Staying Alert

Managing cybersecurity risks in the oil and gas industry

The evolving information technology and operational technology systems have led to an increase in cybersecurity threats in the oil and gas industry. Managing cyber risks requires a mandate, funds, resources and accountability.

The oil and gas industry is embracing the industry 4.0 era, which has led to the increased use of digital tools and technologies, as the industry is looking to implement organisational and process integration. Industry 4.0 incorporates digital tools such as big data, industrial internet of things (IIoT), digital twin technology, wireless communication technologies, augmented reality and blockchain technology. Other technologies enabling the digital integration of the upstream oil and gas sector (both offshore and onshore) include machine learning, cloud computing and artificial intelligence. Oil and Gas 4.0 is applicable in seismic exploration, intelligent oilfields, intelligent completion, and research and decision-making platforms. The increased adoption of digital tools and technologies has increased cybersecurity risks owing to the lack of cybersecurity awareness and employee training, use of commercial-type information technology products with known vulnerabilities in the production environment, insufficient separation and segmentation of data networks, use of mobile devices and storage units such as smartphones, data networks between onshore and offshore facilities, insufficient physical security of data rooms, and use of vulnerable software and outdated and ageing control systems in facilities.

Cybersecurity challenges and malignant threats

Broadly, the global market for oil and gas cybersecurity can be split into physical security and network security – upstream, midstream and downstream. The market can also be bifurcated into the onshore and offshore groups depending upon the application. Some of the cybersecurity challenges in the upstream sector are breach of confidential information or data pertaining to drilling operations, planned projects, production-sharing contracts, block diagrams, tenders, field production information and drilling methodologies. Generally, the upstream segment of the industry is considered most prone to cyberattacks. Cyberthreats in the midstream oil and gas sector are mostly related to supply chain logistics, distribution networks, storage information, pipeline data, and pipeline and transportation information. Downstream, the major cybersecurity challenges pertain to refinery information, consumer data, end-user distribution, retail data, and industrial plants and manufacturing data.

Other malignant threats include infrastructure sabotage, which refers to the use of malware or malicious software for the manipulation and damage of information technology infrastructure, as well as the alteration of data and equipment operating parameters, all leading to the malfunction and/or damage and destruction of assets, systems, etc. Data leaks are another very important concern, not particular to the oil and gas industry. Data leaks are caused by the unsafe handling or storage of data through web or file servers, as well as through targeted hacking attacks. Data leaks are also caused by the use of external email communication through corporate or personal computer systems, whereby the unsafe storage or transmission of data becomes a risk; and by insider malicious cyber incidents, which comprise insider-led destruction or alteration of data, theft of intellectual property, and data leakage.

In addition, there can be attacks on webmail and corporate virtual private networks servers, which are achieved through domain name server (DNS) hijacking or targeted phishing attacks. DNS hijacking involves the modification of corporate domain name servers for the theft of corporate credentials, email communication interception, access to internal and virtual private networks, etc. Espionage and data theft involve intrusion into corporate IT systems for the theft of data and/or monitoring of financial transactions, corporate data processing, etc. Malware, which comprises adware or spams, trojans, spyware and viruses are used to gain access to information technology/ operational technology systems in order to remotely intervene, control or monitor processes and to access data.

Organisational and technical measures to ensure cybersecurity

Measures for the mitigation of insider cybersecurity threats include methods and tools used by the military and government sectors that could be replicated to the extent possible in order to tackle these threats in a proactive manner. Advancements in the performance and technological characteristics of unmanned platforms pose a significant threat that can cause electronic interference or even attacks against network-connected devices. Thus, countermeasures should be implemented to consider the special operational conditions of offshore oil and gas assets, and should not impede the safety of infrastructure, systems or personnel. These countermeasures can be electronic countermeasures or kinetic-type weapons that neutralise such airborne, surface or underwater threats, similar to the ones used by the military or government security agencies. Although the improvement of corporate and industry culture on the perception of cybersecurity is a difficult task, it can be achieved through the study of known cyberattacks in the industry, sharing of information on such attacks, increased communication between industry sectors and companies’ IT departments, and increased and continuous training of individuals on the subject.

Further, the industry requires monitoring of cybersecurity performance through the use of key corporate performance indicators, which are basically a set of quantifiable measurements that are used to gauge a company’s overall long-term performance. The abolition of universal serial bus devices from the available toolkit of the offshore oil and gas domain could be achieved through further integration of IIoT and wireless communication, with their enhanced security features. As the offshore oil and gas sector is considered critical for many national economies and it supports other critical infrastructure, it is of utmost importance to increase the funding and resources allocated to the sector in order to increase asset and organisational resilience. The lack of understanding of cybersecurity principles and the consequences for an organisation in case of an incident also pose a hurdle in the proactive and reactive mitigation of cybersecurity breach incidents.

Conclusion

Robust cybersecurity is an absolute necessity for safe, continuous and reliable operations, and can be a reality with the right solutions. It is necessary for the oil and gas industry to recognise that cybersecurity threats are persistent and evolve continuously with technological advancements. The industry needs to acknowledge and understand this threat, and the necessity of adopting organisational and technical measures to protect itself from cybersecurity attacks. In addition, the industry needs to dynamically evaluate and implement these measures in order to ensure that oil and gas companies and their assets are caught up with the advancements of their cyber adversaries. Also, in order to maximise the possibility of repelling cyberattacks and minimise the technical and corporate consequences of cyber breaches, especially for remote offshore assets, resiliency has to be built at the organisational, operational and technical levels of these companies. Alongside cybersecurity, physical security should not be neglected, as its failure or inadequacy could impede insider threat mitigation measures.