Digitalisation is rapidly gaining steam in the oil and gas industry, and so it must, especially in the prevailing period, when the upstream segment is coming to terms with new realities.
But while digitalising operations and adopting information communications technology (ICT) concepts like Cloud computing, the Industrial Internet of Things (IIoT), and automation have helped oil and gas players to strive towards achieving operational excellence, it has also left critical networks and digital infrastructure susceptible to cyber security threats.
Regional oil and gas companies have fallen prey to numerous cyber attacks in the past, and the cyber-security risk continues to loom over the industry, putting assets, workforce, and operational networks at peril.
The oil and gas industry, particularly in the region, has long been perceived to be slow – and even hesitant – to embrace technology (and statistics cement this perception). The attitude towards cyber security is now changing, however, although perhaps not as quickly and comprehensively as it needs to, if the results of a survey by Accenture are anything to go by.
Lacking enterprise-wide cyber-analytics technology to monitor for cyber attacks, most oil and gas companies are not fully aware of when – or even how – cyber attacks might affect them, the research suggests. A majority (74%) of the 186 oil and gas company leaders surveyed in Accenture’s High Performance Security Report 2016, which included oil and gas leaders from the UAE, said their organisation is confident that cyber-security measures will yield valuable results. Indeed, more than three-quarters believe their top strategies are now able to protect their companies’ reputations and information, and prevent service disruption.
However, this is at odds with 60% of energy leaders who said cyber security is a bit of a “black box”, as they don’t quite understand the timing or impact of cyber attacks. When asked about basic requirements to keep their company secure, energy leaders were less confident than their counterparts in other industries in their ability to measure the impact of breaches (40% compared to 47% for the cross-industry average), and to know their frequency (28% compared to 41%).
“The industry’s record of adopting new industrial security technologies is mixed. The industry’s challenge to secure assets that are often remote and over a large footprint has led companies to find new technologies to work smarter, explore more efficiently, optimise production, and reduce downtime. The phenomenon of digitalisation has accelerated that pace,” says Leo Simonovich, director of global cyber strategy and product development at Siemens.
“That is all good. But security has not kept pace with digitalisation. The industry has, in some cases, ignored the first line of defence measures, like cyber asset management and incident response. The defence-in-depth concept is critical here. That is, taking a risk-based approach to prioritise what’s important, identifying the weakest links, and applying prioritised security measures that have a proven return on investment,” he continues.
The much-discussed attack by the Stuxnet virus on an industrial controller in 2010 firmly established the fact that industrial systems are vulnerable and are gullible targets for cyber attacks. In the last five to 10 years, the risk of cyber attacks on industrial systems has risen significantly due to increasing digitalisation. In addition to endangering information security, these attacks increasingly pose a direct threat to system safety.
Oil and gas company leaders, surveyed by Accenture, reported an average of 96 cyber attacks over 12 months, with one in three resulting in a breach that was discovered only 62% of the time by firms’ security teams. Even then, detection took months for 51% of companies and weeks for 25%. The rest of the time, other employees and law enforcement officials most often discovered the breaches.
Oil and gas companies don’t have far to look to identify the sources of most cyber attacks. Company leaders told Accenture that breaches are mostly from malicious company insiders (43%) or staff that accidentally published information (23%). Hackers accounted for 21% of attacks.
“System operators must be aware of the potential risks and actively address them. This can be done by means of various systems and measures to increase cyber security. Unlike functional safety systems, which are mainly intended to protect people, these systems and measures protect technical information systems against intentional or unintentional manipulation and attacks intended to disrupt production processes or steal industrial secrets,” says a statement sent to Oil & Gas Middle East by Germany-based HIMA Group, a systems provider for safety-critical applications.
“Due to [these] conditions, safety and security have become closely meshed topics. Cyber security plays a key role, particularly for safety-oriented systems such as those in the process industry, because it forms the last line of defence against a potential catastrophe,” the statement continues.
(article continues on next page…)
Strengthening cyber defence
Safety and security are closely related aspects of process systems, which must be considered separately and then combined. Standardised hardware and software in process control systems require regular updates to remedy weaknesses in the software and the operating system.
However, the complexity of the software architecture makes it difficult – or impossible – to analytically assess the risks that could arise from a system update. For instance, updates to the process control system could affect the functions of the safety system integrated into the control system.
To avoid critical errors with unforeseeable consequences in safety-relevant processes as a result of control system updates, the process control system must be technologically separate from the safety system. This is the only way to ensure that control system updates do not impair functional safety, according to experts at HIMA.
“For effective cyber security, it is not sufficient to upgrade an existing product by retrofitting additional software functionality. Every solution for functional safety must be conceived and developed with cyber security in mind, right from the start. This applies equally to the firmware and the application software,” HIMA says.
