Cybersecurity is no longer a concern just for tech experts in the information technology (IT) department. It is also top of mind for executives in the boardroom and operators in the oilfield.
And for good reason. More frequent, sophisticated and high-profile cybersecurity attacks on oil and gas operations have put the industry on edge.
Breaches are disruptive and expensive, costing some companies hundreds of millions of dollars. Incidents like the 2017 Ukraine ransomware attack that affected transportation and logistics company Maersk, among others, also remind us that an attack in the digital world can have dangerous consequences in the real world.
Without a doubt, users need comprehensive security as operations become more digital. But this security does not need to come at the expense of business-improvement goals. In fact, quite the opposite. The same digital capabilities that can help users better compete—like seamless connectivity, production intelligence and remote support—can also help fortify operations.
When planning and designing an oil and gas cybersecurity strategy, users should capitalize on the aspects of connected operations that have shared security and operational benefits. Five key examples include:
1 - Dynamic Asset Inventory
It is hard to mitigate threats without knowing what they might target in an operation. That is why a comprehensive, real-time understanding of connected equipment and systems is essential.
Historically, taking inventory of equipment required physically sending someone to all the production sites. This process is time-consuming, especially if there are dispersed and remote operations. It is also limiting because the data captured only gives users a snapshot in time of their inventory.
The industrial internet of things (IIoT) is changing this. Now, using software or connected services, users can use the same communications path as their control systems to gather asset data. With a continuous, real-time inventory of operational equipment, users can stay on top of risks to their production environments. For example, users can quickly see if security advisories, firmware updates or new patch releases are relevant to an installed base. Users can also better manage their operations. The data can be helpful, for instance, for tracking life cycle risks and informing modernization strategy.
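The advisory check described above can be sketched as follows. This is an added example, not code from the article or any vendor: the vendor, model, asset and advisory names are constructed placeholders, and the advisory is assumed to state the first fixed firmware version. Versions are compared numerically, and assets whose firmware could not be read are reported as unverified instead of being skipped.

```python
from dataclasses import dataclass
from typing import Optional

def parse_version(text):
    """Turn '3.10.0' into (3, 10, 0) so 3.9.2 sorts below 3.10.0."""
    return tuple(int(part) for part in text.split("."))

@dataclass(frozen=True)
class Asset:
    asset_id: str
    site: str
    vendor: str
    model: str
    firmware: Optional[str]  # None when the scan could not read it

@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    vendor: str
    model: str
    fixed_in: str  # assumption: first firmware version containing the fix

def match_advisories(inventory, advisories):
    """Return (asset_id, advisory_id, status) for every relevant pairing."""
    findings = []
    for adv in advisories:
        for asset in inventory:
            if (asset.vendor, asset.model) != (adv.vendor, adv.model):
                continue
            if asset.firmware is None:
                status = "unverified"  # cannot rule the asset out
            elif parse_version(asset.firmware) < parse_version(adv.fixed_in):
                status = "affected"
            else:
                continue  # already at or above the fixed version
            findings.append((asset.asset_id, adv.advisory_id, status))
    return findings

# Constructed inventory and advisory (placeholders, not real products).
INVENTORY = [
    Asset("plc-001", "wellpad-A", "ExampleVendor", "PLC-500", "3.9.2"),
    Asset("plc-002", "wellpad-B", "ExampleVendor", "PLC-500", "3.10.0"),
    Asset("plc-003", "wellpad-C", "ExampleVendor", "PLC-500", None),
    Asset("vfd-001", "wellpad-A", "ExampleVendor", "VFD-20", "1.2.0"),
]
ADVISORIES = [Advisory("EXAMPLE-ADV-0001", "ExampleVendor", "PLC-500", "3.10.0")]

if __name__ == "__main__":
    for finding in match_advisories(INVENTORY, ADVISORIES):
        print(finding)
```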
2 - Real-Time Process Visibility
It is not enough to know what equipment is available. Users also need real-time visibility into how, when and where people are accessing or manipulating it. A threat-detection service can identify normal behavior across oil and gas networks and monitor operations 24/7 for deviations from that baseline. Operators can then be alerted to any irregularities or potential threats in real time.
This visibility can help users uncover a threat such as an outside attacker at multiple stages, including:
- when they first gain a foothold on the network
- when they are moving around the network to do recon on operations
- when they are making changes to assets (systems, equipment, networks) to carry out an attack
The service can also help users detect more common human errors and operational issues that, while lacking nefarious intent, can still disrupt operations. For instance, it could reveal that an OEM remotely accessed and made changes to a controller in the wrong location.
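A simplified version of the baseline-and-deviation monitoring described above, including the case of an OEM changing a controller at the wrong location. This is an added example, not the logic of any particular service: the log format, user names, addresses and the `work_orders` mapping are all constructed assumptions.

```python
from collections import namedtuple

Event = namedtuple("Event", "time user source controller site action")

def parse(line):
    """Parse one constructed log line: time user source controller site action."""
    return Event(*line.split())

def build_baseline(lines):
    """Normal behavior: every (user, source, site, action) seen while learning."""
    return {(e.user, e.source, e.site, e.action) for e in map(parse, lines)}

def detect(lines, baseline, work_orders):
    """Return (time, user, controller, reason) for each deviation from baseline.

    work_orders maps a remote user to the one site they are approved to change.
    """
    alerts = []
    for e in map(parse, lines):
        if (e.user, e.source, e.site, e.action) in baseline:
            continue
        approved = work_orders.get(e.user)
        if e.action == "write" and approved is not None and approved != e.site:
            reason = "change outside approved site " + approved
        else:
            reason = "not in baseline"
        alerts.append((e.time, e.user, e.controller, reason))
    return alerts

# Constructed sample data: a learning window, then live traffic.
LEARNING = [
    "2024-01-08T06:00Z op_lee 10.10.1.20 plc-a1 wellpad-A read",
    "2024-01-08T06:05Z op_lee 10.10.1.20 plc-a1 wellpad-A write",
    "2024-01-09T14:00Z oem_remote 10.99.0.5 plc-a1 wellpad-A write",
]
LIVE = [
    "2024-02-01T06:00Z op_lee 10.10.1.20 plc-a1 wellpad-A write",
    "2024-02-01T09:30Z oem_remote 10.99.0.5 plc-b3 wellpad-B write",
    "2024-02-01T11:15Z op_lee 10.10.1.77 plc-a1 wellpad-A read",
]
WORK_ORDERS = {"oem_remote": "wellpad-A"}

if __name__ == "__main__":
    for alert in detect(LIVE, build_baseline(LEARNING), WORK_ORDERS):
        print(alert)
```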
3 - Life Cycle Management Support
According to the 2019 Global Energy Talent Index report, 40% of oil and gas respondents said a skills crisis has already hit the industry. And nearly 30% said the crisis would take hold in the next five years. To lessen the impact of the skills shortage, more companies are looking to outsource the responsibility of managing their oil and gas production systems. And who better to monitor, maintain and modernize the systems than the companies that supply them?
One major oil and gas producer turned to a diagnostic reliability service to reduce its cybersecurity risks and lower its business costs. As part of the service, the provider continuously scans the process-control network of the oil and gas producer to identify, interrogate and monitor control hardware. It captures key data—such as its part number, series version and firmware version—and tracks status, health and parameter changes. The service helped the producer comply with a new corporate cybersecurity policy and led to operational improvements, such as more proactive maintenance that helped reduce manpower costs in the field and pump more barrels of oil per day.
4 - Disaster Recovery
In the event of a security incident, users need plans and policies in place to help them recover as quickly as possible. This will help minimize the impact of security incidents and maximize uptime.
A response plan can help users contain, eradicate and quickly recover from threats to operations. It should include the steps workers need to take to get back to a fully operational state.
Policies are just as crucial. For example, they should define a method for backing up critical operational assets. Without backups, users could be the victims of ransomware and have to decide: Should we pay someone to reengineer our systems or pay the attacker to get them back?
One solution a policy can require is asset-management software. It can automatically back up application code and configurations for devices like controllers, drives and operator terminals.
5 - Good Security Fundamentals
There are security best practices—known as security fundamentals, and sometimes hygiene—that oil and gas companies should use to achieve a basic level of security. Some are simple, like changing the default logins used in any new network equipment users purchase. Software with authentication and authorization is another best practice. It allows the IT or security team to define who can access the software, what actions they can take and where those actions can be performed.
Other security fundamentals are more complex. For instance, control and enterprise traffic should not be treated the same on a network. If the network infrastructure that handles both of these traffic types goes down, then the entire enterprise is no longer functional. That is why users should use an industrial demilitarized zone (IDMZ) to segment control and enterprise traffic.
In addition to securing operations, these best practices can also have operational benefits. Segmentation, for example, allows users to connect remote employees and partners with on-site workers to more quickly troubleshoot and resolve downtime issues.
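One way to check that the IDMZ segmentation described above is actually enforced is to audit firewall rules for any allowed path that runs directly between the enterprise and control zones. This is an added example, not from the article: the address plan, rule names and rule format are constructed assumptions, and it relies on the usual IDMZ convention that traffic between the two zones terminates on a host in the IDMZ.

```python
import ipaddress

# Constructed address plan (assumption, not a recommended numbering scheme).
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "idmz": ipaddress.ip_network("10.50.0.0/24"),
    "control": ipaddress.ip_network("10.100.0.0/16"),
}

def zones_touched(cidr):
    """Return the names of every zone that the given CIDR overlaps."""
    net = ipaddress.ip_network(cidr)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}

def audit_rules(rules):
    """Return the names of 'allow' rules that let traffic skip the IDMZ."""
    violations = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = zones_touched(rule["src"])
        dst = zones_touched(rule["dst"])
        direct = ("enterprise" in src and "control" in dst) or (
            "control" in src and "enterprise" in dst
        )
        if direct:
            violations.append(rule["name"])
    return violations

# Constructed rule set; broad rules are caught because they overlap both zones.
RULES = [
    {"name": "hist-replica", "action": "allow",
     "src": "10.100.5.10/32", "dst": "10.50.0.20/32"},
    {"name": "erp-to-idmz", "action": "allow",
     "src": "10.1.0.0/16", "dst": "10.50.0.20/32"},
    {"name": "legacy-rdp", "action": "allow",
     "src": "10.1.20.0/24", "dst": "10.100.5.10/32"},
    {"name": "any-any", "action": "allow",
     "src": "0.0.0.0/0", "dst": "0.0.0.0/0"},
    {"name": "block-direct", "action": "deny",
     "src": "10.1.0.0/16", "dst": "10.100.0.0/16"},
]

if __name__ == "__main__":
    print(audit_rules(RULES))
```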
Know Before You Go
Getting the most from connected operations and securing them can go hand in hand. But before doing anything, users need a strategy to identify where they can be more competitive and where their threats lie. Then, users can see where these two areas share common ground. If uncertain of what to do or where to start, reach out to a service provider that can help plan, deploy and optimize connected oil and gas operations.
Also, make use of freely available resources. These resources can help users create more competitive operations using the latest technologies and security best practices.