As more oil & gas operations become digitised, cybersecurity has become a natural cause for concern. Digitalisation has the potential to automate operations, increase efficiency and cut costs, but it exposes oil & gas companies to cyber-risk.
In a press release, Schneider Electric, which won our Oilfield Services Company of the Year 2018 award, outlined key cybersecurity threats and steps to counter them.
The first threat is employee exposure to outside emails. Over 400 businesses are exposed to email “spear-phishing” schemes every day, draining three billion dollars from businesses over the last three years, according to a study by Symantec.
But oil & gas facilities, which are increasingly considered critical national infrastructure, are also subject to attacks on infrastructure by organized groups. Cyberattacks can be used as weapons to weaken nation states and other global institutions.
Another threat is the widespread use of mobile phones; since most employees have phones, laptops or tablets which may be connected to their work environment or may have sensitive information, outsiders who are able to get into these devices could enter the company's online ecosystem with relative ease.
But there are steps that oil & gas companies can take to minimize the risk of business continuity disruption due to cyberattacks, .
Step 1: Build firewalls
Build firewalls to keep outsiders from entering the corporate network and gaining access to control systems. This will work in environments where entry points into the system are somewhat limited. However, in an IIoT world, cybersecurity will need to be built into every control system hardware and software component, protecting every node that has computing capability.
Step 2: Strengthen cybersecurity infrastructure
Take a gradual approach to strengthening cybersecurity infrastructure. Responsible control systems manufacturers are now designing cybersecurity into every module they build and deliver so that clients don’t have to concern themselves with building in cybersecurity after they purchase a new product.
Some manufacturers apply a Secure Development Life Cycle (SDL) approach to their product development. Within the context of SDL, secure architecture reviews are performed, threat modeling of the conceptual security design takes place, secure coding rules are followed, specialized tools are utilized to analyze code, and security testing of the product is performed. These actions help to ‘harden’ products, making them more resilient against cyber-attacks. In this way, as new products replace old, entire systems evolve to become more cyber secure.
Step 3: Educate employees
Develop a cybersecurity-aware culture within oil & gas organizations to help employees understand and appreciate the key risks, so that operations can be run in a secure manner (including basic password management or changeover management).
Such an environment should audit and enforce cybersecurity best practices on a consistent and effective basis, utilizing available supervision and detection tools, so that exposure to risk can be minimized. In such a cybersecurity-aware process culture, the priorities of the IT and industrial control departments need to be aligned. Both employees and vendors coming in need to be aware of the security policies or risk being denied access to sensitive equipment and operations software.