Eric Knapp, Honeywell Process Solutions, USA, examines cyber security in the digital oilfield and how it can be used to combat threats to information security.
Safe and reliable energy supplies supporting global prosperity have always been a top priority of the oil and gas industry. Leading petroleum producers are committed to preventing and mitigating security threats jeopardising their production operations, including risks to both offshore and onshore infrastructure, assets, personnel, and the environment.
The business of oil and gas production and distribution relies heavily on modern industrial automation and control systems (IACS), digital communications and information management systems, which represent widely available points of access for potential cyber attacks.
In today’s oil and gas field, diverse stakeholders are making business decisions in an interconnected landscape of risks and rewards. Success demands balancing the vast array of new regulations, advanced technology, and emerging threats and opportunities that are present in this sector.
Petroleum producers face a shrinking talent pool for those with specialised expertise. Most individuals who have institutional and technological ‘know how’ about their organisation’s specific operations and operational risks are looking towards retirement. As cyber security curricula are introduced into schools, younger employees are more likely to understand the emerging cyber security threats. However, without the necessary context of operational experience, these new skills are of limited use. This dynamic creates a dangerous knowledge gap that can make effective industrial cyber security a challenge during a time when the need for effective security is stronger than ever.
Historically, oil and gas has been a capital-intensive business, but it is fast becoming more information-intensive, with data spanning numerous systems and locations. This evolution includes the growing adoption of technology for ‘smart fields’ (or digital oilfields). Production companies are dealing with rapid growth in the amount and types of data their assets generate, yet they risk being less competitive if they do not make this data work for them.
In this environment, oil and gas companies must find ways to protect critical IACS infrastructure and information assets from hackers and cyber terrorists (or even disgruntled employees) who wish to disrupt operations or cause damage. They also have the weighty task of assessing the security of a wide range of third-party vendors.
Risks to oilfield operators
The oil and gas cycle from initial field exploration through production, transport and distribution is highly complex, with countless potential weak links that are subject to security breakdowns. Significant advancement and development of high-volume and high-value oil sands, liquefied natural gas (LNG) and offshore operations present unique security challenges.
Onshore and offshore production fields may be far from population centres in many cases, but distance does not minimise the risks to information security. Various networks and devices have found their way onto rigs and remote installations. Innovations in production technology are also allowing drilling at greater depths and farther distances, but these advancements often come with unanticipated open backdoors.
Critical network segments at oil and gas production sites were once kept isolated, but the trend towards remote operations, remote maintenance, and centralised process data and plant information systems has made this approach impractical. New integrated and networked solutions provide an ever-larger target for cyber threats.
Almost all aspects of petroleum operations are impacted to one degree or another by information technology (IT) systems, and these assets are vulnerable to cyber attacks – a fact known within the industry and beyond. Potential information security issues include state or industrial espionage, employee error or accidental loss of sensitive data, and vulnerabilities resulting from insecure code.
An IDC Energy Insights study found oil and gas companies still lag behind other industries in formulating, approving, and executing information security policies, as well as getting buy-in from senior management. More than 31% of US respondents stated information security was a top IT initiative at their company, but only 12% of those surveyed were actually making investments to improve their security capabilities and mitigate risk.
Threats to digital communications
When it comes to asset protection and the security of digital communication from the oilfield, a single event can result in significant safety, operational and financial consequences. Petroleum operations are exposed to growing cyber threats from organised cybercrime, foreign intelligence services, and terrorist organisations. In countries where critical infrastructure is owned and operated by private companies, these firms are especially vulnerable to determined attacks that may ruin or seriously disrupt company operations.
Asset protection and information security are an increasing focus in petroleum operations.
The reliability of today’s oil and gas fields is made possible by the extensive use of supervisory control and data acquisition (SCADA), distributed control systems (DCS), and other systems enabling automated control of production and distribution. These systems integrate a variety of electronic devices and networks to help monitor and control energy flows in the energy infrastructure.
However, the ability of modern industrial control systems to seamlessly interoperate and communicate with physically dispersed devices and information systems can also expose the enterprise to malicious cyber attacks. A successful attack could compromise the control performance and reliability of producing fields, as well as disrupt energy networks and the downstream entities that depend on them.
Cyber attacks against the oil and gas sector come in a variety of forms: some target data, while others attack operations and control. Data that can be extracted from a process network is extremely useful and valuable in the right (or rather the wrong) hands, with confidential information about upstream, midstream and downstream facilities potentially sold on the black market. Also, interruption of the flow of this information through malicious attack could cause a loss of view to operation consoles or even suppress alarms. The manipulation of this data could cause a variety of disruptions that could range from a minor nuisance to a catastrophic event. The information that is continuously generated by sensors through automated systems is vital for smooth operations, and when that information is suppressed or altered it can be devastating.
Strategy to protect information
Every oil and gas company is a target for hacking, and only so much can be done to prevent this threat. Regardless, firms must make the utmost effort to minimise the likelihood and impact. One strategy is to take a holistic view of the entire plant and consider a comprehensive and integrated approach to security and safety. But where should this assessment start?
First, oil and gas companies should carefully examine their security posture. Where could a cyber attack come from? What could be compromised? What would happen if an attack succeeded? Are control personnel equipped to manage cyber security and system requirements?
