According to a 2017 survey by the Ponemon Institute, cyber attacks are on the rise. Successful breaches per company each year have risen more than 27%, from an average of 102 to 130. The energy and utilities industry, including oil and gas, suffered average annualized losses from cyber crime of $17.2 million per sampled organization, just behind the financial services sector at $18.2 million.
In June 2017, the NotPetya computer virus affected many companies around the world, including the Russian oil and gas giant, Rosneft. In the same year, another report stated that almost three-quarters of US oil and gas companies had a cyber incident, yet only a handful cited cyber risk as a major concern in their annual reports.
As the global oil and gas industry grasps the benefits that digitalization, automation, machine learning, and artificial intelligence can bring to production and profitability, its relatively immature cyber systems are making it an attractive soft target for hackers.
The traditional focus of cybersecurity has been on IT, such as the office IT infrastructure. Now, there is an increasing trend for networks on production sites to be connected to wider corporate networks, to allow remote monitoring and control. This increases vulnerability. Managing operational technology, such as control and automation systems, requires both oil and gas operational domain competence and proficiency in general information security.
The level of threat depends on the level of communications. Cybersecurity can be simplest when data is moving in just one direction, for instance, from the production system into the corporate network. However, when a remote or centralized control room is used, the need for protection becomes more pertinent and problematic, as control rooms must be able to alter critical offshore systems. The complexity and challenge of fail-safe security deepen if vendors are able to access and perhaps control equipment on the plant via corporate systems.
As each rig operation involves a significant number of suppliers and contractors, all deploying safety-critical systems, it is vital that the industry introduces controls and security barriers to eliminate any weaknesses.
Without the understanding and knowledge of how to implement and integrate such systems securely, unnecessary risk and expense can be added to a project. Breaches can lead to lost production; raised health, safety, and environmental risk; costly damages claims; breach of insurance conditions; negative reputational impacts; and loss of licence to operate. Therefore, cybersecurity needs to be a consideration throughout the lifecycle of any project, especially across digital transition activity.
A Guest Editorial