As Oil and Gas Data Multiply, so do the Cybersecurity Threats
The downside of the proliferation of data-fueled digital technologies in the oil and gas industry is the accompanying deluge of new cybersecurity threats.
Internet of Things (IoT) devices are becoming commonplace as sensors and edge processing pervade the oil field. Data lakes now hold petabytes upon petabytes of reservoir and operational data in the cloud. Digital systems are being integrated across different wellsites, different business units, and different companies, including legacy systems that were not designed with security in mind. And with these changes come more opportunities for threat actors to gain access to critical information and equipment.
The industry is increasingly becoming a target of attacks because “data is becoming more valuable, perhaps the most valuable commodity in the world right now,” and oil and gas companies are oozing with data, said Ben Dickinson, global cybersecurity lead for ABB’s oil, gas, and chemicals unit, at the recent SPE Offshore Europe conference in Aberdeen. Underscoring the industry’s appeal to attackers is its economic and geopolitical significance. Threats range from attempts at financial gain by groups or individuals to espionage or sabotage among nation-states.
Dickinson spoke as part of a cybersecurity panel discussion during the September conference that included Saudi Aramco, BP, and Schlumberger, three industry giants at the leading edge of operational advancements and technology development. Keeping these complex, at times unwieldy, organizations secure is a monumental task that requires hypervigilance from an army of cybersecurity experts. But even that is not enough.
“I have bad news for you: Everybody will be hacked,” said Raed Shaikh, Aramco division head, information security. “If you’re not hacked already, you will be hacked.” There’s no such thing as 100% secure, he warned, especially for companies such as Aramco, BP, and Schlumberger.
Breadth of the Challenge
Recent attacks on the oil and gas industry include a campaign in which cyberespionage group APT34, or OilRig, posed as a researcher at Cambridge University to send invites on LinkedIn, spreading malware on customer systems in the UK. Threat group Xenotime’s Triton/Trisis cyberattack first targeted a Saudi petrochemical facility, shutting down industrial safety systems, and then expanded to electric utilities in the US and Asia-Pacific region. Cybercriminals have also used ransomware to target European oil and gas firms via phishing emails.
The defense strategy for oil and gas companies begins with solid threat intelligence and knowledge of their own systems. More than 60 potential offenses to Aramco’s upstream datacenter, EXPEC Computer Center (ECC), are analyzed each day with the purpose of ensuring business continuity. ECC is where the company performs its upstream high-performance computing, including reservoir simulations and seismic processing.
BP has more than 150 industrial sites around the world, and its security operation center “evaluates about 4 billion events a day—so data is king,” said Emilie Hudson, BP project manager.
But operators “can only secure what we know about,” Hudson said, as there is almost always integrated connected equipment at BP’s sites that needs to be accounted for and protected. “There is always a wireless endpoint that was unknown. There is always an IoT device that was a proof of concept 2 years ago that has become part of the wallpaper,” she said.
Companies must keep a robust inventory of their equipment that is updated religiously. That means, she said, “not just knowing what is there, but knowing the state it is in” along with other key information.
They must also ensure their vendors are including security in the design and deployment of equipment. “Without a very integrated and coordinated effort by the oil and gas operators as well as with our industrial vendor partners, we together don’t really stand a chance,” she said. “We cannot protect ourselves in isolation.”
ABB has requirements for products, services, and relationships with third parties using industry best practices to ensure “cybersecurity is baked into the whole process” in the earliest phases of the software development lifecycle, Dickinson said. Aramco extends cybersecurity checks to its vendors and partners, using a consolidated platform to share threat intelligence or incident information.
Schlumberger’s Security Basics
Schlumberger has consolidated groups that previously worked in silos through its cybersecurity operations centers in Houston and Kuala Lumpur. Those facilities bring together IT infrastructure, cloud services, industrial control systems, industrial IoT, and business applications as well as physical security such as door access systems and closed-circuit television cameras.
The world’s largest oilfield services company has focused on simplifying and automating its security processes, making them repeatable. This includes leveraging tools and processes to minimize the amount of time it takes to react to an incident. “In the past, the average level one analyst would take around 45 minutes before they could actually act on an alert,” said Mario Chiock, Schlumberger fellow for IT security. Now, “with a lot of automation,” it takes 5 minutes.