September 18, 2020

The Cybersecurity Manual for Refineries and Oil Companies

Cybersecurity is the protection of data, networks, and systems from cyber attacks through a combination of technologies, controls, and processes. An effective cybersecurity program significantly reduces the risk of such attacks, and preventing them spares organizations and their stakeholders from unauthorized exploitation of valuable networks and systems.

Chapter One: What Is Cybersecurity?

Robust cybersecurity means implementing controls built on 3 vital pillars: the organization’s people, processes and technologies. With this three-pronged approach, any organization can defend itself against everything from internal threats, such as human error or accidental breaches, all the way up to highly organized cyber attacks.

The 3 Pillars of Cybersecurity

1.      People

Every employee in the organization needs to know their role in preventing cyber attacks. The technically specialized cybersecurity staff, on the other hand, need to stay up to date with the latest qualifications and skills needed to respond effectively to cyber threats.

2.      Processes

Cybersecurity processes are crucial because they define how risks to the organization’s activities, documentation, and roles are mitigated. Cyber threats also tend to change quickly, which is why organizations need to keep adapting their processes continually.

3.      Technology

Once the cyber risks of your organization have been identified, cybersecurity will involve employing technologies that counter potential threats. All the dangerous impacts of cyber risks can be reduced or prevented with the help of these technologies. Of course, all of this will depend entirely on the risk assessment of the organization in question.

Why Is Cybersecurity Important?

Beyond the soaring costs that organizations face from data breaches, the EU General Data Protection Regulation (GDPR) is now also a regulatory force. Any company that doesn’t adhere to its requirements could face fines of up to €20 million or even a portion of its global turnover for particular kinds of infractions.
Another reason why cybersecurity is a necessity is that these attacks are becoming more sophisticated as time passes. Attackers use newer tactics to exploit their victims, such as ransomware, malware or even social engineering. Some of the most famous cases from the past year include the cyber attacks known as NotPetya, Petya and WannaCry.
With a strong cybersecurity program in place, a company can keep all kinds of cyber failures, errors, and malicious cyber attacks in check. To do so, organizations will have to implement certain elements of cybersecurity.

The Elements of Cybersecurity

1.      Application Security

Vulnerabilities in companies’ web applications are a common intrusion point for cybercriminals, because web applications play a critical role for businesses nowadays. By focusing their security efforts on web applications, organizations protect their assets, interests and valued customers.

2.      Information Security

Information is the heart of every organization and comes in all shapes and sizes – whether it is their business records, intellectual properties or even their personal data. That said, in terms of the best practices for ISMS (Information Security Management Systems), companies need to follow ISO 27001.

3.      Network Security

Network security means protecting the integrity and usability of organizational networks and data. It can usually be assessed with the help of network penetration tests. These tests have the sole purpose of assessing company networks for potential security issues or vulnerabilities, such as issues in network devices, hosts or servers.

4.      Business Continuity Planning

BCP is a cybersecurity measure put in place to prepare for any form of disruption in productivity. All companies have to do here is identify potential threats before they happen and analyze how those threats could affect daily operations.

Chapter Two: Assessing Oilfield Security Applications

All the activities of oil and gas organizations are subject to the risk caused by cyber threats and vulnerabilities. These include a plethora of unwanted incidents that can be both unintentional and intentional. In either case, however, they can dangerously affect the oil and gas sector, its employees and even the whole society at large.
The Norwegian Intelligence Authority had previously warned the Norwegian oil and gas sector about a hurricane of digital threats coming its way. This warning and many events of the past couple of years in the petroleum and energy sector have shown that the sector is quite vulnerable to cyber attacks that are increasingly innovative and sophisticated.

The Digital Vulnerabilities of the Oil and Gas Sector

Industrial safety, control, and automation systems are widely used in the oil and gas industry and are either completely digitized or depend largely on digital technologies. Earlier, these systems used to be proprietary, but now they tend to be built from common commercial components such as operating systems like Microsoft Windows. This, however, also means that these commercial products are quite vulnerable to cyber threats in the sector.
The networks used in these organizations to link control systems and process equipment also used to be proprietary and isolated. Now, however, these networks are completely based on internet technologies. As a result, industrial control and automation systems are no longer physically separate from open networks as they used to be, and all the production equipment used in oil and gas organizations is exposed to the vulnerabilities of the network.
So how does production equipment get affected by cyber threats in the first place? Malicious code usually spreads simply because of human error. Human error could be anything from opening a malicious email attachment to inserting an infected memory stick or establishing problematic internet connections. It could even be as simple as users being tricked into revealing valuable passwords!
All of the above human errors could then lead to unwanted incidents, intentional or unintentional, in oil and gas operation rooms. This is exactly why human error has been termed the greatest form of digital vulnerability in this sector. The consequences of these incidents will most likely take the form of financial losses due to production being disrupted or completely shut down.
Other than financial losses for the victim organization, these unwanted incidents will also cause decreases in indirect and direct taxes. On top of that, the victim company’s reputation will be significantly damaged. What’s more, if terrorist or saboteur groups manage to compromise production equipment, this could even result in the loss of human life or environmental destruction.

Dependencies

To reduce CO2 emissions caused by power production at oil installations, power is usually supplied from shore. If the shore power supply is interrupted, most oil and gas installations have to cease production. At the same time, there is increasing concern in the oil and gas sector that electrical distribution systems are digitally vulnerable, because these distribution systems are made up of complex grid-like structures that depend heavily on IT control and management systems.
For some oil and gas companies, like those in Norway, deep waters and large distances usually make it difficult for oil installations to establish computer networks for electrification. To counter this, fiber-optic links are employed, which usually have an independent set of network solutions and security against cyber attacks. If, however, communication is disrupted due to malware, offshore oil structures will experience an immediate shutdown. The very same problem can be seen in the case of cross-country pipelines, which need to be monitored and regulated in terms of oil and gas pressures and volumes.

Chapter Three: Protecting Oilfield IT Infrastructure

Now that the boundary between Information Technology (IT) and Operational Technology (OT) is quite blurred, Industrial Control Systems tend to be a huge risk for the global oil and gas sector. Companies in this sector continually increase their efficiency with the help of automation, which is why they are simultaneously increasing their defenses against cyber attacks.
The specific areas where the oil and gas industry can lose its competitive advantage include the loss of bidding and exploration information, the target of cyber threats intended for intellectual property theft. One wake-up call was experienced by the oil and gas sector in 2012, when the ‘Shamoon’ attack occurred on Aramco in Saudi Arabia. Due to the destructive nature of this attack, something close to 30,000 Windows-based machines were completely overwritten. If this doesn’t seem like much, these machines were responsible for 10 percent of the oil supply all over the world!

What Can the Oil and Gas Industry Do?

The popular opinion is that cloud adoption and technological advancements can completely eliminate cyber risk. That opinion is neither wrong nor right. These technologies can only shift the responsibilities and roles within organizations that are intended to mitigate cyber risks. These changes, especially in the case of larger oil and gas corporations, could even open further opportunities for cyber attackers to gain access to vital assets.
This is exactly why it is safe to say that a set of standard cybersecurity rules for the oil and gas sector seems to be nonexistent. Organizations, however, can start by fulfilling a basic set of requirements that restrict malicious access and breaches. These include:

  1. Isolating (or forming an ‘air gap’ in) OT and IT systems – especially those that are connected to the web.
  2. Employing the latest and most advanced cybersecurity technologies to keep in pace with the innovation of cyber threats.
  3. Ensuring higher levels of security over data backups in terms of how often they are accessed and where they have been located.
  4. Employing and enforcing a kind of ‘least privilege’ culture in the oil and gas organizations. This means that very few employees have access to vital networks and data.
  5. Limiting all the avenues that lead to the most important forms of data such as exploratory, production or sales data.
  6. Enacting focused and specialized forms of security monitoring programs that protect the most critical network systems and segments.
  7. Vigorously testing your network protection and reactive measures.
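
One way to check the isolation, least-privilege and monitoring requirements above against recorded network flows, as an added example that is not part of the original article. The zone address ranges, the allow-list and the flow records are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Assumed zone layout (constructed for this example, not from the article).
ZONES = {
    "ot": ipaddress.ip_network("10.10.0.0/16"),   # control systems and process equipment
    "dmz": ipaddress.ip_network("10.20.0.0/24"),  # historian sitting between IT and OT
    "it": ipaddress.ip_network("10.30.0.0/16"),   # corporate IT
}

# Least-privilege allow-list of cross-zone flows: (src_zone, dst_zone, dst_port).
ALLOWED = {
    ("ot", "dmz", 443),  # OT pushes production data to the historian
    ("it", "dmz", 443),  # IT reads production data from the historian
}

# Constructed flow records: source IP, destination IP, destination port.
SAMPLE_FLOWS = """\
10.10.4.7,10.20.0.5,443
10.30.8.21,10.20.0.5,443
10.30.8.21,10.10.4.7,502
10.10.4.7,203.0.113.9,443
10.10.4.7,10.10.4.8,502
10.20.0.5,10.10.4.7,3389
"""

def zone_of(ip):
    """Map an address to its zone name, or 'external' if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def audit(flow_text):
    """Return (severity, src_zone, dst_zone, port, src, dst) for each policy violation."""
    findings = []
    for row in csv.reader(io.StringIO(flow_text)):
        if not row:
            continue
        src, dst, port = row[0], row[1], int(row[2])
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz and sz != "external":
            continue  # traffic that stays inside one zone is out of scope here
        if (sz, dz, port) in ALLOWED:
            continue  # explicitly permitted cross-zone flow
        # OT talking directly to IT or the internet bypasses the isolation layer.
        peers = {sz, dz} - {"ot"}
        direct = "ot" in (sz, dz) and peers <= {"it", "external"}
        findings.append(("critical" if direct else "review", sz, dz, port, src, dst))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```
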

Chapter Four: Monitoring Oilfield Facility Threats

The oil and gas industry is braced for an increase in cyber attacks in 2019. This is solely due to the rising trend of exploitation of digital technologies, cost-minded concepts for operations, and increased dependence on cyber infrastructures.
Cyber attacks in the oil and gas industry are also known to be increasing in complexity, which means they are much more difficult to detect and defend against. This is exactly why cybersecurity and monitoring systems need to have remedies ready for 10 of the most notable cybersecurity threats. These threats include:

1.     Lack of Training and Awareness

Rig-related tasks that are known to be a huge risk for on-site employees have now been completely replaced by drone-based technologies. There is still a multitude of tasks in these areas that require hands-on attention – which is why employees need awareness and training.
If these employees lack the right kind of training, they will be more likely to make errors that leave the operating systems more vulnerable to cyber attacks. One example is how employees use their mobile devices to communicate and monitor equipment. If these mobile devices get compromised, then the production facility is affected by proxy.

2.     Remote Work

Thanks to mobile and drone-based technologies, working remotely is now more real than ever before. Even though employees are now safely at a distance from harmful locations, their remote work networks are making things easier for potential cyber attacks. In order to monitor and counter this threat to the oilfield facility, the oil and gas sector should implement strict network usage protocols for remote mobile devices.

3.     Using IT Products That Have Known Weaknesses

As a measure of cutting costs, some companies in this industry tend to opt for products that are known to have weaknesses in terms of cybersecurity. These IT products allow cybercriminals to find weak links in companies’ supply chains. This is why oil and gas vendors need to be quite selective about their choice of IT products – even if this means increasing costs.

4.     Cybersecurity Cultures Are Limited

Even in the most technological environments, cybersecurity is still classified as a niche function. This is why employing a culture for cybersecurity in oil and gas corporations can mean reducing the risk of employees unintentionally misusing systems. As a result, the avenues that pose as threats are significantly decreased.
Instilling a culture for cybersecurity can be as easy as hosting a seminar which focuses on the importance of cybersecurity in oil and gas companies. These seminars can also particularly highlight how cyber attacks can be damaging for production, revenues and even employees’ jobs.

5.     Separation of Data Networks Is Insufficient

Insufficient levels of separation in data networks are another reason why more and more avenues for cyber attacks are introduced to cybercriminals. Again, a lack of separation amongst data networks tends to be less costly for oil and gas companies, but it also provides a boatload of access to valuable information for potential hackers. This is why the sector should definitely consider the necessity for investment into the separation of data networks. Without a doubt, they will realize that the expense is worth every penny in the long term.

6.     Insufficient Physical Security for Data Rooms

It may be clear by now that if a hacker gains access to the data room of an oil and gas organization, they can wreak havoc. Hackers have also been found to be looking for any political or financial gain, and it doesn’t matter whether the data is related to the oil and gas sector or comes from other industries. This is why oil and gas organizations should plan to implement strict physical security in their data rooms.
This can be done by issuing security key cards to a group of employees or even assigning security to these areas of oilfields. It is important to mention here that physical security and cybersecurity go hand-in-hand when it comes to securing oil and gas data rooms.

7.     Software Weaknesses

When companies are looking for software that is meant to aid their cybersecurity measures, they should be cautious of low bids. The latest and most up-to-date software is usually quite costly, but its stauncher security and additional features can save these companies from millions of dollars’ worth of losses posed by cybersecurity threats. In simple terms, software that makes oil and gas operations systems vulnerable to cybersecurity threats is not going to be of value in the long term.

Chapter Five: Responding to a Cyberattack

The response to cyber attacks needs to be multilayered, repelling common forms of attack while taking a nuanced approach to emerging threats. In order to protect critical forms of data and information, these organizations must not simply address OT and IT security issues, but should also deal with the complex environments of the Internet of Things. While doing so, they should also integrate their security functions with innovative process disruptors like artificial intelligence, blockchain, and robotic process automation.
It has never been as important as now to ensure the most effective security efforts in every little facet of oil and gas operations. In the oil and gas sector, these efforts are coming to be known as ‘cyber fusion’.

How to Implement Cyber Fusion

1.      Basic Defense

Defense against common forms of attacks would involve some point solutions which are key elements of all types of cybersecurity resilience. This includes tools like antivirus software, intruder/malware detection and protection software (IPS and IDS), encryption technologies, consistent forms of patch management and many more standard technologies.
Another crucial form of frontline defense is employee awareness, password discipline, and cybersecurity cultures and consciousness. As was said before, this can be done with the help of phishing and relentless malware campaigns.

2.      Advanced Defense

Defense against advanced forms of attacks will only be achieved if oil and gas corporations know how to detect intrusions quickly. In order to do this, these organizations should place Security Operations Centers (SOCs) at the heart of their cybersecurity functions.
With these as the starting point for their cyber attack capabilities, oil and gas companies will have a structured and centralized hub to coordinate all their cybersecurity activities. In the world of cybersecurity, SOCs are moving beyond passive practices and taking the shape of deliberately targeted and continuously executed campaigns: campaigns that have the ability to simultaneously target and remove all kinds of hidden attackers in order to defeat every threat scenario.

3.      Defense Against Emerging Attacks

In order to do this, oil and gas corporations should first accept that some cybersecurity threats will most definitely be unknown. Once this has been done, these corporations will have to design their practices in such a manner that they will be able to react swiftly whenever the threat scenario calls for it.
Every organization that has great governance under its cyber fusion operations will have the ability to implement ‘security-by-design’. This means that such organizations will have employed systems and processes that have the ability to respond to every unknown and unexpected risk, no matter how emerging and innovative it is.
Oil and gas organizations know for a fact that it is only going to be a matter of time before they face their first cybersecurity breach, one in which their defenses have been successfully penetrated.
That said, having effective cybersecurity response plans in place has the power to minimize the impact on victim organizations. These plans can be put in place with the help of our guidelines and should be tested on a regular basis. They should also be led by a team that has the relevant knowledge and experience to manage strategic operational responses.
This is why preventative cybersecurity efforts will work to keep pace with all types of threats well before they occur. If cybersecurity trends are right, then 2019 is going to put the oil and gas sector’s cybersecurity to the test. This is why now is a better time than ever to gear up!
