performance computing and storage advancements would, no doubt, exponentially enable IoT-based value creation. But when this exploration data starts feeding in real time into cross-discipline upstream operations such as drilling plans of nearby fields, completion designs, and reserve estimations, a cyber-attack’s impact would multiply, from a potential revenue loss to a significant business disruption.15
Within the O&G value chain, the development of oil and gas wells is an operation particularly exposed to cyber incidents. Development drilling involves techniques similar to those used in exploratory and appraisal drilling but presents a much larger attack surface, due to higher drilling activity; expansive infrastructure and services both above and below the surface; and a complex ecosystem of engineering firms, equipment and material suppliers, drillers and service firms, partners, and consultants. First, the diverse business objectives of all these stakeholders make it hard for operators to enforce a single cybersecurity protocol; second, there is a systemic concern that already-infected rigs and devices may enter the ecosystem.16
Drilling and computer systems in place, mostly in offshore rigs, were designed around the theory of an isolated network—the notion that the hundreds of miles of ocean and the physical barriers to get to the rig provide a natural defense against cyber-attacks.17 But with the coming of real-time operations centers—which access and visualize real-time offshore rig data from anywhere in the world, control drilling operations, and even link geoscience and engineering databases and predict drilling hazards—nothing is off the hacker’s radar. Additionally, the industry is mechanizing and automating even manual tasks such as the lifting of pipes from racks at a rig (such as Nabors’ iRacker), making everything interconnected.18
As with vulnerability, the severity of a cyber-attack is highest in the development drilling operation. Whether the loss is an asset, business disruption, regulatory fines, reputational damage, IP theft, or a health, environment, and safety incident, this phase carries the highest future opportunity cost across all the risk categories. From hackers drifting a floating unit off a Gulf of Mexico well site, to tilting an oil rig off the coast of Africa, to tying up network specialists for 19 days to remove malware from a rig on its way from South Korea to Brazil, the phase has already seen many incidents.19 As the industry creates new value by adopting open, vendor-neutral data protocols (for instance, the Wellsite Information Transfer Standard Markup Language, WITSML), it should make sure hackers cannot turn the same advantage to their own ends by manipulating this now easily readable well data.
The other two main phases of development—field development planning and well completions—have relatively lower cyber risk profiles. Field development planning, in particular, has few real-time connections with other operations but draws on many disciplines (geology, geophysics, reservoir management, production, infrastructure, completion, economics, and finance) and therefore offers hackers many entry points. Apart from the loss of confidential field design data and the blueprint of technologies and installations, a hacker making even a small change to a rig’s GPS coordinates or to the optimum well spacing could cause significant financial damage.
The well completion process has a high probability of slipping into the high-risk cyber zone. The industry is aggressively prototyping new and connected technologies to reduce well completion time through real-time monitoring and advanced analytical software, especially in the areas of fracturing fluids, sand, and logistics management in US shales. According to Schlumberger, “the growing intensity of horizontal well programs demands that the next wave of fracturing technology come loaded to bear with sensors and real-time data streaming capabilities.”20
A point worth clarifying: Automation and connectedness should not be blamed for the increase in O&G cyber risks. Automation makes operations more efficient and safer and, very importantly, returns meaningful savings and time to operators and management. Our concern is that companies are failing to reinvest part of that dividend in the cybersecurity planning and investment needed to safeguard this new source of value.
The oil and gas production operation ranks highest on cyber vulnerability in upstream operations, mainly because of its legacy asset base, which was not built for cybersecurity but has been retrofitted and patched in bits and pieces over the years, and lack of monitoring tools on existing networks. Approximately 42 percent of offshore facilities worldwide have been operational for more than 15 years, fewer than half of O&G companies use monitoring tools on their networks, and of those companies that have these tools, only 14 percent have fully operational security monitoring centers.21
What explains or magnifies the above cybersecurity problem is an expansive operating environment and the changed role of instrument vendors from system suppliers to system aggregators. A large US O&G company has more than 25,000 producing wells, and each well has a diverse set of industrial control systems—from sensors in boreholes, to programmable logic controllers on a well, to SCADA systems in local control centers—purchased from a number of vendors with different maintenance schedules and connected using off-the-shelf technologies.22
On top of this, these loosely coupled but nonetheless integrated industrial control systems are increasingly connected to a company’s enterprise resource planning systems. With 75 percent of global oil and gas production controlled by resource planning systems, this part of the value chain faces cyber risks from both the top (IT systems) and the bottom (legacy operational technology systems in the field).23 Thus the consequences of a cyber-attack on oil and gas production could be severe, promptly affecting both the top and bottom lines. Unlike the more complex and specialized seismic and drilling data, production parameters (typically temperature, flow rate, pressure, density, speed, and the like) are relatively easy to understand, which lets hackers go for high-consequence manipulations.
The last stage of the value chain—well intervention, workover, and abandonment—has a lower vulnerability profile, as the work mostly involves mechanical alteration, well diagnostics, and replacement and maintenance. But vendors are increasingly using interoperable equipment, standard software platforms, and standard HMI interfaces to reduce costs, which in turn raises the stage’s vulnerability.
Ascertaining cyber risks is the first step; forming risk mitigation strategies is the next. The all-too-common response when it comes to mitigating cyber risks is to attempt to lock down everything. But with IoT technology connecting ever more systems and hackers becoming more sophisticated, zero tolerance of cyber incidents is simply unrealistic. Thus, a company should focus equally on gaining more insight into threats and responding more effectively to reduce their impact. Put simply, an effective cyber strategy needs to be secure, vigilant, and resilient.24
So for O&G strategists, the question is how to make the most critical operations—seismic imaging in exploration, drilling in development, and well production in production and abandonment (as the section above explained)—secure, vigilant, and resilient. The next section describes three illustrative cyber incidents, one for each critical operation, to highlight potential secure, vigilant, and resilient strategies. We assume companies already have standard IT controls in place, so we focus here on strategic solutions.
Scenario: As an offshore seismic imaging project, using a network-attached storage and data management system, nears completion, malware enters through one of the network storage nodes and reaches high-performance computing systems. Although the malware does not impact operations, it steals the competitive seismic data for a field that is up for bidding. How can a company safeguard its digitization drive for seismic data?
Although the sheer volume of seismic data has traditionally been treated as a natural barrier, the growing trend toward digitizing seismic data and storing it in the cloud requires securing the subsurface data from industry spies. By substituting each sensitive seismic data element with a nonsensitive equivalent, called a token, and running applications on tokens instead of the actual data, a company offers would-be hackers nothing of value to exploit or steal. The core token generation and indexing system is isolated, and the actual seismic data is stored encrypted with strong access controls.25
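The tokenization pattern just described, as an added example that is not code from the article or from any vendor product: a small Python token vault stands in for the isolated token-generation and indexing system, the real values are stored encrypted, and detokenization is restricted to an allow-list of principals. The class name, the survey records, and the stdlib HMAC-based cipher standing in for an AEAD such as AES-GCM are all assumptions made for the example.

```python
"""Tokenizing sensitive seismic data elements.

This is an added illustration, not code from the article. TokenVault stands
in for the isolated token-generation/index system: applications only ever
handle random tokens, the real values live in the vault encrypted under a key
the applications never see, and detokenization is limited to an explicit
allow-list of principals. The encrypt-then-MAC construction (HMAC-SHA256 in
counter mode plus an HMAC tag) is a stdlib-only stand-in for an AEAD such as
AES-GCM; the survey records at the bottom are constructed.
"""
import hashlib
import hmac
import secrets
from collections import Counter


class TokenVault:
    def __init__(self, master_key=None):
        self._key = master_key or secrets.token_bytes(32)
        self._store = {}       # token -> (nonce, ciphertext, tag)
        self._index = {}       # HMAC(value) -> token, so equal values map to one token
        self._authorized = set()

    def _keystream(self, nonce, length):
        out, block = b"", 0
        while len(out) < length:
            out += hmac.new(self._key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
            block += 1
        return out[:length]

    def _tag(self, nonce, ct):
        return hmac.new(self._key, b"tag|" + nonce + ct, hashlib.sha256).digest()

    def tokenize(self, value: bytes) -> str:
        """Return the token for value, minting a fresh random one on first sight."""
        lookup = hmac.new(self._key, b"idx|" + value, hashlib.sha256).digest()
        if lookup in self._index:
            return self._index[lookup]
        nonce = secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(value, self._keystream(nonce, len(value))))
        token = "tok_" + secrets.token_hex(16)   # random; carries no information about value
        self._store[token] = (nonce, ct, self._tag(nonce, ct))
        self._index[lookup] = token
        return token

    def grant(self, principal: str) -> None:
        self._authorized.add(principal)

    def detokenize(self, token: str, principal: str) -> bytes:
        """Recover the real value; only allow-listed principals may call this."""
        if principal not in self._authorized:
            raise PermissionError(f"{principal} is not allowed to detokenize")
        nonce, ct, tag = self._store[token]
        if not hmac.compare_digest(tag, self._tag(nonce, ct)):
            raise ValueError("stored record failed its integrity check")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


# Constructed acquisition output: (shot-point location, trace samples). The
# location is the competitively sensitive element; the trace is opaque data.
SAMPLE_TRACES = [
    (b"block7/line12/shot0041", b"\x01\x02\x03\x04"),
    (b"block7/line12/shot0041", b"\x05\x06\x07\x08"),
    (b"block7/line12/shot0042", b"\x09\x0a\x0b\x0c"),
]


def ingest(vault, traces):
    """Swap locations for tokens before records leave the acquisition system."""
    return [(vault.tokenize(location), trace) for location, trace in traces]


def traces_per_shot(tokenized):
    """Processing-side work that needs grouping by shot point but not the coordinates."""
    return Counter(token for token, _ in tokenized)


if __name__ == "__main__":
    vault = TokenVault()
    records = ingest(vault, SAMPLE_TRACES)
    print(traces_per_shot(records))          # counts keyed by token only
    vault.grant("interpretation-service")
    print(vault.detokenize(records[0][0], "interpretation-service"))
```

The point of the index is that equal locations map to the same token, so downstream processing can still join and group records without ever seeing coordinates; the point of the separate allow-list is that compromising an application that holds tokens yields nothing until the attacker also reaches the vault.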
As several business disciplines access seismic models throughout the field life cycle, and the models are constantly improved with new data from multiple repositories, an O&G company should be vigilant about potential data theft. By logging network traffic across disciplines and inspecting it against established baselines for the disciplines—to catch, for instance, a user downloading too much data or gaining access to data unusually frequently—a company can proactively monitor traffic associated with seismic data.26
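One way to implement the baseline-and-deviation check above, as an added example rather than the article’s own code. It parses constructed export-gateway log lines, builds a per-discipline baseline of daily bytes and access counts per user from a prior period, and flags any user-day that exceeds a robust (median plus scaled MAD) threshold. The log format, the user names, and the multiplier k are assumptions.

```python
"""Baseline-and-deviation monitoring of seismic data access.

Added illustration, not the article's code. Daily download volume and access
count per user are compared against a per-discipline baseline built from
earlier activity. Robust statistics (median and median absolute deviation)
keep one legitimately heavy user from stretching the baseline. The export
gateway log lines are constructed, with the format
"<date> <user> <discipline> <bytes>".
"""
from collections import defaultdict
from statistics import median

BASELINE_LOG = """\
2017-05-01 geo.alice geophysics 1000000000
2017-05-01 geo.alice geophysics 1000000000
2017-05-02 geo.alice geophysics 1000000000
2017-05-02 geo.alice geophysics 1000000000
2017-05-02 geo.alice geophysics 1000000000
2017-05-01 geo.bob geophysics 500000000
2017-05-01 geo.bob geophysics 1000000000
2017-05-02 geo.bob geophysics 1000000000
2017-05-02 geo.bob geophysics 1000000000
2017-05-02 geo.bob geophysics 1000000000
2017-05-02 geo.bob geophysics 1000000000
"""
# Today: alice behaves as usual; one account pulls 2 GB eight times in a day.
TODAY_LOG = """\
2017-05-09 geo.alice geophysics 1000000000
2017-05-09 geo.alice geophysics 1000000000
2017-05-09 geo.alice geophysics 1000000000
""" + "2017-05-09 geo.mallory geophysics 2000000000\n" * 8


def parse(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            date, user, discipline, nbytes = line.split()
            events.append((date, user, discipline, int(nbytes)))
    return events


def user_days(events):
    """Aggregate events to (discipline, user, date) -> [bytes, accesses]."""
    agg = defaultdict(lambda: [0, 0])
    for date, user, discipline, nbytes in events:
        agg[(discipline, user, date)][0] += nbytes
        agg[(discipline, user, date)][1] += 1
    return agg


def robust_threshold(values, k):
    """median + k * scaled MAD; falls back to 10% of the median if MAD is zero."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    spread = 1.4826 * mad if mad > 0 else 0.1 * abs(med)
    return med + k * spread


def build_baseline(events, k=4.0):
    """Per-discipline thresholds for daily bytes and daily access count per user."""
    samples = defaultdict(lambda: {"bytes": [], "accesses": []})
    for (discipline, _, _), (nbytes, count) in user_days(events).items():
        samples[discipline]["bytes"].append(nbytes)
        samples[discipline]["accesses"].append(count)
    return {d: {m: robust_threshold(v, k) for m, v in metrics.items()}
            for d, metrics in samples.items()}


def detect(baseline, events):
    """Return (date, user, discipline, metric, observed, limit) for each excess."""
    alerts = []
    for (discipline, user, date), (nbytes, count) in user_days(events).items():
        limits = baseline.get(discipline)
        if limits is None:                      # activity with no baseline is itself notable
            alerts.append((date, user, discipline, "no-baseline", count, 0))
            continue
        if nbytes > limits["bytes"]:
            alerts.append((date, user, discipline, "bytes", nbytes, limits["bytes"]))
        if count > limits["accesses"]:
            alerts.append((date, user, discipline, "accesses", count, limits["accesses"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(parse(BASELINE_LOG)), parse(TODAY_LOG)):
        print(alert)
```

In practice the baseline would be recomputed on a rolling window and split by role as well as discipline; the robust statistics matter because a single heavy but legitimate user can otherwise set a mean-based threshold that hides everyone else.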
Considering the substantial cost of seismic data acquisition, having a trusted backup of seismic data is essential to ensure that even if the actual data is compromised, the processing and interpretation of seismic data continue or remain resilient. With a shift toward digital storage and processing of seismic data using multiple storage nodes, a company’s backup workflow also needs to align with this framework. Rather than a monolithic solution that would require time to recover lost data, a cluster-based program that connects each node in the backup cluster to other storage nodes could allow faster data recovery in case of a breach.27
Scenario: A rogue software program, hiding in a rig component’s system or appearing from a network loop, enters the drilling control system and begins governing essential drilling parameters. The result is angular deviation of the well, sudden fluid influx, and well integrity issues, leading to significant additional costs and putting both people and the environment at risk. How best to avoid or respond?
Given the complex ecosystem of vendors and equipment in drilling, a company can secure its operations by testing new systems, equipment, and software in a pre-deployment environment before they enter the production systems. An operator-governed pre-deployment station on a rig could identify existing malware early and confirm that systems adhere to minimum cyber standards.28
A company needs a holistic vigilance strategy, considering that securing every drilling asset is nearly impossible and that additional security features may interfere with the availability of operations or slow down time-sensitive decision making. By running cyber scans on cloned SCADA and other specific systems rather than on the live ones, and by searching for anomalies against a “baseline of normal” using both physics-based and nonphysics-based data, a company can detect a breach early, before it reaches its target.29
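An added example of anomaly detection against a baseline of normal that combines physics-based and nonphysics-based checks; it is illustrative code, not the article’s. It runs over constructed drilling telemetry matching the scenario above: a mass-balance invariant between pit volume and the flow channels catches a masked sensor, a flow-balance check catches fluid influx, and a standpipe-pressure-versus-pump-rate baseline learned from normal records catches a reported value that does not fit. Units, tolerances, and the records are assumptions.

```python
"""Physics-consistency and baseline checks on drilling telemetry.

Added illustration, not the article's code. Two checks run over the same
minute-by-minute records: a mass-balance invariant (the active pit volume can
only change as fast as flow out minus flow in) that a rogue program
overwriting one sensor channel will violate, and a statistical baseline
(standpipe pressure against pump rate) learned from normal operation. The
records are constructed; flow is in gpm, pit volume in bbl, pump rate in spm,
standpipe pressure in psi, with one record per minute.
"""
GPM_TO_BBL_PER_MIN = 1 / 42.0


def rec(t, flow_in, flow_out, pit, spm, spp):
    return {"t": t, "flow_in": flow_in, "flow_out": flow_out, "pit": pit, "spm": spm, "spp": spp}


# Steady circulation used to learn the baseline.
NORMAL = [rec(t, 500, 500, 800.0, 60, 2500) for t in range(5)]

# Constructed incident: from t=4 the pit rises 2 bbl/min while the flow
# channels still claim balance (one channel is being masked); at t=6 the
# flow-out sensor shows a genuine 60 gpm excess; at t=7 standpipe pressure
# is reported far below what the pump rate implies.
INCIDENT = [
    rec(0, 500, 500, 800.0, 60, 2500),
    rec(1, 500, 500, 800.0, 60, 2500),
    rec(2, 500, 500, 800.0, 60, 2500),
    rec(3, 500, 500, 800.0, 60, 2500),
    rec(4, 500, 500, 802.0, 60, 2500),
    rec(5, 500, 500, 804.0, 60, 2500),
    rec(6, 500, 560, 805.4, 60, 2500),
    rec(7, 500, 500, 805.4, 60, 1900),
]


def calibrate_spp(records):
    """Fit standpipe pressure = coeff * spm^2 from records of normal operation."""
    ratios = [r["spp"] / r["spm"] ** 2 for r in records if r["spm"] > 0]
    return sum(ratios) / len(ratios)


def check(records, spp_coeff, balance_tol=0.5, influx_tol=0.5, spp_tol=0.15):
    """Return (t, rule, detail) alerts; tolerances are assumptions for the example."""
    alerts = []
    for prev, cur in zip(records, records[1:]):
        dt = cur["t"] - prev["t"]
        implied = (cur["flow_out"] - cur["flow_in"]) * GPM_TO_BBL_PER_MIN   # bbl/min
        observed = (cur["pit"] - prev["pit"]) / dt                          # bbl/min
        if abs(observed - implied) > balance_tol:
            alerts.append((cur["t"], "mass_balance",
                           f"pit changes {observed:+.2f} bbl/min, flow channels imply {implied:+.2f}"))
        if implied > influx_tol:
            alerts.append((cur["t"], "influx", f"flow out exceeds flow in by {implied:.2f} bbl/min"))
        if cur["spm"] > 0:
            expected = spp_coeff * cur["spm"] ** 2
            if abs(cur["spp"] - expected) > spp_tol * expected:
                alerts.append((cur["t"], "spp_baseline",
                               f"SPP {cur['spp']} psi vs {expected:.0f} psi expected at {cur['spm']} spm"))
    return alerts


if __name__ == "__main__":
    coeff = calibrate_spp(NORMAL)
    for alert in check(INCIDENT, coeff):
        print(alert)
```

The mass-balance rule is the one a purely statistical detector would miss: every individual channel at t=4 and t=5 looks normal, and only their physical relationship gives the manipulation away. The same approach carries over to the production scenario later in the article, where pump speed, motor current, and flow must agree with each other.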
Although creating air gaps or quarantining systems identified as infected is one of the most-used resilient strategies, developing a cross-discipline cyber playbook for stakeholders on a rig and onshore control centers could significantly reduce response time and reduce losses.30 Response time is critical, especially offshore, as daily contract rates for rigs are as high as $500,000.31 After being overrun by malware, for example, a rig en route from Korea to South America in 2010 had to be shut down for 19 days for engineers to restore its functionality.32
Scenario: A worm is deployed on an onshore industrial control system that can make changes to logics in programmable logic controllers and bypass the protective gearbox for motor pumps. The worm masks the condition of the gearbox in control rooms and changes the speed of the pumps randomly; these variations lead to suboptimal oil production, higher wear and tear of pumps, and even rupturing of wells. What can a company do to avoid such a scenario?
A company can secure its critical control systems by administering a holistic patch-management program on a risk-based approach, rather than only the scheduled or compliance-based approach.33 At a minimum, this requires inventorying the assets, doing a detailed vulnerability/severity assessment of each asset, and prioritizing and promptly scheduling updates for the critical ones. Additionally, an upstream company can err on the side of replacing legacy devices that run only a simple cyber protocol with wholly new, purpose-built hardware rather than retrofitting them.34
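The risk-based prioritization in that paragraph, and the vulnerability/severity framework introduced earlier in the article, as one added scoring example (not the article’s own methodology, which was qualitative): each inventoried asset is scored on the vulnerability and severity factors the article lists, the product orders the patch queue, and the tier sets a remediation window. Weights, caps, tier cut-offs, and the sample assets are assumptions for the example.

```python
"""Risk-based patch prioritization for upstream control-system assets.

Added illustration, not the article's code. It turns the article's
vulnerability/severity assessment into a scoring routine: vulnerability from
attack surface (vendors, interfaces), data-flow exposure, maturity of existing
controls and whether an exploitable flaw is outstanding; severity from safety,
environment, downtime cost and data value. Their product orders the patch
queue and assigns a remediation window. All weights, caps, tier cut-offs and
the sample assets are assumptions constructed for the example.
"""
from dataclasses import dataclass

FLOW_EXPOSURE = {"physical": 0.0, "unidirectional": 1 / 3,
                 "bidirectional": 2 / 3, "multidirectional": 1.0}
# (risk floor, tier, remediation window in days). A patch that cannot be applied
# inside its window needs a documented compensating control instead.
TIERS = [(50, "critical", 7), (25, "high", 30), (10, "medium", 90), (0, "low", 365)]
DOWNTIME_CAP = 500_000.0   # USD/day; offshore rig day rates reach this level


@dataclass
class Asset:
    name: str
    operation: str
    vendors: int              # distinct suppliers with access or components
    interfaces: int           # network/data interfaces into the asset
    data_flow: str            # key of FLOW_EXPOSURE
    control_maturity: float   # 0 (none) .. 1 (mature, monitored)
    exploitable_vuln: bool    # unpatched flaw with a public exploit
    safety_impact: int        # 0..3
    env_impact: int           # 0..3
    downtime_cost: float      # USD per day of lost operation
    data_value: int           # 0..3 competitive value of data held


def vulnerability(a: Asset) -> float:
    surface = 0.5 * min(a.vendors / 10, 1.0) + 0.5 * min(a.interfaces / 20, 1.0)
    exposure = (surface + FLOW_EXPOSURE[a.data_flow]) / 2
    score = 10 * exposure * (1 - 0.5 * a.control_maturity)
    if a.exploitable_vuln:
        score += 2
    return min(score, 10.0)


def severity(a: Asset) -> float:
    return 10 * (0.35 * a.safety_impact / 3 + 0.25 * a.env_impact / 3
                 + 0.25 * min(a.downtime_cost / DOWNTIME_CAP, 1.0) + 0.15 * a.data_value / 3)


def tier(risk: float):
    for floor, name, days in TIERS:
        if risk >= floor:
            return name, days
    return "low", 365


def plan(assets):
    """Patch queue ordered by risk = vulnerability x severity (0..100)."""
    rows = []
    for a in assets:
        v, s = vulnerability(a), severity(a)
        name, days = tier(v * s)
        rows.append({"asset": a.name, "operation": a.operation, "vulnerability": round(v, 2),
                     "severity": round(s, 2), "risk": round(v * s, 1), "tier": name, "window_days": days})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


SAMPLE_ASSETS = [
    Asset("seismic_nas", "exploration", 2, 4, "unidirectional", 0.7, False, 0, 0, 20_000, 3),
    Asset("drilling_control", "development", 12, 10, "bidirectional", 0.5, False, 3, 2, 500_000, 2),
    Asset("production_scada", "production", 8, 15, "multidirectional", 0.3, True, 3, 3, 300_000, 1),
]

if __name__ == "__main__":
    for row in plan(SAMPLE_ASSETS):
        print(row)
```

Scoring the two factors separately keeps the reasoning visible to the board: a legacy production controller with an outstanding exploitable flaw lands in the critical tier because of its severity, while a well-isolated seismic store with the same flaw would not, which is the argument for spending the first patch window on the former.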
By correlating threat feeds from external sources (for example, tracking cyber threat topics and methods on social media) with internal cyber data, a company can raise its vigilance by identifying and addressing threats early. It is essential for an O&G company to collect, share, and monitor for key indicators of compromise from external sources, especially since cyber-attacks on the industry’s SCADA systems have a long history, with many attacks reemerging in one form or another; for instance, the second known Shamoon attack, in Saudi Arabia in 2016, reused the Disttrack payload from Shamoon 1 in 2012.35
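An added example of the threat-feed correlation described above, not code from the article: a constructed indicator feed is normalized and matched against constructed process, DNS, and proxy log lines, and the hits are pivoted by campaign tag. The feed format, field names, and indicators are all assumptions; the hashes are SHA-256 of placeholder strings, not of real malware, and the addresses come from documentation ranges.

```python
"""Correlating external indicators of compromise with internal telemetry.

Added illustration, not the article's code. A threat feed is normalized
(including re-fanging of "example[.]com" style indicators) and matched against
process-execution, DNS and proxy log lines; each hit carries the feed's tag so
an analyst sees which known campaign it resembles. Feed and logs are
constructed: the hashes are SHA-256 of placeholder strings, not hashes of real
malware, and the addresses come from documentation ranges.
"""
import hashlib
import re


def _fake_hash(label):
    return hashlib.sha256(label.encode()).hexdigest()


THREAT_FEED = [
    f"sha256 {_fake_hash('constructed-wiper-sample')} tag=wiper-reuse",
    "domain update-srv[.]example tag=staging-c2",
    "ip 203.0.113.45 tag=staging-c2",
]
INTERNAL_LOGS = [
    f"2017-01-23T02:14:05 host=eng-ws-17 proc=svcupd.exe sha256={_fake_hash('constructed-wiper-sample')}",
    f"2017-01-23T02:14:06 host=eng-ws-17 proc=notepad.exe sha256={_fake_hash('benign-editor')}",
    "2017-01-23T02:15:11 host=eng-ws-17 dns_query=UPDATE-SRV.example",
    "2017-01-23T02:15:12 host=eng-ws-17 dst_ip=203.0.113.45 dst_port=443",
    "2017-01-23T02:20:00 host=hist-srv-02 dst_ip=198.51.100.9 dst_port=502",
]

# Which log field carries which indicator kind.
FIELD_KIND = {"sha256": "sha256", "dns_query": "domain", "dst_ip": "ip"}
KV = re.compile(r"(\w+)=(\S+)")


def refang(indicator):
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_feed(lines):
    """Feed format (constructed): '<kind> <value> tag=<label>' -> {kind: {value: tag}}."""
    iocs = {}
    for line in lines:
        kind, value, *rest = line.split()
        tag = next((r.split("=", 1)[1] for r in rest if r.startswith("tag=")), "untagged")
        iocs.setdefault(kind, {})[refang(value).lower()] = tag
    return iocs


def correlate(iocs, log_lines):
    """Match every indicator-bearing field of each log line against the feed."""
    hits = []
    for line in log_lines:
        fields = dict(KV.findall(line))
        for field, kind in FIELD_KIND.items():
            value = fields.get(field, "").lower()
            if value and value in iocs.get(kind, {}):
                hits.append({"time": line.split()[0], "host": fields.get("host"),
                             "kind": kind, "value": value, "tag": iocs[kind][value]})
    return hits


def hosts_by_tag(hits):
    """Pivot: which hosts touched indicators of which campaign."""
    pivot = {}
    for h in hits:
        pivot.setdefault(h["tag"], set()).add(h["host"])
    return {tag: sorted(hosts) for tag, hosts in pivot.items()}


if __name__ == "__main__":
    found = correlate(parse_feed(THREAT_FEED), INTERNAL_LOGS)
    for hit in found:
        print(hit)
    print(hosts_by_tag(found))
```

Normalizing case and de-fanging on both sides is what makes the match reliable; the pivot by tag is the step that turns three separate hits on one workstation into a single incident rather than three tickets.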
For rapidly containing the damage, or being resilient, a company can regularly practice its response through cyber wargaming and simulations. Staging simulations, especially with the people who would respond to incidents offshore or in remote locations, builds a better understanding of threats and improves cyber judgment at the lowest operational level.36
The upstream oil and gas industry is evolving fast, as automation, digitalization, and IoT technology are rapidly integrated into its complex operational ecosystem. However, the industry’s march toward interconnectedness has outpaced its cyber maturity, making it a prime target for cyber-attacks. We believe that limited strategic appreciation and sponsorship at the boardroom level, rather than a lack of technical know-how, explains the industry’s relatively low cyber maturity.
Getting sponsorship from top management requires framing the problem strategically and describing how cybersecurity enables the company’s three topmost operational imperatives: safety of assets, people, and environment; an uninterrupted availability and reliability of assets; and creating new value from assets (see figure 6). The next step involves rallying everyone in the enterprise around a holistic cyber risk management program.
The current period of low oil prices has provided upstream companies—weary after years of chasing high growth—with the much-needed breathing space to focus on internal processes and systems. The industry has made a great beginning by focusing on efficiency; now it needs to close by safeguarding operations from cyber-attacks. We believe that cyber, like automation and digital oil fields, can quickly mature from a cost item to an essential investment.
We qualitatively mapped each upstream operation on the cyber vulnerability/severity matrix using a mix of primary interviews, extensive secondary research including a review of technical papers, recent surveys on the industry’s cyber preparedness, and study of recent cyber-attacks on a product and service portfolio of oilfield services, automation, and cyber service providers.
For ascertaining cyber vulnerability, we considered aspects such as: number of users, vendors, interfaces, and services involved in each operation; age and type of control systems (legacy, proprietary, open-ended, or close-ended), and working mechanism of software and control systems (default or query-based); mode and flow of information (physical, virtual, mixed); and the maturity of existing cybersecurity controls.
For ascertaining cyber severity, we looked at aspects such as: type of injury (fatal or nonfatal) and probability of a spill, leakage, and pollution; downtime cost; potential fines and penalties by regulators; damage to brand and reputation; and loss of field data and other competitive data.
i. An attack surface is the total sum of the vulnerabilities in a given computing device or network that are accessible to a hacker. An attack vector is a path or means by which a hacker can gain access to a computer or network server in order to deliver a payload or malicious outcome.