Enables security measures in land-based and offshore oil and gas

Control systems in the oil and gas industry are highly vulnerable to cyber attack. But the extent of the problem - and its potential consequences - are not sufficiently recognised.

"Cyber attacks, of course, do occur. Daily - and in their tens of thousands. Most are not aimed at the energy sector. But some are, and can be highly sophisticated," said Houston-based Dr. Richard Parliman, who is the Lead Technical Specialist in this area at Lloyd's Register Energy.

"Cyber warriors are hackers with an agenda and are a major risk," says Dr Parliman. "They attack facilities for fun, for the challenge, for information, or for a cause. They can be led by turmoil groups, mischievous individuals, or disgruntled ex-employees."

ABI Research senior cyber security analyst, Michela Menting, was recently reported in www.oilandgasiq.com as saying most of the energy sector is not adequately prepared - at least where industrial control systems (ICS) are concerned: "A serious lack of drive exists in tackling the problem of ICS vulnerabilities in any comprehensive or thorough way. The industry perception that cyber risks are low because few and limited attacks have occurred on ICS is not just misguided, but highly dangerous."

Last year there were around 700 offshore oil and gas rigs in operation, but onshore there were many more. In addition, the United States alone has over 150 refineries, 200,000 miles of oil pipelines and 2 million gas pipelines. The industry is built on a highly decentralised infrastructural network, and older technology that was not designed with hacking or malicious coding in mind.

"It is different to terrorism, but the overall results are the same: financial loss, equipment loss, and possible loss of life," said Dr. Parliman.

Today's rigs use increasing levels of automation - a complex of sub-systems that are all interconnected: operational, hydraulic, mechanical, electrical. Shore-based system monitoring, inventory control, and information / business systems. But, because of this integration, a problem in one system can have a cascading failure effect on the entire operation and result in non-productive time - something no-one wants.

"Software has probably more functional complexity than any mechanical systems on a rig, yet is the least understood, and least inspected asset. OEMs do not always have total control of software source code, and so software and integrated systems represent one of the largest unguarded threats to the safety and reliability of operations."

"One brand new rig, straight from the ship-yard, took 19 days to clear of its viruses - at an operational cost of $3m a day." Such risks are rarely talked about - because they don't look good. Yet downtime for an offshore rig is costly.

The type of inspections that the specialist cyber experts' from Lloyd's Register Energy's Houston carry out include examinations in three main areas of threat including logical, physical and operational.

"We can quickly identify operations which are most at risk of being victimized and work with the client to develop protective security measures tailored to the individual, the operation or the organization," said Dr. Parliman.

A primary goal of Parliman's team is to provide added value to a cost-conscious industry facing some tough economic challenges. Lloyd's Register Energy claims that the specialist expertise from its cyber specialists' based out of Houston will help to protect America's oil and gas industry from potential cyber threats and attacks. It also covers land-based infrastructure.

This latest initiative comes at a time when investment in cyber protection is forecast to increase. According to the New York-based consultancy ABI Research, cybersecurity spending on oil and gas critical infrastructure will reach $1.87 billion a year by 2018.

Source: Lloyd's Register Energy