With legacy assets ill-equipped for battle for the most part, oil and gas production operations are the most vulnerable to potential cyberattacks, according to a report released by the Deloitte Center for Energy Solutions.

“Approximately 42% of offshore facilities worldwide have been operational for more than 15 years, fewer than half of [oil and gas] companies use moni­toring tools on their networks, and of those compa­nies that have these tools, only 14% have fully operational security monitoring centers,” Deloitte said.

Complicating matters are operating environments with a vast number of producing wells run on different industrial control systems purchased from various vendors and connected to off-the-shelf technologies. Such was the case for one company mentioned in the report.

The cyber threat is not new, considering Deloitte said nearly three-quarters of U.S. oil and gas companies experienced at least one cyber incident in 2016. Hackers have shut down power, infected workstations and swiped proprietary information.

On June 27, Rosneft, the top oil producer for Russia, said it was hit by a “massive” cyberattack.

“The cyberattack could lead to serious consequences; however, due to the fact that the company has switched to a reserve control system, neither oil production nor preparation processes were stopped,” Rosneft said on Twitter.

The attack was one of many that have hit the oil and gas industry.

But as Deloitte pointed out in its report “only a handful of energy companies cite cyber breaches as a major risk,” despite their potential to cause harm to operations, worker safety and financials.

The report was released June 26 as some companies in the oil and gas sector continue to expand their digital oil field capabilities, seeing the benefits of advanced sensor technology, the Internet of Things and other analytical and automated tools. Such progress could lead to a better understanding of assets and greater efficiency with the potential for cost savings and higher profits, yet each comes with vulnerabilities, which vary based on the operations at hand.

While production operations were said to be the most vulnerable, development operations were next on the list given drilling activities’ need for infrastructure and services from various engineering, equipment, drilling and supply companies.

“Diverse business objectives of all stakeholders make it challenging for operators to have a single cybersecurity protocol, and then there may be a systemic concern of already-infected rigs and devices entering the ecosystem,” Deloitte said.

Exploration was considered the least vulnerable because seismic imaging and geological and geophysical surveys, crucial pieces of the exploration puzzle, utilize data acquisition systems or models with little connectedness such as geophones and hydrophones.

Still, cyber concerns for the industry as a whole are plentiful. As explained in the report,

  • Joint operations take place across regions with multiple vendors, which varying security guidelines;
  • Cyber ownership and responsibility among companies are fragmented;
  • Firewalls could introduce latency into time-critical internet connection-sharing systems facing operational constraints;
  • Use of proprietary and non-proprietary technologies creates challenges in consistency of cyber standards; and
  • Many systems have irregular security patching and more than 10-year-old life cycles that were not built with cybersecurity in mind. Upgrades can be costly and impact operations.

To help mitigate cyber risks, Deloitte suggested companies focus just as much on gaining insight into threats as responding effectively to reduce their impact.

“Put simply, an effective cyber strategy needs to be secure, vigilant and resilient,” Deloitte said, later giving a production and abandonment scenario to consider.

Imagine a worm, or a computer program that infects an operations system by spreading malicious code, slithering undetected into an onshore industrial control system. Capable of masking “the condition of the gearbox in control rooms,” the worm can change the speed of pumps, hastening or slowing oil production as the hacker pleases.

To guard against this, Deloitte said a company could conduct a detailed assessment to determine the vulnerability for each of its asset, and then prioritize and schedule updates for critical assets. An alternative would be to replace legacy devices with new hardware.

Becoming more vigilant in combating cyberattacks involves not only staying informed of potential threats from external sources but also sharing information, Deloitte added.

“For rapidly containing the damage, or being resil­ient, a company can regularly practice responding through cyber war gaming and simulations,” the report said. “Staging simulations, especially with people involved in responding to incidents offshore or working in remote locations, creates better understanding of threats and improves cyber-judgment at the lowest possible level.

Recognizing the risks and knowing how the technical offensive and defensive moves are only one part of the game. Getting the “boardroom buy-in,” as Deloitte called it, is another. This requires getting executives to see how cybersecurity could impact:

  • Assets, people and the environment;
  • Availability and reliability of assets; and
  • Creating new value.

“The current period of low oil prices has provided upstream companies—weary after years of chasing high growth—with the much-needed breathing space to focus on internal processes and sys­tems,” the report said. “The industry has made a great beginning by focusing on efficiency; now it needs to close by safe­guarding operations from cyber-attacks. We believe that cyber, like automation and digital oil fields, can quickly mature from a cost item to an essential investment.”

Velda Addison can be reached at vaddison@hartenergy.com.