Back in 2013, the New York-based ABI Research consultancy said that cyber-attacks against oil and gas infrastructure will drive $1.87 billion in cybersecurity spending by 2018. Here we are today. Just imagine the amount of money that the industry spent during this five-years period on IT networks, industrial control systems and data security; counter measures; policies and procedures. Indeed, cyber-crime proved that it can cost offshore oil and gas companies millions both in business and damaged equipment. The moral of the story? Despite the money spent, Cyber-attacks do still occur! Daily!
Following Mirai, WannaCry and NotPetya attacks that caused substantial damages across many sectors in the past, safeguarding the ONG sector has been proved of foremost importance. Specifically, a cyber-attack in the ONG may lead to plant shutdown, equipment damage, undetected spills or safety measures violation that may result in injuries and even death. After several high-profile attacks, including the 2012 Saudi Aramco attack which unleashed a virus that affected 30,000 workstations, ONG companies have established their own protocols and prevention procedures. Nonetheless, according to EY Oil and Gas Global Information Security Survey 2017-18 (GISS), 60% of ONG organizations have experienced a recent significant cybersecurity incident, up from 41% last year.
Are these figures the after-effects of automation and integration? Undoubtedly, we are moving towards a data dominated world. Benefits of new smart grid technologies in the offshore ONG industry are numerous, so are their security implications; such technology could create another avenue for cyberattacks. Hackers offense systems using malicious code to alter code, logic or data to facilitate information and identity theft, system infiltration, intellectual property theft and unauthorized access. Most of the ONG companies are in the initial stages of their digital transformation. Understanding the threats recent technologies bring is critical for building resilience of sector operations. Attacks show that security threats are becoming more elaborate; oil is a lifeblood even for hackers!
It goes without saying that some of the most dangerous forms of cyber-attacks are those that target critical infrastructure; ONG facilities, or nuclear plants are two of them. With oil and gas accounting for over 50% of the world’s energy consumption, in case of success, an attack would be catastrophic not only for the environment, but also severely compromise governments and national security as well.
Among the major top cyber security vulnerabilities, we see:
- Lack of cyber security awareness and training
- Working remotely during maintenance operations
- Modest cyber security culture
- Vulnerable software and outdated systems
Responding to these challenges, DNV GL has established a Joint Industry Project (JIP) together with Shell, Statoil, Lundin, Siemens, Honeywell, ABB, Emerson and Kongsberg Maritime, while the Norwegian Petroleum Safety Authority will also take part as an observer. The JIP will produce a guideline for protecting oil and gas installations against cyber-security threats.
As ONG sector is constantly changing and digitization across the sector is expected to accelerate in the next decade, the concept of a resilient approach is the key. Did you know that careless members of staff are the most likely source of an attack? Companies should understand their risk and then deploy resources to mitigate it.
