7 minute read 29 Aug 2018

How digitalization in oil and gas is creating security risks

By

Piotr Ciepiela

EY EMEIA Security & Critical Infrastructure Leader, Associate Partner, EY EMEIA Advisory Center

Critical infrastructure security and operational technology leader. Over 14 years of experience managing international, complex OT and IoT security projects. Team and thought leader. Strategy former.

Sustained low oil prices are driving adoption of digitalization across the oil and gas industry, ramping up the stakes for cybersecurity.

Digital advancements, such as smart engineering technology (SET), the Industrial Internet of Things (IIoT) and big data, can bring both benefits and increased vulnerability to cyber threats.

The benefits include:

  • Reduction in operational costs and removal of waste through automation of processes, which helps improve profitability 
  • Enablement of faster and more effective decision-making, which helps improve competitiveness
  • Improvement of product quality and reduction in quality risk
  • Further deployment of digital tools and processes in oil and gas companies, which provides an opportunity to radically change business models and engineer a significant organizational transformation

Some of the potential vulnerabilities include:

  • Significant economic risk exposure during the exploration phase, resulting from leakage, sabotage or manipulation of exploration data
  • Risk of harm, loss of life and/or environmental catastrophe caused by sabotage to well drilling processes and technology
  • Security vulnerabilities developed during the design and build of new installations or equipment across the subsectors
  • Formation of new business partnerships, joint ventures or cooperation with suppliers or other third parties with weak security baselines
  • The use of insecure data storage and data communication that could increase exposure to espionage, with major financial implications and loss of competitive advantage on the international stage

Top cybersecurity questions for companies to ask themselves

1. Would you know if you were under attack right now?

2. What would you do if you were under attack?

3. How well do you know the scope of the IIoT/operational technology (OT) asset landscape you protect?

4. Is your business capable of running without IIoT/OT support?

5. How critical do you consider the IIoT environment in terms of business value creation?

6. What are the biggest cyber risks associated with your critical production environment?

7. How do you ensure security and resiliency in times of increased integration of data from multiple sources?

8. How well do you know the boundaries of the environment you need to protect?

9. Is configuration of your critical IIoT/OT devices safe (backup exists, tested, offsite storage is in place, etc.)?

A mere 10%-20% of the oil and gas industry is digitized, and the pace of connected development is likely to significantly increase in the next decade. 

Digital and the IIoT have changed the threat landscape

The IIoT and digital revolution offer great benefits to the oil and gas industry. However, they can increase exposure to new types of cybersecurity risks that require immediate attention.

Our Global Information Security Survey (GISS) revealed that 57% of respondents in the oil and gas industry have had a recent significant cybersecurity incident. In a similar vein, a World Energy Council report published in September 2016 cited cybersecurity as a top issue for the energy industry, particularly in North America and Europe, where the infrastructure is most mature.

OT environments have traditionally focused on ensuring high availability at the expense of confidentiality and integrity, and they are now very exposed to cybersecurity risks as a result of digitization and modernization, including connectivity to the internet. It is no longer practical or cost effective to maintain separate IT and OT environments. Indeed, to realize the maximum benefit from digitization and smart engineering, combining these environments is increasingly a necessity. These changes are being accelerated by the advent of new technologies such as IIoT and big data analytics.

Operational safety and quality are cyber-dependent

The convergence of the IT and OT environments has created new cyber-physical risks.

As the US National Institute of Standards and Technology (NIST) says, “Cyber-Physical Systems or ‘smart’ systems are co-engineered interacting networks of physical and computational components. These systems will provide the foundation of our critical infrastructure, form the basis of emerging and future smart services, and improve our quality of life in many areas.”

New risks are being created where network-connected endpoint devices such as unmanned vehicles, smart sensors, handheld engineer terminals and industrial routing equipment are being produced and deployed without a cybersecurity baseline implementation and are open to remote compromise.

As more and more devices are connected, the potential for infiltration rises exponentially.

Today, cyber-physical risks are not being effectively identified, tracked or monitored — so how can such risks be appropriately mitigated? This, combined with the rate of new technology deployment and digitization of operational processes, means there is reason to act now. If cyber-physical systems are compromised, they could lead to a hazardous event, which could result in loss of critical national infrastructure services to the public or, worse, loss of life due to safety failings.

Examples have already been seen with unmanned vehicles (such as drones and driverless vehicles). Such attacks in the oil and gas industry can potentially go beyond damage to control systems, devices, equipment and the network. They can also pose risks to the entire supply chain and disrupt regional sector operations. This is the essence of cyber-physical risk.

Enabling safe and reliable digital operations

Aligning an organization’s digital strategy to address cyber-physical risks is necessary to appropriately protect operational assets and processes. An aligned digital and cyber strategy can enable digital transformation by:

  • Reducing operational and safety risk, through the management and monitoring of new technology and cyber-physical risks
  • Enhancing the digital agenda, through the creation of a safe and managed cyber environment where new technologies and processes can be introduced
  • Unlocking technology innovation by clearly understanding the IT, OT and IIoT asset landscape and the threats and risks that could affect their operational uptime and integrity
  • Creating resilient technology platforms for field site and corporate networks that can predict potential attacks and outages before they occur

Oil and gas companies are in various stages of their digital transformation journeys, with many in the early stages. Understanding the current cyber-physical risk landscape and the threats that the IIoT and new technologies bring is critical for planning the long-term success of reliable and resilient sector operations. It is equally critical to understand clearly the benefits of taking a proactive approach to security now, to avoid major vulnerabilities at a later stage. Such an approach would also mitigate the risks of digital transformation projects being delayed or experiencing major problems once launched.

Two smart ways to invest in cybersecurity

1. Benchmark with similar companies on security spending.

2. Justify security spending by showing how much value is protected or even created out of ensuring cyber-resilient industrial operations.

The more value we create out of connected cyber-physical systems, the more attention we should give to protecting them.

The top three things to do now

In order to reduce safety and reliability risks to operations, consider the following:

1. Before implementing new “connected” field technologies, ask your vendors to prove their product cybersecurity baseline

Devices today are being deployed with inherent security flaws. Ensuring a security baseline is in place before deployment will protect operations against endpoint IIoT threats and potential safety, reputational and economic impacts.

2. Acknowledge the cyber-physical risk domain, and include it in your operational risk registers now

Your risk footprint grows with every new connected field technology you implement, which can affect the safety and reliability of operations and staff. Our client interaction has revealed that many companies were unaware that cyber penetration testing was necessary, which is especially critical given the deeper connectivity between OT and IT systems. The lack of public reporting of cyber-attacks in the industry is yet another factor complicating the understanding of the size and true nature of various types of risks.

3. Align cybersecurity to your digital strategy for operations

The more you digitize, the more your cyber-risk footprint grows. Ensuring cyber is an active part of the digital design process will enable more technology to be implemented without adding additional operational risk. The US Department of Homeland Security says that oil and gas is the most attacked industrial sector.

Summary

Aligning an organization’s digital strategy to address cyber-physical risks is necessary to appropriately protect operational assets and processes. An aligned digital and cyber strategy can enable digital transformation.
