So for O&G strategists, a question is how to make the most critical operations—seismic imaging in exploration, drilling in development, and well production in production and abandonment (as the above section explained)—secure, vigilant, and resilient. The next section describes three illustrative cyber incidents, one for each of the critical operations, to explain and highlight potential secure, vigilant, and resilient strategies. We assume companies already have standard IT solutions in place, so here we focus more on strategic solutions.
Scenario: As an offshore seismic imaging project, using a network-attached storage and data management system, nears completion, malware enters through one of the network storage nodes and reaches high-performance computing systems. Although the malware does not impact operations, it steals the competitive seismic data for a field that is up for bidding. How can a company safeguard its digitization drive for seismic data?
Although petabytes of seismic data act as a natural barrier by overwhelming hackers, the growing trend of digitalization and storage of seismic data in the cloud requires securing the sub-surface data from industry spies. By substituting each sensitive seismic data element with a nonsensitive equivalent, called a token, and running applications on tokens instead of actual data, a company would offer would-be hackers nothing of value to exploit or steal. The core token generation or indexation system is isolated, and the system stores the actual seismic data in an encrypted format with strong access controls.25
As several business disciplines access seismic models throughout the field life cycle, and the models are constantly improved with new data from multiple repositories, an O&G company should be vigilant about potential data theft. By logging network traffic across disciplines and inspecting it against established baselines for the disciplines—to catch, for instance, a user downloading too much data or gaining access to data unusually frequently—a company can proactively monitor traffic associated with seismic data.26
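The per-discipline baseline check described above, as an added example that is not from the Deloitte article: a history of normal seismic-data access is turned into a mean session size and a busiest-user session count per discipline, and a day's log is then checked for users pulling far more than their discipline normally does or logging sessions far more often. The log format, the discipline names and both thresholds are constructed assumptions.

```python
# Added example (not from the Deloitte article): per-discipline baseline check
# on seismic-data access logs. Format, disciplines and thresholds are assumed.
from collections import Counter, defaultdict
from statistics import mean

# Constructed history of normal activity: date, user, discipline, bytes pulled.
BASELINE_LOG = """\
2017-03-01 geo01 geophysics 4200000000
2017-03-01 geo01 geophysics 4500000000
2017-03-02 geo02 geophysics 3900000000
2017-03-01 res01 reservoir 800000000
2017-03-01 res02 reservoir 950000000
"""
# Constructed single day under review: res03 pulls one huge volume, and often.
TODAY_LOG = """\
2017-03-03 geo01 geophysics 4400000000
2017-03-03 res01 reservoir 850000000
2017-03-03 res03 reservoir 900000000
2017-03-03 res03 reservoir 61000000000
2017-03-03 res03 reservoir 880000000
2017-03-03 res03 reservoir 910000000
"""
VOLUME_FACTOR = 3  # session bigger than 3x the discipline's mean session
FREQ_FACTOR = 2    # more sessions a day than 2x the busiest baseline user

def parse(text):
    return [(d, u, disc, int(b)) for d, u, disc, b in
            (line.split() for line in text.splitlines())]

def build_baselines(rows):
    """Per discipline: mean bytes per session and max sessions per user-day."""
    sizes, per_day = defaultdict(list), Counter()
    for date, user, disc, nbytes in rows:
        sizes[disc].append(nbytes)
        per_day[(disc, user, date)] += 1
    return {disc: {"mean_bytes": mean(v),
                   "max_daily": max(n for (d, _, _), n in per_day.items() if d == disc)}
            for disc, v in sizes.items()}

def find_anomalies(rows, baselines):
    """Alerts (kind, user) for one day's rows: oversized sessions, over-frequent users."""
    alerts, daily = [], Counter()
    for _, user, disc, nbytes in rows:
        daily[(user, disc)] += 1
        if nbytes > VOLUME_FACTOR * baselines[disc]["mean_bytes"]:
            alerts.append(("volume", user))
    for (user, disc), n in daily.items():
        if n > FREQ_FACTOR * baselines[disc]["max_daily"]:
            alerts.append(("frequency", user))
    return alerts
```

Running `find_anomalies(parse(TODAY_LOG), build_baselines(parse(BASELINE_LOG)))` flags res03 twice, once for the oversized session and once for the session count, while the geophysics user's larger but discipline-typical downloads pass.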
Considering the substantial cost of seismic data acquisition, having a trusted backup of seismic data is essential to ensure that even if the actual data is compromised, the processing and interpretation of seismic data continue or remain resilient. With a shift toward digital storage and processing of seismic data using multiple storage nodes, a company’s backup workflow also needs to align with this framework. Rather than a monolithic solution that would require time to recover lost data, a cluster-based program that connects each node in the backup cluster to other storage nodes could allow faster data recovery in case of a breach.27
Scenario: A rogue software program, hiding in a rig component’s system or appearing from a network loop, enters the drilling control system and begins governing essential drilling parameters. The result is angular deviation of the well, sudden fluid influx, and well integrity issues, leading to significant additional costs and putting both people and the environment at risk. How best to avoid or respond?
Considering the complex ecosystem of vendors and equipment in drilling, a company can secure its operations by pre-deploying (a.k.a. pre-testing) new systems, equipment, and software before they enter the mainstream system. An operator-governed pre-deployment station on a rig could identify existing malware early and confirm that systems adhere to minimum cyber standards.28
A company needs a holistic vigilant strategy, considering that securing every drilling asset is nearly impossible and additional security features may interfere with the availability of operations or slow down time-sensitive decision making. By running cyber scans on cloned SCADA and other specific systems rather than on actuals, and by searching for anomalies against a “baseline of normal” using both physics and nonphysics-based data, a company can detect a breach early before it reaches its target.29
Although creating air gaps or quarantining systems identified as infected is one of the most-used resilient strategies, developing a cross-discipline cyber playbook for stakeholders on a rig and onshore control centers could significantly reduce response time and reduce losses.30 Response time is critical, especially offshore, as daily contract rates for rigs are as high as $500,000.31 After being overrun by malware, for example, a rig en route from Korea to South America in 2010 had to be shut down for 19 days for engineers to restore its functionality.32
Scenario: A worm is deployed on an onshore industrial control system that can make changes to logics in programmable logic controllers and bypass the protective gearbox for motor pumps. The worm masks the condition of the gearbox in control rooms and changes the speed of the pumps randomly; these variations lead to suboptimal oil production, higher wear and tear of pumps, and even rupturing of wells. What can a company do to avoid such a scenario?
A company can secure its critical control systems by administering a holistic patch-management program using a risk-based approach, rather than only following the scheduled or compliance-based approach.33 At a minimum, this would require inventorying the assets, doing a detailed vulnerability/severity assessment for each asset, and prioritizing and scheduling updates promptly for critical assets. Additionally, an upstream company can err on the side of replacing legacy devices following a simple cyber protocol with wholly new purpose-built hardware rather than retrofitting.34
By correlating threat feeds from external sources (for example, tracking cyber threat topics and modes on social media) with internal cyber data, a company can elevate its cyber vigilance by identifying and addressing threats early. It is essential for an O&G company to share, build, and monitor around key indicators of compromise from external sources, especially knowing that cyber-attacks on the industry’s SCADA systems have a long history, with many attacks reemerging in one form or the other—for instance, the second known Shamoon attack in Saudi Arabia in 2016 reused the Disttrack payload method used in Shamoon 1 in 2012.35
To contain damage rapidly, that is, to be resilient, a company can regularly practice responding through cyber wargaming and simulations. Staging simulations, especially with people involved in responding to incidents offshore or working in remote locations, creates better understanding of threats and improves cyber judgment at the lowest possible level.36
The upstream oil and gas industry is evolving fast, with automation, digitalization, and IoT technology rapidly integrating into its complex operational ecosystem. However, the industry’s march toward interconnectedness has outpaced its cyber maturity, making it a prime target for cyber-attacks. We believe that limited strategic appreciation and sponsorship at a boardroom level—rather than lack of technical know-how—explain the industry’s relatively low cyber maturity.
Getting sponsorship from top management requires framing the problem strategically and describing how cybersecurity enables the company’s three topmost operational imperatives: safety of assets, people, and environment; uninterrupted availability and reliability of assets; and creating new value from assets (see figure 6). The next step involves rallying everyone in the enterprise around a holistic cyber risk management program.
The current period of low oil prices has provided upstream companies—weary after years of chasing high growth—with the much-needed breathing space to focus on internal processes and systems. The industry has made a great beginning by focusing on efficiency; now it needs to close by safeguarding operations from cyber-attacks. We believe that cyber, like automation and digital oil fields, can quickly mature from a cost item to an essential investment.
We qualitatively mapped each upstream operation on the cyber vulnerability/severity matrix using a mix of primary interviews, extensive secondary research including a review of technical papers, recent surveys on the industry’s cyber preparedness, and study of recent cyber-attacks on a product and service portfolio of oilfield services, automation, and cyber service providers.
For ascertaining cyber vulnerability, we considered aspects such as: number of users, vendors, interfaces, and services involved in each operation; age and type of control systems (legacy, proprietary, open-ended, or close-ended), and working mechanism of software and control systems (default or query-based); mode and flow of information (physical, virtual, mixed); and the maturity of existing cybersecurity controls.
For ascertaining cyber severity, we looked at aspects such as: type of injury (fatal or nonfatal) and probability of a spill, leakage, and pollution; downtime cost; potential fines and penalties by regulators; damage to brand and reputation; and loss of field data and other competitive data.
i. An attack surface is the total sum of the vulnerabilities in a given computing device or network that are accessible to a hacker. An attack vector is a path or means by which a hacker can gain access to a computer or network server in order to deliver a payload or malicious outcome.