Cyber security vulnerabilities for the oil and gas industry

Lysne Committee study

Executive summary

Any activity in the oil and gas sector is subject to risks caused by threats and vulnerabilities. This increasingly also applies to risks due to digital vulnerabilities.  Unwanted incidents, both intentional and unintentional, can affect individuals, companies and society at large.

Norwegian intelligence authorities are warning of an increase in digital threats aimed at Norwegian industry. Events over the past few years show that the energy and petroleum sectors are among the most vulnerable. The methods are becoming increasingly innovative and the attackers more sophisticated.

1.1 Digital vulnerabilities in the oil and gas sector

Industrial automation, control and safety systems used in the oil and gas sector are to a large extent digitized and dependent on digital technology. Formerly, such systems were proprietary, while they are now to a large extent based on commercially available components, such as a PC with a Microsoft Windows operating system. That means that the known vulnerabilities of such commercial standard products will also be exposed in the sector.

The networks used between process equipment and control systems were previously isolated and proprietary, but are now based on Internet technology. Industrial automation and control systems used to be physically separate from traditional information systems and open networks. The need to transfer production data to information systems, and for remote maintenance, means that such separation is no longer practically possible. There is an increasing use of remote operation from an onshore location or neighbouring platform, and this may lead to the use of shared computer networks. This means that production equipment is exposed to network-related vulnerabilities.

Malicious codes are usually spread due to human error. An attachment in an email is opened, memory sticks are inserted, mobile phones are charged, laptops are connected to critical networks, etc. Mobile phones can also easily establish Internet connections. Users are tricked into revealing passwords, etc. Locating operations rooms onshore means that less attention may be paid and this increases the likelihood of both unintentional and intentional unwanted incidents. Human error is regarded as the greatest digital vulnerability in the sector.

The consequences of unwanted incidents based on digital vulnerabilities will primarily be of a financial nature. Production has to be shut down, and this means a loss of income for the industry. Society will see a decrease in direct and indirect taxes. Unwanted incidents will affect the companies' reputations and may affect Norway's reputation as a stable producer and transporter of energy. If saboteur and terrorist organisations manage to control vital production equipment, the consequences can be environmental destruction and the loss of human life.

1.2 Dependencies

In order to reduce the CO2 emitted due to power production on oil installations, new field developments are often based on a power supply from the shore (electrification). Most of these installations have to shut down production if there is a breakdown in the power supply from the shore. There has for a long time now been an increasing focus on digital vulnerabilities in electricity distribution systems. Such distribution systems are complex grid structures that are highly dependent on management and control systems.

Large distances and deep waters make it costly to establish a computer network for oil installations on the Norwegian continental shelf. Fibre-optic cables on the seabed are often used, and such cables are vulnerable to damage from building and fishing activities and erosion. It is challenging to establish redundant and completely independent network solutions. A lack of communication can mean the immediate shutdown of production on platforms that are operated from a shore-based location or neighbouring platforms. This is also critical for pipelines where, among other things, it must be possible to regulate and monitor the pressure and volume throughout the system.

1.3 Cooperation

The responsibility for preventive ICT security in the oil and gas sector is fragmented. There is no common contact point for the sector that the authorities can, for example, use to warn of net-based attacks. There are also few formal forums where the sector can exchange experiences.

The government decided in 2002 that the Norwegian Petroleum Directorate was to be divided so that safety supervision was assigned to a separate body. The Petroleum Safety Authority Norway, which today reports to the Ministry of Labour and Social Affairs, is the authority responsible for safety, emergency preparedness and the working environment in petroleum activities on the Norwegian continental shelf as well as in some onshore facilities. In 2013, the Petroleum Safety Authority Norway was also assigned responsibility for security, as stated in section 9-3 of the Petroleum Activities Act. The Petroleum Safety Authority Norway does not have an operational focus on digital vulnerabilities exploited for acts of terrorism, sabotage or hacking. This is the business of the Norwegian National Security Authority (NSM), the Norwegian Police Security Service (PST) and the Norwegian Armed Forces. These organisations do not directly interact with the oil and gas sector unless an individual company has established a separate agreement on this.

