Over the past few years, the oil and gas industry has witnessed a proliferation of information technology (IT) and operational technology (OT) devices and systems. The Oil and Natural Gas Corporation (ONGC) has also set foot in the digital space with the adoption of the automated industrial control system SCADA. However, with greater digitalisation, the threat of cyberattacks has become more evident. Issues such as patch management and constant upgradation of existing systems with evolving technologies have created further complexities. To this end, steps such as intrusion mock drills for accurate data handling, setting inbuilt authentication protocols using digital signatures and creating firewalls against third-party attacks have become vital.
ONGC implemented the biggest SCADA system in 2008 by incorporating 247 onshore production facilities, 11 offshore processing complexes, 157 offshore wellhead platforms, 74 drilling rigs and about 7,000 wells. These assets are linked to 250 ONGC offices for local, regional and mobile control. The state-of-the-art system, which is a three-tier solution, provides information on a real-time basis to field personnel, control room operators and senior management. Through the first-tier architecture, field operators monitor and analyse the performance of production facilities, while the second-tier infrastructure enables the collection of data from the SCADA system installed at production facilities (in tier 1) and transfers it to about 13 assigned control centres via satellite communication and servers. Integrated data collected at tier 2 is then transferred to the tier-3 architecture. As part of tier 3, hardware and software have been deployed at two ONGC headquarters to enable rapid decision-making based on accurate field information. In all, the performance of the assets is monitored from about 179 control rooms and 75 mobile control centres. This complex architecture comprises 143 fieldbus (communication protocol) compliant regional terminal units (RTUs) and 97 remote RTUs. Further, about 58,979 different pieces of equipment have been installed with around 9,885 instrument loops. SAP and EPINET have been deployed at 13 control centres for the integration of real-time and historical data. The contract for this automated instrumentation system was awarded to ABB, while equipment was sourced from about 16 equipment manufacturers.
Despite the implementation of industrial control systems across the organisation, ONGC faces several challenges. The convergence of IT and OT is the key amongst them, as integrating legacy systems with upcoming and rapidly evolving technologies at times becomes infeasible. There is a lack of an open architecture system, and the skill set and expertise required to integrate the rapidly changing technologies are also absent. Most industries are undergoing a transformation from Industry 3.0 to Industry 4.0; however, this trend is difficult to replicate across small industries due to inadequate return on investment.
Apart from the issues inherent to IT and OT implementation, the external challenge of cyberattacks is even more critical. As there are innumerable entry points in an IT system, it becomes relatively easier for ransomware or malware to sneak in. As a result, managing patches and upgrades is a major challenge and, for any industry, building a hack-proof system is easier than upgrading to the constantly evolving technology. Besides, attacks originating not only from the internal IT architecture but also from third-party suppliers are quite common. Weak supply chain networks lack the defences or security measures required to eliminate attack surfaces or vectors. To overcome this, ONGC plans to deploy a silicon root of trust wherein digital signatures of all drivers will be embedded on the motherboard. With the assigning of attribution, the issue of misdirecting the authentication protocol will be eliminated.
The implementation of IT and OT systems is vital for the oil and gas industry to optimise operations. However, given the various challenges that digital technology poses, the right measures need to be put in place. For instance, the formulation of dynamic policies with the provision of making amendments as and when required, the identification of the need to set up critical infrastructure, and a clear definition of the data handling process are some of the key steps. Ownership of data also has to be entrusted, and the same needs to be continuously evaluated to understand any deviation in the protocols. For accurate data handling, intrusion mock drills and other necessary performance auditing measures can be taken. Standardised ratings by the Petroleum and Explosives Safety Organisation, and unambiguous guidelines or standard operating procedures, are essential too. Lastly, specialists with sound analytical capabilities need to be hired for generating key insights from the humongous amount of data generated.