No doubt: digitization creates unimagined possibilities. What was unthinkable just a few years ago has long since become reality. The flip side of the coin is the threats and vulnerabilities that come with it. Every activity in the oil and gas sector is exposed to risks, including those arising from cyber security vulnerabilities. Adverse incidents, both intentional and unintentional, can affect individuals, businesses, and society as a whole.
Events in recent years show that the energy and oil sectors are among the most vulnerable sectors. As our technology evolves, the methods used by attackers are becoming increasingly innovative and sophisticated.
Digital vulnerabilities in Oil & Gas
Why are cyber attacks increasing in the oil and gas sector? Is this a historical fact?
Let us first take a look at the status quo: The industrial automation, control, and security systems used in the oil and gas sector are largely digitalized and dependent on digital technology. In the past, such systems were proprietary, whereas today they are largely based on commercially available components, such as a PC with a Microsoft Windows operating system. This means that the known weaknesses of these commercially available standard products also appear in this sector.
The same development can be seen in networks. The networks used between process equipment and control systems were isolated and proprietary in the past, but are now based on Internet technology. Industrial automation and control systems also used to be physically separated from traditional information systems and open networks. The need to transfer production data to information systems and to perform remote maintenance means that separation is virtually impossible. Increasingly, remote maintenance is performed from an onshore location or a neighboring platform, which can lead to the use of shared computer networks. This means that production equipment is exposed to network-related vulnerabilities.
Top 10 Cyber Security Vulnerabilities in the Oil and Gas industry
- Lack of cyber security awareness and no staff training
- Remote operation and maintenance
- Use of standard IT products with known vulnerabilities in the production environment
- A limited cyber security culture among vendors, suppliers, and contractors
- Insufficient separation of data networks
- Use of mobile devices and storage units including smartphones
- Data networks between onshore and offshore facilities
- Insufficient physical security of server rooms, cabinets, etc.
- Vulnerable software
- Obsolete control systems in plants
The consequences of unwanted incidents caused by cyber security vulnerabilities
Customers often ask me: What are the biggest cyber security vulnerabilities in the oil and gas sector? The answer is simple: It’s the human being!
Malicious code is usually spread through human error. An attachment in an e-mail is opened, memory sticks are inserted, mobile phones are charged, laptops are connected to critical networks, and so on. Mobile phones can also easily connect to the Internet. Users are tricked into revealing passwords, etc. Human error is considered the greatest digital vulnerability in this sector.
The consequences of unwanted incidents caused by cyber security vulnerabilities are primarily financial. Production must be shut down, and that means a loss of income for the sector. Society will experience a drop in direct and indirect taxes. Unwanted incidents will mean a loss of reputation for the company. If saboteurs and terrorist organizations manage to control vital production facilities, in the worst case, environmental destruction and fatalities may result.
Dependencies
To reduce the CO2 emissions caused by generating electricity at oil plants, power is often supplied from shore (electrification). Most of these plants have to shut down production in the event of an onshore power supply failure.
For a long time, there has been an increasing focus on digital vulnerabilities in power distribution systems. Such distribution systems are complex network structures that are highly dependent on management and control systems.
Emergency readiness
An unofficial, international survey of companies in the sector revealed that only 40% of companies have an Incident Response Plan / Business Continuity Plan in place that covers digital vulnerabilities and defines how to proceed in case of a cyber attack. The focus of crisis and emergency preparedness is on fires, explosions, outbreaks, etc.
Future problems and trends
At the time of writing this report, the price of oil is below USD 40 per barrel and future price developments are uncertain. This means that the sector will have to reduce its costs in order to maintain profitability. The fact that these cost-cutting measures may affect the continuous improvement of safety is a major challenge. The increased focus on cost-benefit assessments and new working methods are important elements for the future.
Digitization of the sector is continuing. The “Industrial Internet of Things” (IIoT) will lead to more units with cyber security vulnerabilities. The amount of data to be transported is increasing and standard IT equipment will increasingly be integrated into specialized control systems.
The risks to critical key functions, infrastructures, and information that must be protected for security reasons are increasing. Further, there is a higher risk that individuals will be affected by espionage, sabotage, terrorist acts and other serious acts.
Most important risk-reducing measures
So what can be done to protect oil and gas platforms from cyber attacks?
Barriers are introduced to reduce the risk: partly to prevent an undesirable event from occurring, partly to mitigate the consequences of an undesirable event that has occurred. There is an increasing focus on barriers that prevent an undesired event from happening. However, the quality of these barriers has been tested and verified only to a limited extent. It is not enough to simply rely on a firewall for protection. Additional barriers, including the opening and closing of access, procedures, and work processes, must also be established.
In most cases, there is not enough equipment or routines in place to detect that hackers are already carrying out activities against a system. In addition, there is a lack of rehearsed routines to prevent negative consequences when there is a suspicion that an adverse incident may occur.
What individual actors should implement to mitigate cyber security vulnerabilities
Regulatory authorities should adopt functional requirements demanding that barriers against digital vulnerabilities be put in place. Cyber security vulnerabilities must be included in the appropriate risk analysis.
Companies must create a culture of reducing digital vulnerabilities, just as there is a culture of preventing fires and explosions. Awareness-raising measures must be a priority both within the sector and with the public. Schools should focus more on how to use digital media.
Outlook
Yes, cyber security vulnerabilities can make you quite queasy. However, it is possible to use suitable barriers to prevent attackers from intruding into your systems. Have you already integrated all the necessary barriers? If not, please contact our cyber security team. We will be glad to help you.