Top Ten Cyber Risks for Oil and Gas

DNV GL has released a study that reveals the top ten most pressing cyber security vulnerabilities for companies operating offshore Norway that is relevant globally. 

Norwegian intelligence authorities are warning of an increase in digital threats aimed at Norwegian industry. Events over the past few years show that the energy and petroleum sectors are among the most vulnerable. The methods are becoming increasingly innovative and the attackers more sophisticated.

An international DNV GL survey of 1,100 business professionals found that, although companies are actively managing their information security, just over half (58 percent) have adopted an ad hoc management strategy, with only 27 percent setting concrete goals. 

“Headline cyber security incidents are rare, but a lot of lesser attacks go undetected or unreported as many organizations do not know that someone has broken into their systems. The first line of attack is often the office environment of an oil and gas company, working through to the production network and process control and safety systems,” says Petter Myrvang, head of the Security and Information Risk Section, DNV GL - Oil & Gas. 

The top ten cyber security vulnerabilities:

Lack of cyber security awareness and training among employees
Remote work during operations and maintenance
Using standard IT products with known vulnerabilities in the production environment
A limited cyber security culture among vendors, suppliers and contractors
Insufficient separation of data networks
The use of mobile devices and storage units including smartphones
Data networks between on- and offshore facilities
Insufficient physical security of data rooms, cabinets, etc.
Vulnerable software
Outdated and ageing control systems in facilities.

DNV GL believes cyber security vulnerabilities can be addressed through a risk-based approach, using the bow-tie model familiar in safety barrier management. This allows companies to identify the threats to and vulnerabilities of assets and operations and plan barriers to prevent incidents and mitigate the consequences of cyber risks. This includes procedures to maintain the barrier quality documented in performance standards. 

Digital vulnerabilities 

Industrial automation, control and safety systems used in the oil and gas sector are to a large extent digitized and dependent on digital technology. Formerly, such systems were proprietary, while they are now to a large extent based on commercially available components, such as a PC with a Microsoft Windows operating system. That means that the known vulnerabilities of such commercial standard products will also be exposed in the sector.

The networks used between process equipment and control systems were previously isolated and proprietary, but are now based on Internet technology. Industrial automation and control systems used to be physically separate from traditional information systems and open networks. The need to transfer production data to information systems, and for remote maintenance, means that such separation is no longer practically possible. There is an increasing use of remote operation from an onshore location or neighboring platform, and this may lead to the use of shared computer networks. This means that production equipment is exposed to network-related vulnerabilities.

Malicious codes are usually spread due to human error. An attachment in an email is opened, memory sticks are inserted, mobile phones are charged, laptops are connected to critical networks, etc. Mobile phones can also easily establish Internet connections. Users are tricked into revealing passwords, etc. Locating operations rooms onshore means that less attention may be paid and this increases the likelihood of both unintentional and intentional unwanted incidents. Human error is regarded as the greatest digital vulnerability in the sector.

The consequences of unwanted incidents based on digital vulnerabilities will primarily be of a financial nature. Production has to be shut down, and this means a loss of income for the industry. Society will see a decrease in direct and indirect taxes. Unwanted incidents will affect the companies' reputations and may affect Norway's reputation as a stable producer and transporter of energy. If saboteur and terrorist organizations manage to control vital production equipment, the consequences can be environmental destruction and the loss of human life.

Dependencies

In order to reduce the CO2 emitted due to power production on oil installations, new field developments are often based on a power supply from the shore (electrification). Most of these installations have to shut down production if there is a breakdown in the power supply from the shore. There has for a long time now been an increasing focus on digital vulnerabilities in electricity distribution systems. Such distribution systems are complex grid structures that are highly dependent on management and control systems.

Large distances and deep waters make it costly to establish a computer network for oil installations on the Norwegian continental shelf. Fibre-optic cables on the seabed are often used, and such cables are vulnerable to damage from building and fishing activities and erosion. It is challenging to establish redundant and completely independent network solutions. A lack of communication can mean the immediate shutdown of production on platforms that are operated from a shore-based location or neighboring platforms. This is also critical for pipelines where, among other things, it must be possible to regulate and monitor the pressure and volume throughout the system.

Emergency preparedness

An unofficial, international survey among companies in the sector concluded that only 40 percent of the companies have established an emergency preparedness plan that covers digital vulnerabilities. The crises and emergency preparedness focus is on fires, explosions, blowouts, etc.

The Norwegian Ministry of Justice and Public Security has a particular responsibility for coordinating emergency preparedness work, and the Norwegian Directorate for Civil Protection (DSB) supports the Ministry in this role. The DSB has little focus on digital vulnerabilities.

Future problems and trends

Many installations on the Norwegian continental shelf are designed to have a lifetime of between 15 and 25 years, and a number of these have been allowed to operate for longer. This means that a lot of the equipment and software is outdated and not very well adapted to today's digital vulnerabilities.

The digitization of the sector is taking place continuously. "The Internet of Things" will lead to more units with digital vulnerabilities. The volume of data to be transported is growing and standard IT equipment will increasingly be integrated with the specialized control systems.