Information risk manager
Pål Børre Kristoffersen
Cyber attacks are growing in scale and complexity, becoming more difficult to detect and defend against, and costing companies increasing sums of money to recover from.
The energy and utilities industry, including oil and gas, suffers average annualized losses from cyber crime of USD13.2 million per sampled organization, according to a 2014 survey for Hewlett-Packard. This figure, 24% higher than the 2013 findings, represents the highest for all industries included in the IT company’s research. One incident by unknown hackers in 2014 affected around 300 energy companies in Norway, the country’s biggest such attack.
Upstream oil and gas responds“Consensus exists that cyber attacks are growing more significant and serious,” said Paul Reither, vice chair of the Security Committee of the International Association of Oil & Gas Producers (IOGP), the voice of the global upstream industry. “Furthermore, attacks against computer systems can produce a physical outcome that cannot be ignored.”
IOGP defines three key threats: theft of core intellectual property; disruption or destruction of a physical plant and other points of capital investment; and compromise of executives’ communications about key business decisions. “Within this context, cyber is now part of a holistic approach to security for the industry,” Reither commented.
Direct threats can, he explained, be either heterogeneous or advanced persistent threats; a combination of malware and hacker tools; or attacks from organized crime, rogue states and/or terrorist groups.
“Tactics can include ‘social enginering’, psychological online manipulation to trigger damaging actions or obtain confidential information,” he added. “Cyber is not a threat in itself, but an increasingly effective means to carry out threats.”
Principles developed in international standards such as ISO, IEC or NIST should be sufficient to tackle overall IT security risks and protect against homogenous IT/cyber threats not specific to the upstream industry, Reither suggested. “However, IOGP will support efforts to improve standards coordination and learning,” he added. “Member companies should develop mitigation based on risk assessment, and adopt international standards in line with the level of threat.”
IOGP sees a “very low” probability of a massive cyber attack disabling production, refining or distribution infrastructure. “It is very difficult to attack complete infrastructure by the means through which Shamoon malware hit Saudi Aramco in 2012,” Reither commented. “That compromised many homogenous computer systems designed to run a fairly broad set of applications. Luckily, it did not cross over to computers involved in the production of oil and gas."
It is, however, suspected that hackers injected malicious software into the control network of the Baku-Tbilisi-Ceyhan pipeline, Turkey, in 2008, causing a huge explosion.
Connectivity raises riskHeadline incidents are rare, but many lesser attacks go undetected or unreported. “Many organizations do not know that someone has broken into their systems,” said Pål Børre Kristoffersen, principal consultant, DNV GL - Oil & Gas. “The first line of attack is often an office, business or enterprise IT environment, which could help hackers to access more critical production networks, process control and safety systems.”
While office IT is segregated from industrial systems, separation mechanisms between a company’s internal networks are often weaker than against external networks, he explained.
Hackers may also use social engineering attempts on office domains to harvest passwords and other ways to access production networks.
Increased exposure of critical systems to external networks is a key reason for heightened digital vulnerability, according to DNV GL’s analysis of Norway’s maritime and oil and gas sectors (figure 1).
This reflects trends towards remote operation and maintenance, and management systems that transport large volumes of process data to the office domain. Due to limited fibre capacity and redundancy, networks are shared, introducing vulnerabilities. Supplying offshore power from onshore facilities introduces risk as electricity grids are digitally vulnerable.
DNV GL found that few Norwegian maritime and offshore oil and gas organizations use systematic approaches to preventing, detecting and protecting against cyber security challenges, whether sophisticated attacks or accidental breaches.
“Operators perhaps tend to think that cyber security is for technical devices and that firewall protection, virus security and passwords suffice; but eliminating cyber risks requires a defence-in-depth strategy beyond basic measures,” Kristoffersen said.
“Countermeasures can be established using a barrier management approach familiar from managing health, safety and environmental risks. Cyber security requires the same vigour as barrier management of HSE risks.”
Information risk manager
Pål Børre Kristoffersen