By Amira S. Badawey
Information systems and technologies play an important role in the oil and gas industry. Firms perpetuate information technology (IT) into their global operations in order to promote tighter controls, unleash productivity, and boost efficiency.
With the ever temperamental barrel prices, international oil and gas companies (IOCs) are motivated to roll out hi-tech solutions at upstream sites, as well as throughout their entire value chain. Despite recent attempts to revive global oil prices with initiatives such as the Organization of Petroleum Exporting Countries (OPEC’s) efforts to cut their collective production, IOCs remain adamant on transforming operations and creating additional profits from existing capacity through digital technologies.
However, recent cyber-attacks on the UK’s National Health Services, which held patient data hostage for ransom payments, and Russia’s alleged role in hacking the US elections have sparked global concerns on the vulnerability of IT networks. The involvement of hacktivists and foreign governments in similar incidences highlights the scope of IT security threats, as it spans beyond organizational and industrial borders into the geopolitical realms.
Accordingly, state entities are held responsible for securing infrastructures, national resources, and domestic economies, both physically and in cyberspace. Fossil fuels remain a prevalent source of energy used to power the prosperity of nations, especially so in Egypt and the Middle East. The dichotomy between productivity enhancements via IT and the cost of securing the industry’s IT networks, or more notably the cost of neglecting to secure digital exposure, raises the question of whether IT in oil and gas is a flywheel or an Achilles heel.
The Role of IT in Oil and Gas
The oil and gas industry was among the first businesses to embrace technology. During the 1980s and 1990s, way before terms such as Big Data and the Internet of Things (IoT) become common in everyday vocabulary, IOCs relied on 3-D seismic, linear program modeling of refineries, and advanced process control for operations. The use of such technologies unleashed new hydrocarbon resources and delivered operational efficiencies across the value chain.
In August 2016, McKinsey & Company (McKinsey) stated that “the effective use of digital technologies in the oil and gas sector could reduce capital expenditures by up to 20%; it could cut operating costs in upstream by 3-5% and by about half that in downstream.” Moreover, the use of advanced analytics for predictive maintenance decreased maintenance costs up to 13%. In addition, the use of this technology led to preemptive equipment maintenance, where mission critical machinery was repaired before it broke down and, therefore, companies were able to avoid production halts.
This comes as IT uniquely leverages operations within the oil and gas industry as they expand beyond multiple regions. The use of heavy capital investments and extended global supply chains position the industry to take advantage of visibility and clarity delivered by digital technologies and advanced analytics. According to McKinsey, this provides IOCs “granular views into operations, increase agility, and support better strategic decision making. Digital enablers, from process digitization to robotics and automation, can also help realize this potential by supporting processes in dynamic ways.”
Furthermore, the fifth Upstream Oil and Gas Digital Trends Survey, which is commissioned by Accenture and Microsoft, showed that IOCs are sustaining their investments in digital technologies. The survey further stipulates that 80% of companies plan to continue investing the same or more in digital technologies over the next 3-5 years, with the largest resources targeting robotics, wearables and artificial intelligence. The survey concluded that “oil and gas companies are focusing their digital investments on areas where they see tangible business value. This includes lowering the cost of operations through increased worker productivity with mobility, lower infrastructure costs through the use of cloud and better asset management through analytics.”
As such, IT plays a vital role in better controlling operations at upstream sites. Companies can realize more control and better efficiencies at offshore site that represent hazardous safety risks for staff and crew. Deploying technologies and linking multiple location to a centralized onshore site to monitor operations can prevent the need for physical on-site inspections.
PWC’s Strategy& shows that adopting latest technologies was a clear trend in the oil and gas industry in 2016. The global team of strategists stated that the oil major, BP “is already adopting drone technology to inspect pipelines at its remote Prudhoe Bay field in Alaska.”
Moreover, IOCs rely on IT structures and advanced new technology to innovate, minimize costs, and help contribute to achieving a lower-emissions environment, with companies such as ConocoPhillips, Eni, and Neste back-fitting existing equipment for refining and producing renewable energy. These companies invest in refining processes to replace diesel with fuel from soybean, palm, and canola oils as well as fats and animal tallow in airplanes and commercial transportation.
Resilience in Oil and Gas IT Networks
As technology and digital solution further extend to various aspects of industries, economies, and our lives in general, the more appareling these networks become to hackers. Exploiting technology’s vulnerability has surpassed the scope of mere information security, which is concerned with preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.
Hackers attack IT networks in deliberate acts of sabotage, with the aim of disrupting services and causing massive losses. In May 2016, NPR reported that “more than 200,000 computers in some 150 countries have been hit by a cyber-attack using ransomware called WannaCry or WannaCrypt, which locked the data and demanded payment in bitcoin.” This story marked the heightened use of ransom ware, which is a maleficent computer program that hijacks IT networks and vital data with the aim of holding services and information hostage for ransom payments.
