Cybersecurity for upstream oil and gas
Protecting the connected barrels
Oil and gas might not seem like an industry that hackers would target. But they do—and the cybersecurity risks rise with every new data-based link between rigs, refineries, and headquarters. In an increasingly connected world, how can upstream O&G companies protect themselves?
Introduction: Risks - and stakes - keep rising
For years, cyber attackers have targeted crude oil and natural gas (O&G) companies, with attacks growing in frequency, sophistication, and impact as the industry employs ever more connected technology. But the industry’s cyber maturity is relatively low, and O&G boards show generally limited strategic appreciation of cyber issues.
Why is this so? Perhaps because the industry - engaged in exploration, development, and production of crude oil and natural gas - may simply feel like an unlikely target for cyber-attacks. The business is about barrels, not bytes. In addition, the industry’s remote operations and complex data structure provide a natural defense. But with motives of hackers fast evolving - from cyberterrorism to industry espionage to disrupting operations to stealing field data - and companies increasingly basing daily operations on connected technology, risks are rising fast, along with the stakes.
Different areas of the O&G business, naturally, carry different levels of risk and demand different strategies. Our previous article, An integrated approach to combat cyber risk: Securing industrial operations in oil and gas, looked at cyber risks and the governance process at an overall O&G industry level; this follow-up explores the upstream value chain of the O&G industry (exploration, development, and production) to assess each operation’s cyber vulnerability and outline risk mitigation strategies.
Where to begin - Assess vulnerability to prioritize cyber investments
How to begin ranking vulnerabilities and priorities, especially when IT and ICS technicalities often cloud strategic appreciation and sponsorship of the cyber issue?
To engage C-suite upstream strategists, the cyber issue must be framed in the language of business risks, impacts, and solutions, explained at the level of a business unit (offshore, lower 48, international, etc.) or value chain (geophysical surveys to well abandonment).
While acknowledging that business units differ from company to company, this paper outlines a detailed cyber vulnerability and severity assessment framework at an aggregate industry value-chain level.
1. Exploration
Of the three major stages, exploration has the lowest cyber vulnerability and severity profile. Its cyber vulnerability is low because the first two operations — seismic imaging and geological and geophysical surveys — have a closed data acquisition system (rock formation data captured through magnetics, geophones, and hydrophones is largely sent via physical tapes and/or processed in proprietary models, which have limited connectedness with the outer world) and a fairly simple ecosystem of vendors (the top three geophysical vendors control 50 to 60 percent of the market and provide a complete suite of offerings).
The third operation, exploratory and appraisal drilling, has a higher risk profile but includes many elements of the development stage, covered in the next section.
2. Development
Within the O&G value chain, development of oil and gas wells is an operation particularly exposed to cyber incidents. The development drilling operation involves similar techniques to those used in exploratory and appraisal drilling but has a much bigger cyber-attack vector, due to higher drilling activity, expansive infrastructure and services both above and below the surface, and a complex ecosystem of engineering firms, equipment and material suppliers, drillers and service firms, partners, and consultants.
First, the diverse business objectives of all these stakeholders make it challenging for operators to have a single cybersecurity protocol; second, there may be a systemic concern of already-infected rigs and devices entering the ecosystem.
3. Production and abandonment
The oil and gas production operation ranks highest on cyber vulnerability in upstream operations, mainly because of its legacy asset base, which was not built for cybersecurity but has been retrofitted and patched in bits and pieces over the years, and because of the lack of monitoring tools on existing networks.
Approximately 42 percent of offshore facilities worldwide have been operational for more than 15 years, fewer than half of O&G companies use monitoring tools on their networks, and of those companies that have these tools, only 14 percent have fully operational security monitoring centers.
Mitigating cyber risks using a holistic risk management program
Ascertaining cyber risks is the first step; forming risk mitigation strategies is the next. The all-too-common response when it comes to mitigating cyber risks is to attempt to lock down everything. But with IoT technology connecting ever more systems and hackers becoming more sophisticated, zero tolerance of cyber incidents is simply unrealistic. Thus, a company should focus equally on gaining more insight into threats and responding more effectively to reduce their impact.
Put simply, an effective cyber strategy needs to be secure, vigilant, and resilient. So for O&G strategists, the question is how to make the most critical operations—seismic imaging in exploration, drilling in development, and well production in production and abandonment (as the above section explained)—secure, vigilant, and resilient. The next section describes three illustrative cyber incidents, one for each of the critical operations, to explain and highlight potential secure, vigilant, and resilient strategies. We assume companies already have standard IT solutions in place, so here we focus more on strategic solutions.