Digitization and the rise of cyber-physical risks
Sustained low oil prices are driving adoption of digitalization across the oil and gas industry, ramping up the stakes for cybersecurity.
Digital advancements, such as smart engineering technology (SET), the Industrial Internet of Things (IIoT) and big data, can bring both benefits and increased vulnerability to cyber threats.
Benefits of digitalization:
- Reduction in operational costs and removal of waste through automation of processes, which helps improve profitability
- Enablement of faster and more effective decision making, which helps improve competitiveness
- Improvement of product quality and reduction in quality risk
- Further deployment of digital tools and processes in oil and gas companies, which gives an opportunity to radically change business models and engineer a significant organizational transformation
Some of the potential vulnerabilities include:
- Significant economic risk exposure during the exploration phase, resulting from leakage, sabotage or manipulation of exploration data
- Risk of harm, loss of life and/or environmental catastrophe caused by sabotage to well drilling processes and technology
- “Building in” security vulnerabilities during the design and build of new installations or equipment across the subsectors
- Forming new business partnerships, joint ventures or cooperation with suppliers or other third parties with weak security baselines
- The use of insecure data storage and data communication which could increase exposure to espionage, with major financial implications and loss of competitive advantage on the international stage
Top cybersecurity questions a company must regularly ask itself
|1.||Would you know if you were under attack right now?|
|2.||What would you do if you were under attack?|
|3.||How well do you know the scope of the IIoT/operational technology (OT) asset landscape you protect?|
|4.||Is your business capable of running without IIoT/OT support?|
|5.||How critical do you consider the IIoT environment in terms of business value creation?|
|6.||What are the biggest cyber risks associated with your critical production environment?|
|7.||How do you ensure security and resiliency in times of increased integration of data from multiple sources?|
|8.||How well do you know the boundaries of the environment you need to protect?|
|9.||Is configuration of your critical IIoT/OT devices safe (backup exists, tested, offsite storage is in place etc.)?|
It is estimated that 10%-20% of the oil and gas industry is digitized and the pace of connected development is likely to significantly increase in the next decade.
Digital and the IIoT have changed the threat landscape
The IIoT and digital revolution offer great benefits to the oil and gas industry, however they can increase exposure to new types of cyber security risks which require immediate attention.
Our Global Information Security Survey (GISS) revealed that 57% of respondents in the oil and gas industry have had a recent significant cybersecurity incident. In a similar vein, the World Energy Council report1 published in September 2016 cited cybersecurity as a top issue for the energy industry, particularly in North America and Europe, where the infrastructure is most mature.
OT environments have traditionally focused on ensuring high availability at the expense of confidentiality and integrity, and are now very exposed to cyber security risks as a result of digitization and modernization, including connectivity to the internet. It is no longer practical or cost effective to maintain separate IT and OT environments. Indeed, to realize the maximum benefit from digitization and smart engineering, combining these environments is increasingly a necessity. These changes are being accelerated by the advent of new technologies such as IIoT and big data analytics.
1“The road to resilience – Managing cyber risks,” World Energy Council in in partnership with Marsh & McLennan Companies and Swiss Re Corporate Solutions, https://www.worldenergy.org/wp-content/uploads/2016/09/20160926_Resilience_Cyber_Full_Report_WEB-1.pdf, published September 2016, accessed on 16th November 2017
Digital oil and gas company of the future
Operational safety and quality are cyber-dependent
The convergence of the IT and OT environments has created new cyber-physical risks.
As the US National Institute of Standards and Technology (NIST) says, “Cyber-Physical Systems or “smart” systems are co-engineered interacting networks of physical and computational components. These systems will provide the foundation of our critical infrastructure, form the basis of emerging and future smart services, and improve our quality of life in many areas.”2
New risks are being created where network connected endpoint devices such as UAVs, smart sensors, handheld engineer terminals and industrial routing equipment are being produced and deployed without a cybersecurity baseline implementation, and are open to remote compromise.
As more and more devices are connected, the potential for infiltration rises exponentially.
Today, cyber-physical risks are not being effectively identified, tracked or monitored – so how can such risks be appropriately mitigated? This, combined with the rate of new technology deployment and digitization of operational processes, means there is reason to act now. If cyber-physical systems are compromised they could lead to a hazardous event, which could result in loss of critical national infrastructure services to the public or, worse, loss of life due to safety failings.
Examples have already been seen with UAVs (e.g., drones, autonomous and driverless vehicles etc.). Such attacks in the oil and gas industry can potentially go beyond damage to control systems, devices, equipment and the network. They can also pose risks to the entire supply chain and disrupt regional sector operations. This is the essence of cyber-physical risk.
Oil and gas companies have to devote more focus to understanding the potential negative impacts new technologies can have on their business. They should continually assess, understand and manage risk exposure, both at an organisational level and for individual processes, functions, facilities, locations and technologies.
2“Cyber-Physical systems,” US National Institute of Standards and Technology (NIST) website, https://www.nist.gov/el/cyber-physical-systems, accessed on 16th November 2017
Enabling safe and reliable digital operations
Aligning an organization’s digital strategy to address cyber-physical risks is necessary to appropriately protect operational assets and processes. An aligned digital and cyber strategy can enable digital transformation by:
- Reducing operational and safety risk, through the management and monitoring of new technology and cyber-physical risks
- Enhancing the digital agenda, through the creation of a safe and managed cyber environment where new technologies and processes can be introduced
- Unlocking technology innovation by clearly understanding the IT, OT and IIoT asset landscape, and the threats and risks that could affect their operational uptime and integrity
- Creating resilient technology platforms for field site and corporate networks which can predict potential attacks and outages before they occur
Oil and gas companies are in various stages of their digital transformation journeys, with many in the early stages. Understanding the current cyber-physical risk landscape and the threats that the IIoT and new technologies bring is critical for planning the long-term success of reliable and resilient sector operations. A clear understanding of the benefits to taking a proactive approach to security now, to avoid major vulnerabilities at a later stage, is critical. Such an approach would also mitigate the risks of digitial transformation projects being delayed or experiencing major problems once launched.
The top three things to do now
In order to reduce safety and reliability risks to operations, the following areas should be considered:
1. Before implementing new “connected” field technologies, ask your vendors to prove their product cyber security baseline
Devices today are being deployed with inherent security flaws. Ensuring a security baseline is in place before deployment will protect operations against endpoint IIoT threats and potential safety, reputational and economic impacts.
2. Acknowledge the cyber-physical risk domain, and include it in your operational risk registers now
Your risk footprint grows with every new connected field technology you implement, which can affect the safety and reliability of operations and staff. Our client interaction has revealed that many companies were unaware that cyber penetration testing was necessary, which is especially critical given the deeper connectivity between OT and IT systems. The lack of public reporting of cyber-attacks in the industry is yet another factor complicating the understanding of the size and true nature of various types of risks.
3. Align cyber security to your digital strategy for operations
The more you digitize, the more your cyber-risk footprint grows. Ensuring cyber is an active part of the digital design process will enable more technology to be implemented without adding additional operational risk. The US Department of Homeland Security says that oil and gas is the most attacked industrial sector.