The hidden risks of oil and gas digitisation
Rising costs of exploration and production, along with increased competitive intensity and regulatory pressures, have been steadily driving the oil and gas industry towards digitisation. As the use of smart sensors and Industrial Internet of Things (IIOT) technologies becomes widespread, new system susceptibilities can expose organisations to levels of risk they may not be prepared for.
While the transition to the digital oilfield is inevitable, cyber breaches don’t have to be. Awareness of a few key vulnerabilities can save oil and gas companies from major brand damage and profit loss, without sacrificing the significant benefits that come from digital adoption.
The foundation of the digital oilfield lies in how devices communicate. In contrast to closed protocols, which effectively build walls around programs, open protocols are designed with cross-device interaction in mind. Applications built on top of open protocols make use of the protocol’s common language to talk to each other and exchange data.
The flipside to the major benefits afforded by open protocols are the security risks. The same networks that allow devices to integrate so effectively with each other and with back-office systems can be an undefended backdoor to vital company information.
Other angles of attack
In addition to potential weak spots in inter-system exchanges, there are a host of other areas that parties with malicious intent could potentially exploit.
As more employees work remotely for convenience or safety, opportunities open for data to be compromised through negligence or infiltration. It’s likely easier to hack an individual employee’s computer and gain access to corporate material remotely than to directly attack a company’s more heavily-guarded servers.
Poorly-made or outdated IT products can be another weak link that leads to a breach. Organisations that use software with known weaknesses as a cost-cutting measure do so at the risk of creating a vulnerability that could eventually undermine their entire control system.
Motives for unauthorised information access can be tactical, such as corporate espionage; financial, such as ransomware or payment system intrusion; or plain destructive, in the case of a disgruntled employee or at worst, a skilled hacker with terrorist motivations.
Companies should be aware of all these possibilities and prepare for the worst.
Risks becoming reality
In the 2017-2018 edition of the Global Information Security Survey, analysts at Ernst & Young surveyed 40 participants from the oil and gas sector about their security concerns. The results indicated that 60 per cent had experienced a “recent significant cyber security incident,” up from 41 per cent in 2016.
Despite the ubiquity of cyber incidents in the industry, a mere 17 per cent of respondents reported feeling assured that their organisation would be able to detect a sophisticated cyber attack. Meanwhile, worries about their overall cyber defenses not meeting company needs was near-unanimous at 95 per cent of those surveyed.
“Our latest Oil and Gas Global Information Security Survey findings indicate that cyber-physical risks are not currently being effectively identified, tracked or monitored across the sector, leaving organisations increasingly exposed,” Jeff Williams, Global Oil and Gas Advisory Leader, Ernst & Young, said.
These findings are echoed by Accenture’s 2016 global report on cyber security, where 186 oil and gas executives reported an average of 96 cyber attacks per company over 12 months. Of these attacks, one-third resulted in a breach, which internal security teams detected only 62 per cent of the time — the remaining 38 per cent were discovered most often by employees in other departments or by law enforcement officials.
The ultimate cause for many breaches comes down to a lack of preparedness. Cyber security threats evolve constantly — oil and gas companies have to evolve with them.
Wade Elofson has worked intimately with Australian oil and gas companies through years of turmoil and growth in the industry. As the founder of Powered, a business development company with close ties to the upstream sector, he’s witnessed digital adoption accelerate while cyber security remains stagnant.
“New innovations in IIOT and operational technology are fantastic, but it’s critical to understand the new threats they bring,” Mr Elofson said.
“The oil and gas industry’s use of these technologies is expanding far faster than the security upgrades that should go along with them, and unfortunately, it’s still common to see organisations waiting for an accident to happen before making changes.
“That kind of reactive strategy isn’t going to cut it when the stakes are this big.”
Mr Elofson recommends instilling a cyber security culture through improved training and an emphasis on the potential severity of cyber attacks. In addition, layered security can compartmentalise data enough to prevent one breach from compromising the whole system, while still preserving open communication between facilities and systems.
At the very least, Mr Elofson said it pays to invest in quality security software and infrastructure.
“Older systems are no match for the abundance of threats that have emerged in recent years, or new ones on the horizon.”
For more information, please contact firstname.lastname@example.org or call Wade Elofson on +61 474 128 517.