Managing cyber risk in the oil and gas sector
Author : Graham Bennett is Vice President – Oil & Gas at DNV GL
08 February 2018
Digitalisation has already brought far-reaching benefits to the oil and gas industry. This increased connectivity has signalled many benefits in measurable innovations and efficiencies. The potential downside is exposure to cyber risks. Dealing with cyber security challenges has become a key focus area for the oil and gas sector and there is greater awareness of the requirements that need to be in place.
Increasingly, the industry is seeing critical network segments in production sites, which used to be kept isolated, now connected to broader computer networks, making the operational technology more vulnerable.
Managing cyber risks
The frequency of attacks on oil and gas operational technology is almost certainly underestimated. Companies are reluctant to publicise them for fear that exposing vulnerability may invite further attacks. International survey findings show that senior oil and gas industry leaders agree about the need for greater focus on this aspect of cyber security. Therefore, a collective effort to mitigate risk is vital.
A survey conducted by the US-headquartered Ponemon Institute found almost 68 percent of oil and gas companies in the US were hit by at least one cyber incident in 2016. Additionally, they surveyed oil and gas professionals responsible for securing or monitoring cyber risks in the operational technology environment and found that 59 percent believed there is greater cyber risk there than in enterprise information technology. Additionally, 39 percent said they planned to spend more on digitalisation in 2017 compared to the previous year while 49 percent believe that their company should try and embrace new digital technologies.
Globalised projects and rapid digitalisation
The complexity and global nature of oil and gas field development projects, and rapidly increasing digitalisation across the supply chain, is increasing cyber risk by providing many different points at which cyber criminals could take advantage.
Facilities and topsides may be designed in London, and subsea equipment designed in Paris, for example. The shipyard building the hull may be in South Korea, and the fabrication yard in China or Singapore. A typical project involves multiple contractors and hundreds of information interfaces, requiring a high level of diligence to understand where risks might arise.
The industry encourages the sharing of information on digitalisation processes, software and control systems, and 3D virtual models. These, and other trends, create risks that may not yet be fully understood or appreciated. Determining who is responsible and accountable for such risks is not yet clear in all cases. Should it be the operator, the engineering, procurement and construction contractor, or the software vendor? Awareness of risks should certainly be a shared burden.
DNV GL guidelines
DNV GL recognises the need for industry-wide guidance and has launched the globally-applicable Recommended Practice (RP) DNVGL-RP-G108 Cyber security in the oil and gas industry, based on IEC 62443 to address how oil and gas operators, working with system integrators and vendors, can manage the emerging cyber threat. It outlines a tailored approach for the industry on how to build security, with the emphasis on operational technology.
As the title suggests, the new RP is based on the International Electrotechnical Commission’s standard IEC 62443 covering security for industrial automation and control systems. The guideline also embraces international practice and experience. It considers health, safety and environmental requirements as well as the IEC 61511 standard for specification, design, installation, operation and maintenance of a safety instrumented system.
The threat from cyber-attacks is constantly changing, with hackers continually looking for different ways to infiltrate systems and as such, the industry’s response must be equally as adaptive. To account for this, it is intended that the RP will remain dynamic to ensure that companies are always protected.
Protection from cyber attacks
One way oil and gas companies are guarding against cyber-attacks is by using cloud-based digital twins. A digital twin is a virtual model of an asset, maintained throughout the asset lifecycle and accessible from multiple locations at any time. The concept integrates data from many different software products and will enhance information management and collaboration, where the experts and operators can work together, preventing costly mistakes and rework. It is a central part of the digital asset ecosystem and will enable a new generation of advanced predictive analytics, allowing real-time optimisation and asset-centric engineering applications.
For both offshore and onshore assets, a digital twin is a risk management solution which combines diverse data sources such as sensor networks, databases, expert information, inspection data, and assessment methods in one unified platform. It can provide an entirely quantifiable and verifiable way to incorporate the effects of operating changes, mitigating actions and monitoring activities.
The digital twin allows engineers to test how various systems on an asset would perform in the event of a malicious cyber incident. Safety systems could be at the greatest risk of a potential attack with the consequences potentially proving catastrophic. Safety systems are used sporadically, so viruses can lay dormant and undetected until the system is activated in a real emergency. Having an undetected breach in a security system could potentially put people’s lives in danger, as countermeasures are compromised.
