With legacy assets ill-equipped for battle for the most part, oil and gas production operations are the most vulnerable to potential cyberattacks, according to a report released by the Deloitte Center for Energy Solutions.
“Approximately 42% of offshore facilities worldwide have been operational for more than 15 years, fewer than half of [oil and gas] companies use monitoring tools on their networks, and of those companies that have these tools, only 14% have fully operational security monitoring centers,” Deloitte said.
Complicating matters are operating environments with a vast number of producing wells run on different industrial control systems purchased from various vendors and connected to off-the-shelf technologies. Such was the case for one company mentioned in the report.
The cyber threat is not new, considering Deloitte said nearly three-quarters of U.S. oil and gas companies experienced at least one cyber incident in 2016. Hackers have shut down power, infected workstations and swiped proprietary information.
On June 27, Rosneft, the top oil producer for Russia, said it was hit by a “massive” cyberattack.
“The cyberattack could lead to serious consequences; however, due to the fact that the company has switched to a reserve control system, neither oil production nor preparation processes were stopped,” Rosneft said on Twitter.
The attack was one of many that have hit the oil and gas industry.
But as Deloitte pointed out in its report “only a handful of energy companies cite cyber breaches as a major risk,” despite their potential to cause harm to operations, worker safety and financials.
The report was released June 26 as some companies in the oil and gas sector continue to expand their digital oil field capabilities, seeing the benefits of advanced sensor technology, the Internet of Things and other analytical and automated tools. Such progress could lead to a better understanding of assets and greater efficiency with the potential for cost savings and higher profits, yet each comes with vulnerabilities, which vary based on the operations at hand.
While production operations were said to be the most vulnerable, development operations were next on the list given drilling activities’ need for infrastructure and services from various engineering, equipment, drilling and supply companies.
“Diverse business objectives of all stakeholders make it challenging for operators to have a single cybersecurity protocol, and then there may be a systemic concern of already-infected rigs and devices entering the ecosystem,” Deloitte said.
Exploration was considered the least vulnerable because seismic imaging and geological and geophysical surveys, crucial pieces of the exploration puzzle, utilize data acquisition systems or models with little connectedness such as geophones and hydrophones.
Still, cyber concerns for the industry as a whole are plentiful. As explained in the report,
- Joint operations take place across regions with multiple vendors, which varying security guidelines;
- Cyber ownership and responsibility among companies are fragmented;
- Firewalls could introduce latency into time-critical internet connection-sharing systems facing operational constraints;
- Use of proprietary and non-proprietary technologies creates challenges in consistency of cyber standards; and
- Many systems have irregular security patching and more than 10-year-old life cycles that were not built with cybersecurity in mind. Upgrades can be costly and impact operations.
To help mitigate cyber risks, Deloitte suggested companies focus just as much on gaining insight into threats as responding effectively to reduce their impact.
“Put simply, an effective cyber strategy needs to be secure, vigilant and resilient,” Deloitte said, later giving a production and abandonment scenario to consider.
Imagine a worm, or a computer program that infects an operations system by spreading malicious code, slithering undetected into an onshore industrial control system. Capable of masking “the condition of the gearbox in control rooms,” the worm can change the speed of pumps, hastening or slowing oil production as the hacker pleases.
To guard against this, Deloitte said a company could conduct a detailed assessment to determine the vulnerability for each of its asset, and then prioritize and schedule updates for critical assets. An alternative would be to replace legacy devices with new hardware.
Becoming more vigilant in combating cyberattacks involves not only staying informed of potential threats from external sources but also sharing information, Deloitte added.
“For rapidly containing the damage, or being resilient, a company can regularly practice responding through cyber war gaming and simulations,” the report said. “Staging simulations, especially with people involved in responding to incidents offshore or working in remote locations, creates better understanding of threats and improves cyber-judgment at the lowest possible level.”
Recognizing the risks and knowing how the technical offensive and defensive moves are only one part of the game. Getting the “boardroom buy-in,” as Deloitte called it, is another. This requires getting executives to see how cybersecurity could impact:
- Assets, people and the environment;
- Availability and reliability of assets; and
- Creating new value.
“The current period of low oil prices has provided upstream companies—weary after years of chasing high growth—with the much-needed breathing space to focus on internal processes and systems,” the report said. “The industry has made a great beginning by focusing on efficiency; now it needs to close by safeguarding operations from cyber-attacks. We believe that cyber, like automation and digital oil fields, can quickly mature from a cost item to an essential investment.”
Velda Addison can be reached at vaddison@hartenergy.com.
Recommended Reading
Range Resources Holds Production Steady in 1Q 2024
2024-04-24 - NGLs are providing a boost for Range Resources as the company waits for natural gas demand to rebound.
Hess Midstream Increases Class A Distribution
2024-04-24 - Hess Midstream has increased its quarterly distribution per Class A share by approximately 45% since the first quarter of 2021.
Baker Hughes Awarded Saudi Pipeline Technology Contract
2024-04-23 - Baker Hughes will supply centrifugal compressors for Saudi Arabia’s new pipeline system, which aims to increase gas distribution across the kingdom and reduce carbon emissions
PrairieSky Adds $6.4MM in Mannville Royalty Interests, Reduces Debt
2024-04-23 - PrairieSky Royalty said the acquisition was funded with excess earnings from the CA$83 million (US$60.75 million) generated from operations.
Equitrans Midstream Announces Quarterly Dividends
2024-04-23 - Equitrans' dividends will be paid on May 15 to all applicable ETRN shareholders of record at the close of business on May 7.