The Object Security Regulations are managed by the NSM and regulate "property that must be protected against activity that threatens security in order to protect the nation's or allies' security or other vital national security interests". None of the oil and gas installations are currently defined as an object worth protecting.

The electricity plants that supply the oil and gas installations are not covered by the regulations regulating protective security and emergency preparedness in energy supply (Emergency Regulations) that are administered by the Norwegian Water Resources and Energy Directorate (NVE).

1.4 Emergency preparedness

An unofficial, international survey among companies in the sector concluded that only 40% of the companies have established an emergency preparedness plan that covers digital vulnerabilities. The crises and emergency preparedness focus is on fires, explosions, blowouts, etc.

The Norwegian Ministry of Justice and Public Security has a particular responsibility for coordinating emergency preparedness work, and the Norwegian Directorate for Civil Protection (DSB) supports the Ministry in this role. The DSB has little focus on digital vulnerabilities.

1.5 Future problems and trends

At the time of writing this report, the oil price is below USD 60 per barrel and there is a great deal of uncertainty about future price developments. This means that the sector must reduce its costs to maintain profitability. The fact that these savings measures may affect the continuous improvement of security is a major challenge. The increased focus on cost/benefit assessments and new ways of working are important elements going forward.

Many installations on the Norwegian continental shelf are designed to have a lifetime of between 15 and 25 years, and a number of these have been allowed to operate for longer. This means that a lot of the equipment and software is outdated and not very well adapted to today's digital vulnerabilities.

The digitization of the sector is taking place continuously. "The Internet of Things" will lead to more units with digital vulnerabilities. The volume of data to be transported is growing and standard IT equipment will increasingly be integrated with the specialized control systems.

The risk of key critical functions, essential infrastructure, information that must be protected for security reasons and people being affected by espionage, sabotage, terrorist acts and other serious acts is increasing, writes the NSM in its annual report, Risiko (Risks) 2015/1/. At the same time, the NSM dealt with a larger number of serious hacking attacks than ever before in 2014.

1.6 Main risk-reducing measures

In order to reduce risk, barriers are implemented, partly to prevent an unwanted incident from occurring and partly to reduce the consequences of an unwanted incident that has occurred. There has been an increasing focus on barriers that prevent an unwanted incident, but the quality of these barriers has to little extent been tested and verified. It is not enough to simply base protection on a firewall. Other barriers, including the opening/closing of accesses, procedures and work processes, must also be established.

There is a greater need for barriers that reduce the consequences if an unwanted incident has occurred. There is not enough equipment and routines for detecting that a threatening party has ongoing activities aimed at an installation. In addition, there is a lack of practised routines to prevent negative consequences when there is a suspicion that an unwanted incident may occur.

The supervisory authorities should issue functional requirements stipulating that barriers to digital vulnerabilities must be established. Digital vulnerabilities must be included in relevant risk analysis.

Companies must create a culture for reducing digital vulnerabilities in the same way as there is a culture for preventing fires and explosions. Awareness-creating work must be prioritized both within the sector and in the general public. Schools must focus on behaviour when using digital media.

1.7 The top ten cyber security vulnerabilities

  1. Lack of cyber security awareness and training among employees
  2. Remote work during operations and maintenance
  3. Using standard IT products with known vulnerabilities in the production environment
  4. A limited cyber security culture among vendors, suppliers and contractors
  5. Insufficient separation of data networks
  6. The use of mobile devices and storage units including smartphones
  7. Data networks between on- and offshore facilities
  8. Insufficient physical security of data rooms, cabinets, etc.
  9. Vulnerable software
  10. Outdated and ageing control systems in facilities.

The full report (in Norwegian) can be downloaded here

Lysne Committee study (front cover of the report: Digitale sårbarheter olje & gass)