Although such attacks have so far targeted civilian data through healthcare providers or commercial websites, the oil and gas industry was not spared. In 2012, a virus called Shamoon obliterated files from 30,000 corporate computers at Saudi Aramco, one of the world’s largest oil exporter. A subsequent attack targeted Qatari natural gas company RasGas. Compounding the issue that the oil and gas sector is an attractive target for hackers is the fact that industrial control systems across the sector are woefully unprepared to protect themselves against attackers.
The 2017 WannaCry attacks highlighted a severe weakness in some oil IT networks, as the maleware exploited security gaps in an outdated version of Windows operating system. The Houston Chronicle informed that that very same operating system was still used at many US refineries, offshore platforms and other energy stations. This exposed these facilities to similar attacks. The publication added, “The stunning attack revealed the fragility of the technology that keeps the economy running, and security professionals warned US oil companies could be among the potential targets of sweeping online assaults that attempt to disrupt global order.”
The attack further revealed additional vulnerabilities IT networks in the oil and gas industry. Cyber security experts explained that oil and gas would be an easy target for hackers because oil companies often delay patching their computer controls at refineries and offshore upstream sites, as these lagged updates do not disrupt production.
Moreover, the oil industry does nott have specific cybersecurity regulations, and oil companies are not required to disclose their cyber-attacks, whether failed or successful ones, to authorities. Therefore, the public does not have clear visibility of the resilience of IT networks and digital systems at oil and gas facilities. Yet, the WannaCry incidents have motivated US oil company boards to demand that IT managers prove refineries and drilling rigs are protected against cyber-attacks.
Israeli cybersecurity firm Indegy’s CEO, Barak Perelman, stated, “Increased awareness of industrial cyber threats seem to have spurred new corporate-level maneuvers to secure computer controls that run energy facilities.” Pereleman clarified that specific tactics are required to combat cyber-attacks in the oil industry beyond those used with Windows and Apple systems, as oil and gas facility rely on a diverse array of technologies from companies such as Siemens, Honeywell and Emerson.
However, the severity of cyber-attacks in the oil and gas industry go beyond production disruption. If hackers accessed drilling sites’ safety control, they could cause catastrophic events that impact countries’ national security.
IOCs and Governments – Hand in Hand
At the time of the WannaCry attack, Microsoft’s President, Brad Smith, wrote in a follow-up blog that “the governments of the world should treat this attack as a wake-up call. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.” He added, “We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks.”
Moreover, former US Defense Secretary, Chuck Hagel, commented on the Aramco and RasGas attacks, calling them a “a serious wake-up call to everyone.” He added that “the United States will continue to help build the capacity of partners and allies to defend their critical infrastructure from cyber-attack, especially major energy, infrastructure, and telecommunications facilities.” Yet, the irony of the WannaCry malicious hack is that the malware was built on a cyber weapon stolen from the US National Security Agency.
This highlights the importance of IOCs and governments collaborating to secure oil and gas sites and reserves on both the physical and logical levels. This is not a new sentiment. Global Cyber Alliance’s Head, Philip Reitinger, has been calling for proactive prevention measures through a commitment to proper government funding, similar to other national security threats, the development of new legislations to govern IT controls across industries, regulation of attacks reports, and promoting incentive programs to enforce good behavior by companies.
However, the global oil and gas community, lead by oil majors, will have to mobilize their efforts to pioneer IT security prevention and correction within the industry, lobbying for cross-border collaboration between governments. Accordingly, the US Department of Energy (DOE) held a summit in 2015 to discuss the vulnerability of industrial control systems across the energy sector.
Additionally, the DOE tasked the Industrial Control Systems Cyber Emergency Response Team with the responsibility of coordinating control systems-related security incidents and information sharing with Federal, State, and local agencies and organizations, the intelligence community, and private sector constituents.
Although hacking in high profile businesses like financial, healthcare and retail sectors make news headlines regularly, the less reported breaches in the oil and gas industry can have dire consequences, more dangerous than the theft of personal data.
In the era of industrial IoT and increasingly complex cyber-threats, attacks on public infrastructures, particularly in the energy sector, are becoming frequent. The risks go beyond operability, financial losses and credibility. Cyber-attacks on industrial systems can cross the line into threatening human lives.
Moreover, those working with industrial control systems in the oil and gas industry are aware of the pressure to increase productivity and reduce costs through network integration. The demand for remote support has made many pipeline control systems accessible via Internet-based technologies. These new technologies are enabling companies to implement agile, cost-effective business practices.
Nevertheless, these efficiencies come with a price: pipeline control systems are now exposed to cyber-security threats they were never designed for. This increased connectivity of ICS presents a huge vulnerability, and there is an increasing body of information available to adversaries about what to look for in terms of vulnerabilities in the oil and gas sector. Still, securing vital systems from multiple attack vectors is a serious challenge that requires joint efforts from international organizations, the private sector, the civil society and, especially, governments. It also presents a set of unique difficulties.