Protecting the connected barrels

Cybersecurity for upstream oil and gas

Andrew Slaughter

United States


So for O&G strategists, a question is how to make the most critical operations—seismic imaging in exploration, drilling in development, and well production in production and abandonment (as the above section explained)—secure, vigilant, and resilient. The next section describes three illustrative cyber incidents, one for each of the critical operations, to explain and highlight potential secure, vigilant, and resilient strategies. We assume companies already have standard IT solutions in place, so here we focus more on strategic solutions.

1. Exploration

Scenario: As an offshore seismic imaging project, using a network-attached storage and data management system, nears completion, malware enters through one of the network storage nodes and reaches high-performance computing systems. Although the malware does not impact operations, it steals the competitive seismic data for a field that is up for bidding. How can a company safeguard its digitization drive for seismic data?

Although petabytes of seismic data act as a natural barrier by overwhelming hackers, the growing trend of digitalization and storage of seismic data in the cloud requires securing the sub-surface data from industry spies. By substituting each sensitive seismic data element with a nonsensitive equivalent, called a token, and running applications on tokens instead of actual data, a company would offer would-be hackers nothing of value to exploit or steal. The core token generation or indexation system is isolated, and the system stores the actual seismic data in an encrypted format with strong access controls.[25]

As several business disciplines access seismic models throughout the field life cycle, and the models are constantly improved with new data from multiple repositories, an O&G company should be vigilant about potential data theft. By logging network traffic across disciplines and inspecting it against established baselines for the disciplines—to catch, for instance, a user downloading too much data or gaining access to data unusually frequently—a company can proactively monitor traffic associated with seismic data.[26]
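An added sketch of the per-discipline baseline check described above (not from the original article): it flags a user whose daily download volume or access count is far above the robust baseline of that user's own discipline. The record layout, discipline and user names, the median/MAD statistic, and the 3.5 threshold are assumptions chosen for illustration.

```python
from statistics import median

# Constructed user-day records, not real data: (discipline, GB downloaded, requests).
HISTORY = [
    ("geophysics", 400, 120), ("geophysics", 450, 130), ("geophysics", 380, 110),
    ("geophysics", 420, 125), ("geophysics", 410, 115),
    ("reservoir", 40, 30), ("reservoir", 35, 25), ("reservoir", 50, 35),
    ("reservoir", 45, 28), ("reservoir", 38, 32),
]
# Constructed records for the day under review: (user, discipline, GB, requests).
TODAY = [
    ("u-geo-1", "geophysics", 430, 118),  # ordinary for geophysics
    ("u-res-7", "reservoir", 420, 31),    # geophysics-sized pull by a reservoir user
    ("u-res-2", "reservoir", 42, 160),    # ordinary volume, unusually frequent access
    ("u-fin-3", "finance", 5, 2),         # discipline with no established baseline
]

def robust_baseline(values):
    """Return (median, scale) for one metric of one discipline."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    # 1.4826*MAD approximates a standard deviation; the floors stop a very
    # uniform history from turning tiny deviations into alerts.
    return med, max(1.4826 * mad, 0.05 * med, 1.0)

def build_baselines(history):
    """Group history by discipline and compute a baseline per metric."""
    grouped = {}
    for discipline, gb, requests in history:
        metrics = grouped.setdefault(discipline, {"gb": [], "requests": []})
        metrics["gb"].append(gb)
        metrics["requests"].append(requests)
    return {d: {m: robust_baseline(v) for m, v in ms.items()}
            for d, ms in grouped.items()}

def flag_anomalies(today, baselines, threshold=3.5):
    """Return (user, discipline, metric, score) for every excess over baseline."""
    alerts = []
    for user, discipline, gb, requests in today:
        base = baselines.get(discipline)
        if base is None:  # unknown discipline touching seismic data: surface it
            alerts.append((user, discipline, "no-baseline", None))
            continue
        for metric, value in (("gb", gb), ("requests", requests)):
            med, scale = base[metric]
            score = (value - med) / scale
            if score > threshold:  # one-sided: only unusually high use matters
                alerts.append((user, discipline, metric, round(score, 1)))
    return alerts

if __name__ == "__main__":
    for alert in flag_anomalies(TODAY, build_baselines(HISTORY)):
        print(alert)
```

The 420 GB pull is flagged only because it is measured against the reservoir baseline; the same volume from a geophysics user passes, which is why the baselines are kept per discipline rather than company-wide.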

Considering the substantial cost of seismic data acquisition, having a trusted backup of seismic data is essential to ensure that even if the actual data is compromised, the processing and interpretation of seismic data continue or remain resilient. With a shift toward digital storage and processing of seismic data using multiple storage nodes, a company’s backup workflow also needs to align with this framework. Rather than a monolithic solution that would require time to recover lost data, a cluster-based program that connects each node in the backup cluster to other storage nodes could allow faster data recovery in case of a breach.[27]

2. Development

Scenario: A rogue software program, hiding in a rig component’s system or appearing from a network loop, enters the drilling control system and begins governing essential drilling parameters. The result is angular deviation of the well, sudden fluid influx, and well integrity issues, leading to significant additional costs and putting both people and the environment at risk. How best to avoid or respond?

Considering the complex ecosystem of vendors and equipment in drilling, a company can secure its operations by pre-deploying (a.k.a. pre-testing) new systems, equipment, and software before they enter the mainstream system. An operator-governed pre-deployment station on a rig could identify existing malware early and confirm that systems adhere to minimum cyber standards.[28]

A company needs a holistic vigilant strategy, considering that securing every drilling asset is nearly impossible and additional security features may interfere with the availability of operations or slow down time-sensitive decision making. By running cyber scans on cloned SCADA and other specific systems rather than on actuals, and by searching for anomalies against a “baseline of normal” using both physics and nonphysics-based data, a company can detect a breach early before it reaches its target.[29]

Although creating air gaps or quarantining systems identified as infected is one of the most-used resilient strategies, developing a cross-discipline cyber playbook for stakeholders on a rig and onshore control centers could significantly reduce response time and reduce losses.[30] Response time is critical, especially offshore, as daily contract rates for rigs are as high as $500,000.[31] After being overrun by malware, for example, a rig en route from Korea to South America in 2010 had to be shut down for 19 days for engineers to restore its functionality.[32]

Risk mitigation strategies for cyber incidents on critical upstream operations

3. Production and abandonment

Scenario: A worm is deployed on an onshore industrial control system that can make changes to logics in programmable logic controllers and bypass the protective gearbox for motor pumps. The worm masks the condition of the gearbox in control rooms and changes the speed of the pumps randomly; these variations lead to suboptimal oil production, higher wear and tear of pumps, and even rupturing of wells. What can a company do to avoid such a scenario?

A company can secure its critical control systems by administering a holistic patch-management program using a risk-based approach, rather than only following the scheduled or compliance-based approach.[33] At a minimum, this would require inventorying the assets, doing a detailed vulnerability/severity assessment for each asset, and prioritizing and scheduling updates promptly for critical assets. Additionally, an upstream company can err on the side of replacing legacy devices following a simple cyber protocol with wholly new purpose-built hardware rather than retrofitting.[34]

By correlating threat feeds from external sources (for example, tracking cyber threat topics and modes on social media) with internal cyber data, a company can elevate its cyber vigilance by identifying and addressing threats early. It is essential for an O&G company to share, build, and monitor around key indicators of compromise from external sources, especially knowing that cyber-attacks on the industry’s SCADA systems have a long history, with many attacks reemerging in one form or the other—for instance, the second known Shamoon attack in Saudi Arabia in 2016 reused the Disttrack payload method used in Shamoon 1 in 2012.[35]

For rapidly containing the damage, or being resilient, a company can regularly practice responding through cyber wargaming and simulations. Staging simulations, especially with people involved in responding to incidents offshore or working in remote locations, creates better understanding of threats and improves cyber judgment at the lowest possible level.[36]


Boardroom buy-in: Presenting cyber as a business issue that enables safety, reliability, and value creation

The upstream oil and gas industry is fast evolving, whereby automation, digitalization, and IoT technology are rapidly integrating into the complex operational ecosystem. However, the industry’s march toward interconnectedness has outpaced its cyber maturity, making it a prime target for cyber-attacks. We believe that limited strategic appreciation and sponsorship at a boardroom level—rather than lack of technical know-how—explain the industry’s relatively low cyber maturity.

Getting sponsorship from top management requires framing the problem strategically and describing how cybersecurity enables the company’s three topmost operational imperatives: safety of assets, people, and environment; an uninterrupted availability and reliability of assets; and creating new value from assets (see figure 6). The next step involves rallying everyone in the enterprise around a holistic cyber risk management program.

Cybersecurity enables safety, reliability, and value creation

The current period of low oil prices has provided upstream companies—weary after years of chasing high growth—with the much-needed breathing space to focus on internal processes and systems. The industry has made a great beginning by focusing on efficiency; now it needs to close by safeguarding operations from cyber-attacks. We believe that cyber, like automation and digital oil fields, can quickly mature from a cost item to an essential investment.

Appendix: Research methodology

We qualitatively mapped each upstream operation on the cyber vulnerability/severity matrix using a mix of primary interviews, extensive secondary research including a review of technical papers, recent surveys on the industry’s cyber preparedness, and study of recent cyber-attacks on a product and service portfolio of oilfield services, automation, and cyber service providers.

For ascertaining cyber vulnerability, we considered aspects such as: number of users, vendors, interfaces, and services involved in each operation; age and type of control systems (legacy, proprietary, open-ended, or close-ended), and working mechanism of software and control systems (default or query-based); mode and flow of information (physical, virtual, mixed); and the maturity of existing cybersecurity controls.

For ascertaining cyber severity, we looked at aspects such as: type of injury (fatal or nonfatal) and probability of a spill, leakage, and pollution; downtime cost; potential fines and penalties by regulators; damage to brand and reputation; and loss of field data and other competitive data.

i.  An attack surface is the total sum of the vulnerabilities in a given computing device or network that are accessible to a hacker. An attack vector is a path or means by which a hacker can gain access to a computer or network server in order to deliver a payload or malicious outcome.

BY

Anshu Mittal

India

Andrew Slaughter

United States

Endnotes

    1. Paul Zonneveld and Andrew Slaughter, An integrated approach to combat cyber risk: Securing industrial operations in oil and gas, Deloitte, May 2017, https://www2.deloitte.com/us/en/pages/energy-and-resources/articles/integrated-approach-combat-cyber-risk-energy.html.

    2. Ibid.

    3. ICS-CERT, Monitor Newsletters, January to December 2016, https://ics-cert.us-cert.gov/#monitornewsletters; Ponemon Institute, “The state of cybersecurity in the oil & gas industry: United States,” February 2017, http://news.usa.siemens.biz/sites/siemensusa.newshq.businesswire.com/files/press_release/additional/Cyber_readiness_in_Oil__Gas_Final_4.pdf.

    4. Company websites; based on a scan of the latest annual filings of top 25 O&G companies worldwide.

    5. FireEye, “Cyber threats to the Nordic region,” May 2015, www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-nordic-threat-landscape.pdf.

    6. US Department of Homeland Security, “NCCIC/ICS-CER—2015 year in review,” https://ics-cert.us-cert.gov/sites/default/files/annual_reports/year_in_review_fy2015_final_s508c.pdf.

    7. Jim Finkle, “Shamoon virus returns in new Saudi attacks after 4-year hiatus,” Reuters, November 30, 2016, www.reuters.com/article/cyber-saudi-shamoon-idUSL1N1DW05H.

    8. Ponemon Institute, “2016 cost of cyber crime study & the risk of business innovation,” October 2016, www.ponemon.org/local/upload/file/2016%20HPE%20CCC%20GLOBAL%20REPORT%20FINAL%203.pdf.

    9. Doug Black, “ExxonMobil, NCSA, Cray Scale reservoir simulation to 700,000+ processors,” EnterpriseTech, February 17, 2017, www.enterprisetech.com/2017/02/17/exxonmobil-ncsa-cray-scale-reservoir-simulation-700000-processors/.

    10. GlobalData, “Oil & gas database,” https://energy.globaldata.com/research-areas/oil-and-gas, accessed on April 15, 2017.

    11. Economist, “Oil struggles to enter the digital age,” April 6, 2017, www.economist.com/news/business/21720338-talk-digital-oil-rig-may-be-bit-premature-oil-struggles-enter-digital-age.

    12. Spears & Associates, “Oilfield market report,” April 1, 2016.

    13. McAfee, “Global energy cyberattacks: Night Dragon,” February 10, 2011, www.mcafee.com/hk/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf.

    14. Intel, “Intel Enterprise Edition for Lustre strengthens oil and gas exploration,” 2015, www.intel.com/content/dam/www/public/us/en/documents/case-studies/intel-enterprise-edition-for-lustre-strengthens-oil-and-gas-exploration.pdf.

    15. Andrew Slaughter, Gregory Bean, and Anshu Mittal, Connected barrels: Transforming oil and gas strategies with the Internet of Things, Deloitte University Press, August 14, 2015, /content/www/globalblueprint/en/insights/focus/internet-of-things/iot-in-oil-and-gas-industry.html.

    16. Linda Hsieh, “Industry recognizing need for better cyber defenses as hackers become more sophisticated and drilling equipment becomes more interconnected,” Drilling Contractor, September 8, 2015, www.drillingcontractor.org/drilling-cybersecurity-36727.

    17. Ibid.

    18. Jordan Blum, “Fewer jobs in oil patch as automation picks up,” Houston Chronicle, December 21, 2016, www.houstonchronicle.com/business/energy/article/Fewer-jobs-in-oil-patch-as-automation-picks-up-10812124.php.

    19. Sonja Swanbeck, “Coast Guard commandant addresses cybersecurity vulnerabilities on offshore oil rigs,” CSIS, June 22, 2015, www.csis-tech.org/blog/2015/6/22/coastguard-commandant-addresses-cybersecurity-vulnerabilities-in-offshore-oil-rigs.

    20. Trent Jacobs, “Schlumberger: New automated hydraulic fracturing tech trims time and workforce requirements,” Journal of Petroleum Technology, April 6, 2017, www.spe.org/en/jpt/jpt-article-detail/?art=2892.

    21. GlobalData, “Oil & gas database”; Tim Heidar, “Digital trenches: On the front lines of the cyber war,” Fox-IT, October 14, 2016, www.fox-it.com/en/about-fox-it/corporate/news/65-oil-gas-companies-unprepared-major-cyberattack/.

    22. Annual filings of large international oil companies, 2016.

    23. SC Media UK, “Black Hat Amsterdam: Oil & gas cyber-vulnerabilities,” November 12, 2015, www.scmagazineuk.com/black-hat-amsterdam-oil-gas-cyber-vulnerabilities/article/535118/.

    24. Irfan Saif, Sean Peasley, and Arun Perinkolam, “Safeguarding the Internet of Things: Being secure, vigilant, and resilient in the connected age,” Deloitte Review 17, July 27, 2015, /content/www/globalblueprint/en/insights/deloitte-review/issue-17/internet-of-things-data-security-and-privacy.html.

    25. Linda Musthaler, “Are you overlooking tokenization as a data security measure?”, Network World, November 6, 2015, www.networkworld.com/article/3002307/security/are-you-overlooking-tokenization-as-a-data-security-measure.html.

    26. John Kindervag with Stephanie Balaouras, Kelley Mak, and Josh Blackborow, “No more chewy centers: The zero trust model of information security,” Forrester, March 23, 2016, www.forrester.com/report/No+More+Chewy+Centers+The+Zero+Trust+Model+Of+Information+Security/-/E-RES56682.

    27. Hari Mankude, “Big Data needs a new backup architecture—part 1,” Talena, August 18, 2015, https://talena-inc.com/blog/big-data-needs-a-new-backup-architecture.

    28. Hsieh, “Industry recognizing need for better cyber defenses as hackers become more sophisticated and drilling equipment becomes more interconnected.”

    29. Ibid.

    30. Deloitte, Changing the game on cyber risk: The path to becoming a more secure, vigilant, and resilient organization, 2017, https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Risk/gx-gra-Changingthegameoncyberrisk.pdf.

    31. IHS Markit, “IHS petrodata offshore rig day rate trends,” April 2017, www.ihs.com/ja/products/oil-gas-drilling-rigs-offshore-day-rates.html.

    32. Jeremy Wagstaff, “All at sea: Global shipping fleet exposed to hacking threat,” Reuters, April 23, 2014, www.reuters.com/article/tech-cybersecurity-shipping-idUSL3N0N402020140423.

    33. Deloitte, Changing the game on cyber risk.

    34. Saif, Peasley, and Perinkolam, “Safeguarding the Internet of Things.”

    35. Robert Falcone, “Second wave of Shamoon 2 attacks identified,” Palo Alto Networks, January 9, 2017, http://researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-attacks-identified/.

    36. Deloitte, Changing the game on cyber risk.

Acknowledgments

The authors would like to thank executives from Siemens AG and Honeywell International Inc. for sharing their valuable insights.

Special thanks to John England (vice chairman and US Energy & Resources industry leader, Deloitte LLP), Vivek Bansal (senior analyst, Deloitte Support Services India Pvt. Ltd.), Kartikay Sharma (senior analyst, Deloitte Support Services India Pvt. Ltd.), Kevin Urbanowicz (senior manager, Deloitte & Touche LLP), Matthew Budman (manager, Deloitte Services LP), and Alok Nookraj Pepakayala (senior analyst, Deloitte Support Services India Pvt. Ltd.) for their contributions in research, analysis, review, and design.