The term “digital transformation” has become part of everyday life. From cashless transactions to touchless automation, industries are transforming rapidly.
The oil and gas industry, which has played a pivotal role in the economic transformation of the world by fueling the mobility, light, and heat needs of the world’s population, is going through digital transformation as well. The main drivers of this transformation are:
- The drop in oil prices over the last few years has made the industry look inwards to improve operational efficiency.
- Falling sensor prices, together with technological improvements in analytical tools and internet connectivity.
Attackers previously ignored this business segment because the Industrial Control Systems (ICS) and Operational Technology (OT) networks were separated from the enterprise network and the internet. In the past, it was a “business of Barrels and not Bytes”.
Digital Footprints of Oil & Gas Industries
The oil and gas industry mainly comprises three segments: Upstream, Midstream, and Downstream. Growing digitization and interconnectedness in these segments have greatly increased the number of cyber-attack vectors. Any compromise or security breach of these systems can cost millions of dollars per day in lost production.
Vulnerable Areas and Impact
Vulnerability in these segments is a function of the attack surface, which includes the number of vendors, users, and interfaces, or the number and type of industrial control systems and operations; the mode and flow of data (physical or digital, and unidirectional, bidirectional, or multidirectional); and the existing state of security and the controls in place.
If the vulnerabilities in these areas are exposed and used by attackers, they can cause:
- Plant shutdown
- Equipment damage
- Utilities interruption
- Production cycle shutdown
- Inappropriate product quality
- Undetected spills
- Safety measure violations resulting in injuries and even death
Severity, on the other hand, includes both direct and indirect costs in the form of health, environment, and safety incidents, business disruption, legal and regulatory issues, reputational damage, and intellectual property theft.
Apart from the above-mentioned infrastructure, a complex ecosystem of computation, networking, and physical operational processes spread around the world makes this industry highly vulnerable to cyber-attacks.
Research has proved that the air gap between Industrial Control Systems (ICS), OT and the enterprise network can be compromised. Read more on how an air-gapped network can be hacked using a smartphone.
In 2016, energy was the industry second most prone to cyber-attacks, with nearly three-quarters of US O&G companies experiencing at least one cyber incident.
Enterprise applications such as Enterprise Resource Planning (ERP) and Business Intelligence (BI) are connected to multiple plant devices to collect data from IoT devices and send it to the enterprise for further analysis. Unsecured connections between IT and OT environments can lead to vulnerabilities.
Remote plant equipment is at risk of data manipulation, including manipulation of temperature and pressure measurements. A hacker could implant false data into these sensors. The best example is the attack on a Turkish oil pipeline back in 2008. The central element of the attack was gaining access to the operational controls to increase the pressure without setting off alarms. Because of the line’s design, the hackers could manipulate the pressure by breaking into small industrial computers at a few valve stations without having to hack the main control room.
Stuxnet is a computer worm targeting industrial programmable logic controllers (PLCs) and SCADA systems. Although it was not specifically designed to attack the petroleum industry, several oil and gas companies were infected with the virus.
Reducing the Impact
The first and most important step is getting buy-in from the C-suite to include cyber security as an element of business risk and impact analysis. Define the cyber security program with a governance architecture that includes a C-suite position (CISO). Perform regular security testing, including vulnerability assessments, penetration testing, and security controls effectiveness analysis. Include the results as part of the annual cyber security risk assessment.
Implement cyber security awareness programs that cover all areas of the business, including Industrial Control Systems (ICS), OT and enterprise infrastructure.
Keep all operating systems and applications up to date by patching or updating software, including on the systems in ICS and OT.
The foundation of the cyber security program should be:
- Resilient – Have a backup and archival mechanism that stores data in encrypted form.
- Secure – All important data should be encrypted at all levels (in transit, at rest, in process), or protected with format-preserving encryption or tokenization, which can maintain performance and needs minimal or no changes in the applications.
- Vigilant – Keep monitoring your network and applications for anomalies.
You cannot stop attackers, but by identifying security incidents at an early stage and executing a well-defined incident management process, you can reduce the disruption to the business.
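
The "Vigilant" point applied to the pressure-manipulation scenario described earlier, as an added example that is not part of the original article: an independent monitor recomputes the alarm condition from raw valve-station readings instead of trusting the station's own alarm flag, and also flags implausible jumps and frozen values. Station names, thresholds and telemetry are constructed assumptions.

```python
from collections import defaultdict

# Constructed telemetry (not real data): poll time, valve station, pressure (bar), alarm flag.
RECORDS = [
    (0, "VS1", 62.0, False), (0, "VS2", 60.5, False), (0, "VS3", 59.1, False),
    (1, "VS1", 62.1, False), (1, "VS2", 60.5, False), (1, "VS3", 59.0, False),
    (2, "VS1", 62.3, False), (2, "VS2", 60.5, False), (2, "VS3", 66.4, False),
    (3, "VS1", 62.2, False), (3, "VS2", 60.5, False), (3, "VS3", 81.9, False),
]
HIGH_LIMIT_BAR = 75.0   # assumed alarm set point
MAX_STEP_BAR = 5.0      # assumed largest plausible change between polls
FROZEN_POLLS = 4        # assumed count of identical readings treated as suspicious

def by_station(records):
    """Group (time, pressure, alarm) tuples per station in time order."""
    series = defaultdict(list)
    for ts, station, pressure, alarm in sorted(records):
        series[station].append((ts, pressure, alarm))
    return series

def suppressed_alarms(records, limit=HIGH_LIMIT_BAR):
    """Readings above the limit for which the station reported no alarm."""
    return [(s, ts) for ts, s, p, alarm in records if p > limit and not alarm]

def rapid_changes(records, max_step=MAX_STEP_BAR):
    """Poll-to-poll jumps larger than the assumed plausible step."""
    hits = []
    for station, points in by_station(records).items():
        for (_, prev, _), (ts, cur, _) in zip(points, points[1:]):
            if abs(cur - prev) > max_step:
                hits.append((station, ts))
    return sorted(hits)

def frozen_stations(records, run=FROZEN_POLLS):
    """Stations whose last `run` readings are identical (stuck or replayed values)."""
    frozen = []
    for station, points in by_station(records).items():
        tail = [p for _, p, _ in points[-run:]]
        if len(tail) == run and len(set(tail)) == 1:
            frozen.append(station)
    return sorted(frozen)

if __name__ == "__main__":
    print("suppressed alarms:", suppressed_alarms(RECORDS))
    print("rapid changes:", rapid_changes(RECORDS))
    print("frozen stations:", frozen_stations(RECORDS))
```

Running the checks outside the station that produces the readings matters here: a compromised station can mute its own alarm flag, but it cannot mute a limit check performed by a separate collector.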