New technology has improved efficiency across the oil and gas industry: improving safety and increasing productivity to secure the future of the sector however, the introduction of connected systems has also introduced potential weaknesses which could compromise security.
Compared to the old ‘manual’ days, today’s automated industry is vastly different, with digital information platforms, including spreadsheets; databases; and handheld technology increasingly important as tools of the trade.
As assets – including vessels, installations and process plants, are connected to the internet in some form, protecting their digital infrastructure against cyber-attack is vital in ensuring safe operations and protecting production.
Managing a physical threat is not new, however many of these assets are decades old and were installed at a time when the online threats faced by today’s operators could not be foreseen. Taking infrastructure from another era and giving it security fit for the 21st century poses challenges.
Combining the way we handle the cyber threat along with traditional physical security allows us to build a resilient all-encompassing plan to combat issues. Engaging a command and control room as a single platform for handling the IT security information, event management (SIEM) and the physical security information management (PSIM) provides a holistic approach where all elements of the security programme are monitored and managed. This cohesion is crucial in building a full picture that covers all aspects of the security package.
Cyber security vulnerabilities can be addressed through a risk-based approach, using the same bow-tie model implemented across the wider safety and security picture, to establish both risk management and emergency response plans. Following this methodology allows companies to identify threats to and vulnerabilities within existing assets and operations. Pinpointing the threats allow businesses to then plan barriers to prevent incidents and mitigate the consequences of cyber risks. Practically this means a vulnerability assessment and penetration test should be carried out.
Without appropriate safety functions, the software used to improve efficiencies and provide smooth working procedures can also become a weakness for an operator.
The top cyber security vulnerabilities include:
Lack of cyber security awareness and training among employees e.g. access to a system via social engineering
Not managing use of IT products where there are known vulnerabilities e.g. hard coded user credentials
A limited cyber security culture among supply chain: vendors, suppliers and contractors e.g. lack of focus on logical security
Insufficient separation of data networks e.g. lack of centralised IT coordination
The use of mobile devices and storage units including smartphones
Insufficient physical security of data rooms, cabinets, etc.
Outdated and ageing control systems in facilities
Educating security teams and facility managers on the important of regular self-assessment as a means to improving preparedness is especially important, particularly in high risk regions or where there is a dynamic threat profile.
Bespoke security risk assessment tools can be designed to cover the specific needs of individual operators with training provided to their teams to support proactive risk management.
Each region and the countries therein are different and it pays to focus on the challenges posed by the location. Identification of trends and underlying risks differ from place to place and infrastructure, such as pipelines, which may span an entire country can be vulnerable to malicious damage or theft. This is especially true in the case of remote assets.
In terms of detecting physical issues, the latest technologies aid the identification of potential attacks better than ever before. As an example, long-range thermal imaging is effective for wide area surveillance and intruder monitoring whilst unmanned aerial vehicles are effective for surveillance and investigating on remote assets. These can also play a role in detecting emerging threats, such as airborne contamination.
The increasing capability of smart phones lends itself to protecting security through integrated personal credentials. It is likely that phones will eventually replace traditional access tokens or cards, providing access control details and e-wallet capabilities.
Finance plays a major role in what we can or can’t do however, cyber security protection costs haven’t changed greatly in recent years. As expectation increases into what a system should be able to do so does the fee, but this has been balanced by the proliferation of consumer technology such as smart phones that have allowed us to do more.
Empowering oil and gas companies to utilise appropriate risk assessment methodologies and act on their recommendations will go a long way to ensuring the security of operations onshore and offshore. Just as our systems improve, so do the capabilities of those who may be planning cyber-attacks.
Key to stopping this and securing the safety of our assets is a fully rounded security approach which ties in all cyber and physical aspects. Knowing where the vulnerabilities may lie and understanding what is required to address them allows us to deliver a package that will keep the oil and gas industry safe.