Some of the key security-related initiatives for oil and gas firms include:
Develop internal programmes to increase cyber awareness across the enterprise to ensure all employees assume an active role in making security part of every action they take.
Implement strategies to manage cyber security budgeting – both in times of growth and consolidation.
Integrate increasingly automated SCADA and DCS controls with appropriate cyber security countermeasures.
Employ cyber security risk analysis and management strategies to enable a proactive security approach that can minimise the likelihood of an incident, and facilitate response and recovery efforts when there is an incident.
While the protection of process and automation systems can be more challenging than that of traditional IT systems, petroleum organisations have a greater obligation to overcome these challenges because the potential consequences are simply too high to ignore. This protection requires greater network separation, stronger authentication and access controls, more restrictive handling of portable files and media, increased group policy enforcement, and much stricter cyber incident containment, security management, change control, configuration and maintenance.
Programme for cyber security
Oil and gas producers can mitigate their information security risks by implementing an overall cyber security programme for both the corporate and plant enterprise. It should combine all aspects of managing security, ranging from the definition and communication of policies through implementation of best industry practices, and ongoing operation and auditing. The programme’s framework will include technology (hardware and software), process (policies and procedures) and people (training and awareness).
Since industrial cyber security requires specific expertise and knowledge of both cyber security and IACS, resources can be difficult to obtain. One of the greatest obstacles to effective cyber security remains the scarcity of qualified specialists. Approaching industrial cyber security with insufficient knowledge is a compromise that could cause more harm than good.
Managed service providers can take the uncertainty, complication and effort out of industrial cyber security.
The most critical step in any cyber security programme is the first step. Once a plan is put into action, the most important step is the next step – realising that cyber security is a cyclical process and not a single effort, and continuing to move forward. Continuing to learn, adapt and react to the never-ending cyber threat requires an end-to-end solution that includes evaluating cyber vulnerability and risk, then progresses to recommending appropriate changes, developing the best architecture design for specific requirements, implementing the design, and overseeing continuous management of the IACS environment. Once complete, it also involves continuously re-assessing, re-evaluating, and above all remaining diligent.
Detailed roadmap to assess risks
For oil and gas companies, it is important to establish a roadmap to diminish or eliminate revealed areas of risk. A comprehensive cyber security assessment can uncover passive attacks, identify vulnerabilities such as unauthorised access and other non-compliance issues, identify and evaluate the current security posture, and prioritise efforts to reduce risks. Recurring assessments allow cyber security teams to track their milestones and the maturity of their security programme over time to indicate progress toward achieving their desired assurance level.
Periodic audits to identify trends
Petroleum firms should also undertake independent audits to assess the adequacy of system controls, determine compliance with established policies and operational procedures, and recommend necessary changes. Periodic auditing offers a view of trends and is intended to identify performance against predefined metrics.
Secure architecture to improve reliability
Oil and gas companies need a secure architecture approach serving as a long-term baseline for control system availability, reliability and safety. Plant management should understand the benefits and pitfalls of various cyber security architectures and recognise the advantages and disadvantages of each topology based on proper segmentation of security zones and conduits. Strong walls are more effective when built upon a strong foundation.
Proper deployment of network security
Network security is often the first line of defence against a cyber threat. An effective approach will employ cyber security countermeasures such as firewalls, threat detection, and security analytics, and will use these countermeasures to enforce policies and procedures restricting unauthorised access to and use of system resources.
Effective protection of network endpoints
Each and every device is a potential target and also a potential entry point for security threats within an IACS, as threats pivot between security zones. For this reason, effective means of protection are essential to secure various endpoints on the network prior to granting device access. Organisations can fortify their network through patching and anti-virus protection, application whitelisting, end node hardening, and portable media security.
Greater awareness of hazardous situations
Ensuring personnel can quickly assess a cyber security situation is a key objective for petroleum firms. This requires ongoing situational awareness of cyber vulnerabilities and threats. Workers must be equipped to interpret and understand activity on the control network through continuous monitoring, compliance and reporting, security analytics, security information and event management, and security awareness training.
Improved recovery and response
Energy industry operations should develop sound strategies for incident response and recovery. While it is best to minimise the frequency, scope and impact of cyber incidents, there is no such thing as 100% security. A successful cyber attack will at best compromise the integrity of target systems, and in the worst case could result in unrecoverable failures of digital assets. Backups of trusted and clean systems need to be kept current, so that systems can be restored quickly. Especially within critical industries, these precautions need to be a part of a broader incident and disaster recovery plan to minimise downtime and limit potential damages.
Enhanced risk management
Now more than ever, the oil and gas sector needs solutions to proactively monitor, measure and manage cyber security risks for control systems, as well as real time visibility, understanding and decision support to address related issues and vulnerabilities. The latest risk management tools enable real time assessment of cyber risks and vulnerabilities, as well as consolidation of data for better visibility of threats. Armed with knowledge of where cyber risks are originating from, as well as the potential impact of a risk and possible resolutions in the context of the IACS, both IT and OT personnel are able to prioritise effort where it is needed most, and take the right remediation actions with minimal delay.
With a sharp rise in both the frequency and sophistication of cyber threats against modern petroleum operations, oil and gas firms must take stronger and more proactive steps to protect their critical assets. These steps include a cyber security programme integrating industry standards, best practices and advanced technology to improve understanding of cyber security risk, so that process control infrastructure is better protected from ever-changing forms of electronic endangerment.