“Due to the complexity and diversity of systems found in incident command systems (operational technology, or OT), there are several positive developments in cyber security. Most OT operators understand operational risks and, ever since the Shamoon Campaign targeting Saudi Aramco, cyber attacks are now part of that risk calculation,” says Dr Jamie Graves, CEO of UK-based cyber-security firm ZoneFox.
“In fact, because a failure of safeguards – physical or cyber – could result in injury, death, and huge liability, progress in securing OT systems is rapid. The protagonists of attacks are often nation-state actors. Although casual attacks do happen, rarely do cyber criminals understand the OT environment and its strange protocols such as ModBus and DNP3. Typically, OT systems involved are monitored by using a network tap and analysing the data in near real-time. What OT systems are primarily concerned with is anomalous behaviour – the detection of activity that may indicate a security event,” Graves explains.
A noteworthy common feature of the process industry standard, and the cyber-security standard, is that both require separation of the safety system (SIS) and the basic process control system (BPCS). Along with being a basic prerequisite for the effective protection of process systems, this independence of safety systems is a good idea from practical and economic perspectives, for example, because the SIS and BPCS have very different life cycles and rates of change. System operators are thus free to choose from a range of solutions from different manufacturers to safeguard their network infrastructures.
“A proprietary operating system specifically designed for safety-oriented applications runs on HIMA’s autonomous safety controllers. It includes all functions of a safety PLC (programmable logic controller) and excludes all other functions. It is therefore immune to typical attacks on IT systems. The operating systems of the controllers are tested for resistance to cyber attacks during the development process,” HIMA says of its cyber defence capabilities.
“In HIMA’s controllers, the central processing unit (CPU) and the communication processor are separate, ensuring high operational security even in the event of an attack on the communication processor. The controllers allow several physically separate networks to be operated on a single communication processor or processor module. This effectively prevents direct access to an automation network from a connected development workstation. In addition, unused interfaces can be individually disabled,” the company adds.
(article continues on next page…)
For Siemens, meanwhile, the fact that it works across many different industries allows it to “transfer knowledge and built solutions that are best-in-class”, Simonovich says. While securing a power plant is certainly very different from securing a manufacturing facility, he continues, there are certain best practices that are applicable to any industry, such as “coming up with secure zones, segmenting networks and, in those high-criticality zones, allowing only specific kinds of connectivity”.
“It is not enough to design a secure network and then leave it alone, assuming it will remain secure,” he adds. “The networks must be maintained and regularly refreshed, as attackers change their tactics and new technology gets added. The best way to maintain the network security posture is to have visibility into the network, with dedicated monitoring and anomaly detection across the asset fleet.”
On the subject of cyber defence, Graves talks about a methodology to combat threats to oil and gas networks. “The critical challenge for IT in OT systems is ensuring segmentation of the two environments and guarding the systems that bridge the ‘air gap’ architecture. The ‘air gap’ approach is the preferred method of preventing common Trojan malware from making its way into the OT environment. Enforcing policies on USB drive use – which is how Stuxnet was introduced into the OT environment in Iran – becomes critical to defending OT systems. Protecting IT systems from penetration is vital in protecting these environments.”
He continues: “The progress on security products and the introduction of secure OT protocols has been fast. However, the life cycle of these systems can be 10, 20, or even more than 30 years. They are designed to industrial standards, and are designed to last. To my mind, ‘hand-me-down’ technology may be responsible for the level of OT risk exposure in Africa and Malaysia. Due to the more politically charged atmosphere of the Middle East, and the well-established oil economies, investment in secure systems is in the national interest of countries in the region.”
However, with the current industry climate taking its toll on the major NOCs of the region and forcing them to considerably reduce capital expenditure, has the need to invest in boosting their IT network security slipped down their list of priorities for the time being? Simonovich doesn’t believe so.
“NOCs understand that the cyber risk to their industrial control systems is growing. That’s why one area where budgets in the industry have not stayed flat – or have even risen – is around cyber security. That means we don’t have to convince our customers that cyber security is an important issue. They understand the imperative. They just need to understand what is mission critical,” he says.
In fact, he asserts that “GCC companies are leading the way in digitalisation”. “They have put it at the forefront of their competitiveness,” he states.
“In this region, more than in others, security is of paramount concern, given the recent spate of attacks against the operational technology environment. Our customers realise that connectivity, digitalisation, security intelligence, and security insights go hand-in-hand,” he explains.
“By connecting, you know what is on your network, you can closely monitor [it] and, as a result, you can be faster when it comes to detecting and responding to threats.”
