While the advent of real-time data and analytics in the oil patch has its advantages, such technology could create another avenue for cyberattacks if defenses are not shored up.

Weak control over remote access to a company’s control system and even smartphones are among the points of entry to E&P and operational data such as future drilling sites, optimal times to reserve a rig or equipment and personnel information, according to a recently released report by the Boston Consulting Group (BCG).

“To fortify the security of their upstream operations and related information, companies must add a broad and effective security layer on top of their existing upstream defenses,” BCG said in the report. “Such a layer, which would allow companies to proactively detect intrusions and other forms of attack, should consist of such elements as firewalls, network-monitoring equipment and network use rules that can secure systems and also enable the infrastructure to detect intrusions and associated patterns.”

Potentially high-risk security gaps exist at several points in upstream operations, including when data is transmitted from old or unsecured equipment without taking security precautions, BCG pointed out.

But the global management consulting firm also acknowledged moves the industry has made to protect itself against cybersecurity threats. Efforts have included the creation of the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC) to combat cyberattacks and following frameworks created by the government, such as the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which works with international and private sector computer emergency response teams to share information about control systems-related cyber incidents and mitigation tactics.

Oil and gas companies have also taken a proactive stance by establishing their own protocols and prevention procedures following several high-profile attacks, including the infamous 2012 Saudi Aramco attack, which unleashed a virus that affected 30,000 workstations. Intrusion methods have included use of malware, phishing emails, compromised credentials and infected USB sticks.

In 2015, the U.S. Securities and Exchange Commission accused two Ukrainians of leading a scheme that involved using advanced techniques to hack into newswire services between 2010 and 2014 to steal hundreds of corporate earnings announcements before the newswires released the information publicly.

In February, ICS-CERT issued an alert about a cyberattack in Ukraine that resulted in power outages. Although the agency said that the role of BlackEnergy malware was unknown in this incident, it indicated that the “malware was found in Ukrainian companies in a variety of critical infrastructure sectors.”

“Through interviews with impacted entities, the team learned that power outages were caused by remote cyber intrusions at three regional electric power distribution companies [Oblenergos] impacting approximately 225,000 customers,” ICS-CERT said in the alert. The cyberattacks reportedly happened within 30 minutes of each other and access was gained via VPN connections using legitimate credentials believed to have been acquired beforehand.

The threat of cyberattacks remains today, and concern persists among industry professionals, according to a study by Tripwire Inc., which provides threat, security and compliance solutions. Results of a study conducted by Dimensional Research on behalf of Tripwire showed that:

  • 65% of the respondents said their organization does not have the ability to accurately track all threats targeting their operational technology;
  • 78% believe their organizations are potential targets for a cyberattack; and
  • 82% believe a cyberattack on their organizations’ operational technologies could cause physical damage.

To defend against such an attack, BCG suggested taking a risk-based approach centered on:

  • Developing an understanding of the precise risks to the company’s assets and the resources necessary to mitigate them. “An effective detection and response scheme will aim at addressing the largest threats first;”
  • Building and sustaining a multilayered defense system. This requires identifying vendors with proven technology and methods to defend against attacks, along with the ability to pinpoint the source of an attack, respond appropriately, continually monitor infrastructure and prioritize threats; and
  • Consistently managing cybersecurity risks. This means staying up to date on risks and response techniques, according to the report.

In addition, efforts should include conducting frequent audits to identify and secure vulnerabilities, heightening employees’ ability to recognize changes to the normal flow of data, making sure that partners such as vendors and oilfield service companies follow the company’s cybersecurity guidelines and understanding the organization’s critical assets so they can be protected.

“Recognize and act on knowledge that, in many cases, people are a company’s weakest links. Most attackers target systems that have been made vulnerable through user apathy, inattentiveness and ignorance,” BCG said in the report, adding training and awareness are critical. “An organization may have the very best technologies and processes, but if its people are unable or unwilling to comply with established security measures, the effectiveness of its defenses is greatly diminished.”

Velda Addison can be reached at vaddison@hartenergy.com.