The oil and gas industry is coming to terms with a cyber threat landscape that has expanded beyond data breaches and the theft of intellectual property. The latest battlefront is in the field where critical drilling and production assets are at risk of being disrupted or destroyed, thanks to their highly vulnerable control systems.
The industry has experienced only a few cases of these so-called cyber-to-physical attacks but the US Department of Homeland Security predicts that by 2018 cyber attacks against oil and gas infrastructure around the world will cost almost USD 1.9 billion. One of the most dire warnings comes from the multinational risk adviser and insurance firm Willis Group, which in 2014 reported that “a major energy catastrophe, on the same scale as Piper Alpha, Phillips Pasadena, Exxon Valdez, or Deepwater Horizon, could indeed be caused by a cyber attack.” The company noted in its report that insurance providers generally will not cover such events. The concern over control systems has come to the forefront because of the widespread use of digital oilfield technology that began about 2 decades ago. Driven by significant gains in efficiency and production, companies eagerly moved to tether nearly every facet of operational networks to the Internet, either directly or through corporate networks. On the plus side, the industry gained invaluable real-time data, various operations became automated, and engineers working in office buildings could remotely control offshore operations.
But the computer hardware that makes all of this possible was never designed to be connected to the Internet. Known collectively as Industrial Control Systems (ICS), they were built to run in isolation and thus have no security measures that guard against run-of-the-mill malware, let alone a targeted cyber attack launched by a sophisticated hacker.
“Security was not important for anyone; what was important was to have those systems operational,” said Ayman Al Issa, chief technologist and senior adviser of industrial cyber security at Booz Allen Hamilton. He added, “Based on our experience, it is easy to attack those systems—it is easy to attack thousands of them.”
Al Issa explained that the control systems are used not only in the oil and gas industry but in nearly every industry and utility sector around the world. Recent attacks on control systems in Europe prove that the digital oil field is at risk. The long list of assets using these exposed control systems includes drilling rigs, subsea wellheads, flowmeters, production facilities, pipelines, and artificial lift installations.
The industry is working on multiple fronts to address vulnerabilities, but cybersecurity experts working in the industry say it will be years before adequate safeguards are in place. Until then, oil and gas companies must face the reality that the hacker community has the advantage.