Oil and gas companies have been the target of cyberattacks for years. As the industry continues to interconnect its technology, however, attacks will likely rise in frequency, sophistication, and impact, according to a recent report, entitled "Protecting the Connected Barrels-Cybersecurity for Upstream Oil & Gas," from Deloitte Center for Energy Solutions.
According to the report, industry will have to meet this rise in the risk and severity of attacks with an increase in cyber maturity. Why is the oil and gas industry, particularly upstream, so lacking in its preparedness? "Perhaps because the industry-engaged in exploration, development, and production of crude oil and natural gas-may simply feel like an unlikely target for cyberattacks," say report authors Anshu Mittal, Andrew Slaughter, and Paul Zonneveld. In addition, "the oil and gas industry's remote operations and complex data structure provide a natural defense."
Or, put another way, the upstream business suffers from a false sense of security, the report implies. When in fact, as an industry, energy was found to be the second most-prone to cyberattacks in 2016, the report states, with nearly 75% of all US oil and gas companies experiencing at least one "cyber-incident."
The report found that the average energy company's annualized cost of cybercrime is $15 million but a "major" incident could easily incur costs running into hundreds of millions of dollars and-more importantly-risk people's lives and the nearby environment.
Strategies and risk
The type of cyberattack defense strategy enlisted by any oil and gas company should differ depending on the area of the business on which it focuses, the report says. Different areas of the oil and gas industry carry different levels of risk.
"Among the upstream operations, development drilling and production have the highest cyber- risk profiles," the report says. Seismic imaging, meanwhile, has a relatively lower risk profile, but "the growing business need to digitize, [electronically] store, and feed seismic data into other disciplines could raise its risk profile in the future."
As an example, the report states, "A large oil and gas company uses a half-million processors just for reservoir simulation; generates, transmits, and stores petabytes of sensitive and competitive field data; and operates and shares thousands of drilling and production control systems spread across geographies, fields, vendors, service providers, and partners."
Ultimately, the report says, "A holistic risk-management program that is secure, vigilant, and resilient could not only mitigate cyber-risks for the most vulnerable operations but also enable all three of an upstream company's operational imperatives: safety of people, reliability of operations, and creation of new value."
Levels of vulnerability
The report found that the various stages involved in the upstream business "have a distinct cyber-vulnerability and severity profile."
Ranking highest on this list of vulnerability is production and abandonment. With roughly 42% of offshore facilities worldwide having been in operation for more than 15 years, fewer than half of oil and gas firms use monitoring tools on their networks, the report notes. And of those companies with such tools, "only 14% have fully operational security monitoring centers."
Particularly exposed to cyber-incidents are oil and gas development wells, the report notes. "The development drilling operation involves similar techniques to those used in exploratory and appraisal drilling but has a much bigger cyberattack vector due to higher drilling activity, expansive infrastructure and services both above and below the surface, and a complex ecosystem of engineering firms, equipment and material suppliers, drillers and service firms, partners, and consultants."
Lowest on the list of cyber-vulnerability and with a low risk profile is exploration because "the first two operations-seismic imaging and geological and geophysical surveys-have a closed data acquisition system and a fairly simple ecosystem of vendors," the report states.
The report concludes, "The current period of low oil prices has provided upstream companies...with the much-needed breathing space to focus on internal processes and systems. The industry has made a great beginning by focusing on efficiency; now it needs to close by safeguarding operations from cyberattacks."