Today's cyber attack brings back memories of cyber security for the oil and gas sector too. Back in August 2014 more than 50 businesses in the oil industry experienced a hacking attack. According to the Norwegian National Security Authority (NSM), it was the biggest hacking attack against the Norwegian oil and energy sector of all time.
The only certainty is that the sector will be subject to new and tougher attacks.
The oil industry is going digital
In the oil and energy sector IT solutions are linked by computer networks and are an integrated part of the production systems. Everyone knows you shouldn't click on attachments in spam e-mails, but is your business safe in a digital future?
Higher likelihood of cyber attacks
Traditional security analyses describe the likelihood of errors that can lead to undesired incidents. These analyses form the basis when barriers are designed to reduce the likelihood of errors occurring, and to reduce the consequences if errors nevertheless should occur. “When the barriers are based on software and IT operated systems with both sensors and actuators linked in a network, the likelihood that these security barriers are subjected to cyber attacks increases,” explains Boye Tranum, Senior Expert Security Services with DNV GL Oil & Gas. This means that several barriers may be compromised and neutralised at the same time.
Cyber attacks can lead to loss of human life “Several of the barriers may then not work as expected,” Tranum says. In the oil and gas sector errors can have serious consequences, both for human life, the environment and assets.
Here is where the oil and energy is most vulnerableDNV GL has long experience in analysing what can go wrong with regard to cyber attacks. The company has identified the following areas where industrial systems in the oil and gas sector are most vulnerable:
- Lack of training and knowledge about cyber threats among employees
- External login for operation and maintenance
- Use of standard products with known vulnerabilities
- Inadequate system updates and virus protection
- Use of mobile data storage devices
- Inadequate separation of computer networks
- Increasing use of networks between offshore and onshore installations
- Inadequate physical protection of data rooms and cabinets.
- Ensure that relevant security barriers against cyber vulnerabilities are in place
- Provide training and information to employees on cyber threats
- Reduce cyber vulnerability related to the use of and contact with smaller companies and subcontractors, who often represent a significant risk due to less expertise and capacity in cyber security.
It's annoying to have to update software, but...
It's also important to have maintenance procedures that ensure that software-based systems are up to date (such as patching, backup and antivirus protection), and for technical enhancement of network architecture (better segregation and network maintenance). It's not all about technology “But it's usually not only the technical solutions that need to be improved. There is a strong link between technology, work processes and the people in an organization. All of these factors are important in order to reduce cyber vulnerabilities,” Boye says.