The technological changes the oil and gas industry has seen in recent years have brought huge benefits in creating efficiencies and reducing costs. But these same advancements have also increased the number and variety of cybersecurity risks. Joe Morgan, Segment Development Manager, Critical Infrastructure, Americas, at Axis, looks at how oil and gas producers can mitigate the cybersecurity risks.
I have been involved in the oil and gas industry in one form or another for more than 35 years. This long tenure has enabled me to witness incredible changes in both the market and technology. There have been busts and booms, the discovery of new oil and gas fields, and techniques to reach these reserves. I have seen the emergence of downhole instrumentation that gives indications of factors – such as pressure, volume – as well as new stimulation techniques to extract every ounce.
Over the years, there have been great technological advances within the oil and gas industry, and the pace of change continues today. If anything, the technological transformation is accelerating. But with these advances come cybersecurity risks, which have also been steadily increasing in the sector.
This post will look at how today’s oil producers are using new sensor technologies to improve efficiencies and reduce cost, and examine how associated security risks can be mitigated.
From ‘keen ears’ to network-connected sensors
An oil producer’s main objective is to keep their wells profitable, and technology plays a significant part in operations. Where once the keen ear of a field service operator could spot the sound of a failing bearing, today local embedded sensors have taken over.
Smart sensors and SCADA systems (Supervisory Control and Data Acquisition) are helping companies to monitor and report on the operational aspects of oil and gas. These sensors can detect early changes and relay critical data across a facility to a plant manager or send it thousands of miles away to a remote-control room.
Until recently remote monitoring was too expensive, but innovations in cellular technologies (powered by solar and battery storage), now allow sensors to send information across long distances. Smart sensors can also be programmed to send data or alerts when there is a problem, cutting operational costs significantly.
Verification of alerts or alarms can be achieved using additional sensors, including visual and thermal cameras. These can be positioned to determine if the initial sensor – for instance a smoke or gas detector, or an audio sensor - has indicated a problem correctly, and therefore prompt the appropriate response.
Producers are adapting systems to remotely monitor well sites for security, process, and health & safety, using a combination of these new technologies. This will move producers from a reactionary stance to a proactive stance, benefiting the operational aspects of a site and decreasing the need for some well services. Sensors working around the clock can detect abnormal activity, replacing random manual checks. This will ultimately save money and keep the well profitable.
Battling cyber threats to critical infrastructure
The oil and gas sector forms an important part of a country’s critical infrastructure sector, and cybersecurity is the number one concern for most operations. In our ever more connected world, any and every network endpoint can provide an opportunity for cyberattack. The industry has seen an increase in ransomware attacks, often targeting IoT devices as the network entry point, due to their inherent security vulnerabilities.
Trojan horse-type malware attacks also represent a direct threat to oil and gas operations, as they typically aim to allow attackers to gain some level of operational control of the plant which, even if only limited, could have serious consequences.
A malicious actor could, for example, trigger a false alert that a piece of machinery has malfunctioned. If not verified, an incorrect reactionary response could cause more damage than the actual event. Even the act of manually verifying a false alarm could cause a costly interruption to operations.
Successful attacks against critical infrastructure, the numerous subsectors, and the associated authorities could have catastrophic effects. Successful cyberattacks can also result in a cascading or domino effect: if one subsector goes down, other subsectors will likely follow.
A compromised solution within a critical sector could not only have dire consequences for the business, but for society as well. As countries rely on these services, the implications could be widespread. From a business perspective, a successful cyberattack could have negative impacts on their brand reputation, share price, and profitability, as well as result in operational downtime and regulatory fines.
It is therefore crucial for organizations to defend against these attacks, which are continuing to morph and evolve. Indeed, regulations in some regions are increasingly demanding that critical entities demonstrate resilience in the face of cyber threats, not only in their own operations but across their entire value chains.
Evaluating the supply chain
Hackers are opportunistic and will look to exploit vulnerabilities in existing processes. In addition to verification, advanced sensor manufacturers have added more layers of protection and will look to third party cybersecurity partners to help reinforce their defenses. Therefore, supply chain due diligence has never been more important when we consider the associated risks of a cyberattack.
In protecting their own operations from cyberattacks, oil and gas producers need to look beyond the operational benefits gained from new technology and focus on the cybersecurity maturity of the businesses within their entire supply chain.
To support the evaluation of partners within an organization’s supply chain, the approach needs to go beyond the operational aspects of the technology itself. Areas to consider throughout the evaluation should be the process and policies that they have in place to demonstrate their own internal maturity, such as ISO 27001. If these organizations can’t demonstrate what they are doing to protect themselves from cyberattacks, how can they be trusted to protect their customers? Working with technology vendors that demonstrate transparency regarding their own approach to cybersecurity, and across their own value chains, is essential.
As the oil and gas sector enters a new era of increased automation, the role of the technology partner will become even more pivotal to success. The solutions they provide will help improve efficiencies and reduce costs in the sector, especially from a remote monitoring perspective. However, careful cybersecurity evaluation of these businesses is critical and should be prioritized during the procurement process. From my experience, it would be a disaster if the technology that was deployed to improve business operations and improve profitability, resulted in the user’s systems being compromised.
If we acknowledge that every business is only as strong as the weakest link, we need to make sure that cybersecurity falls within the evaluation process and isn’t an afterthought. Only then will oil and gas organizations be in a strong position to take advantage of emerging technology solutions.