Utilising the digital twin software means processes can be replicated and run in a digital, simulated environment to the complete specifications and coding of the physical asset. This means that any weaknesses brought on by a cyber-attack will be highlighted in a safe environment, before there is a real emergency.
However, it is not just the assets that are at risk from cyber threats – companies can come under attack through their general IT systems. One of the most common methods used to infiltrate IT systems is spam mail, with hackers able to conceal pieces of code in images embedded within an email. These phishing emails are designed to appear as though they have been sent from a colleague to maximise the likelihood the attack will be successful. This means that companies and individuals must be extremely vigilant, installing multiple barriers to ensure that confidential data cannot be stolen and that it remains secure.
To do this, DNV GL recommends that companies change the way they receive and transmit data. Cloud-based solutions, which use blockchain, or similar security software packages, prove to be much more effective than traditional methods. By staying a step ahead of the hackers, companies can ensure that no private information is lost.
It is important to determine the risk associated with the data or system and how best to guard against this threat without having a negative impact on the efficiency of the organisation’s business systems.
Changing the mindset
Currently, the oil and gas industry is active in sharing information relating to health and safety best practice or accidents on offshore installations, but this approach is not implemented for malicious cyber incidents, meaning there is no readily available information which the industry can use to learn, adapt and improve its security measures and systems.
Furthermore, many cyber-attacks are not immediately reported by oil and gas companies as they are seen as embarrassing and there is a fear that it may have a negative impact on their reputation in the eyes of their stakeholders.
The growing use of IT systems has now led to a level of trust where employees will refuse to question any suspicious data they find. This means that by the time the threat is identified, there is potentially no time to undertake any form of effective countermeasure.
Industry collaboration pays off
There have previously been several different guidelines relating to cyber security, resulting in uncertainty amongst contractors and the supply chain. The recent work on DNVGL-RP-G108 has allowed companies to work together to cut through the noise and provide direction.
The RP is the result of a joint industry project (JIP) conducted over two years with partners ABB, Emerson, Honeywell, Kongsberg Maritime, Lundin, Shell Norway, Siemens, Statoil, and Woodside Energy. The Norwegian Petroleum Safety Authority has observed the work and exchanged experiences with the JIP group from a regulatory perspective.
Until now, there has been a lack of guidance for the oil and gas industry on how to implement these requirements. The new RP, developed in collaboration with key players, puts operational technology in the spotlight alongside IT, so the industry can protect its operations. It is not only for new installations. Existing and older installations may not be prepared for the new connected reality – and need to be updated with respect to the new risk picture.
Industry players need confidence that countermeasures can deal with more frequent and sophisticated cyber-attacks, which are becoming increasingly costly and harder for companies to recover from. The RP goes someway to providing the assurances required.
Benefits delivered for the future
Feedback from industry participants in the JIP revealed that they benefitted from the collaborative approach.
“The process leading to this Recommended Practice has enabled our team to leverage industry best practices, share learnings, and grow capability,” said Woodside Energy’s Julie Fallon, Senior Vice President Engineering. “Aligning our operational technology cyber security approach to IEC 62443 enables us to learn from and contribute to industry knowledge and capability. The RP provides practical guidance on applying the standard to oil and gas.”
In a joint statement, vendors involved in the JIP commented: “Our customers in the oil and gas industry are to a large extent facing the same types of cyber threats found in information technology systems. Being able to standardise what we deliver to our customers is important in reducing cyber risks and reducing cost. Above all, it will increase the safety, availability and reliability of the operational technology systems.
“The organisations operating the systems can also manage cyber risks by following and implementing the identification, protection, detection, response and recovery steps defined in the standards to withstand cyberattacks. In the process of defining this RP, we have collaborated with both our competitors and our customers on guidance to the IEC 62443 series of standards.”
A full copy of the RP can be downloaded at: https://www.dnvgl.com/oilgas/download/dnvgl-rp-g108-cyber-security-in-the-oil-and-gas-industry-based-on-IEC-62443.html
The original article can be found on the HazardEx website: http://www.hazardexonthenet.net/article/141198/Digitalising-the-oil-and-gas-sector.aspx
Contact Details and Archive...