With the expansion of intelligent networked devices in the oil and gas industry, and the increasing rate of connectedness, energy companies have become a target for cyber attackers.
As the frequency, sophistication and the impact of cyberthreats increase around the globe, a policy action that is strongly coordinated and comprehensive is of utmost importance to mitigate the destructive impact of cyberattacks.
However, due to a limited understanding and appreciation of cyber issues, cyber maturity has remained low in oil and gas companies, since many board members still feel that the oil and gas business is about barrels, not bytes.
Amid the increase in oil prices, many oil and gas companies started to increase their investment in technology to cut overall costs. The Industrial Internet of Things (IIoT), in particular, has been a strong measure for harnessing the power of big data, cutting major costs and replacing manpower.
The number of connected devices, equipment and electrical appliances has grown further in the industry, with the weaknesses inherent in this equipment paving the way for various cyberattacks.
The value and information generated through Internet of Things technology have brought many advantages as well as risks. Interconnectedness and ever-increasing digitalization in the oil and gas industry have opened up the sector to an unknown territory of cyberthreats in which attackers can easily operate in real time.
While over 60 percent of oil and gas companies have profited from investing in digital transformation, the budget set aside for cybersecurity has remained well under the average level compared to other sectors. Almost two thirds of U.S. oil and gas companies reported at least one cyber incident in 2016. Despite the apparent threat, only a handful of companies around the world have openly described cybersecurity as their priority.
The main problem with cyber intrusion is related to the fact that cyber attackers are rarely pinpointed. Many attacks remain undetected and almost more than a third of reported attacks on critical infrastructure are untraceable. The fact that the motivation of cyber attackers is usually obscure has further complicated the mitigation efforts.
A major incident could easily endanger people's lives and the environment, and cost up to millions of dollars. Hackers could pose various threats during the oil production phase by taking charge of internal controllers to change speed commands, vary motor speed, and change thermal capacity.
While the industry progresses slowly in terms of cybersecurity, hackers are swiftly getting more sophisticated, using spyware to target data, malware to infect control systems, and coordinated attacks to block the flow of information. More than 50 oil and gas companies in Europe were the targets of a massive phishing campaign in 2014.
Oil and gas companies involved mainly in upstream activity mostly shrug off cybersecurity. Exploration, production and development, the three major stages of upstream activity in the oil and gas value chain, have their own distinct levels of cyber vulnerability. Of the three stages, exploration is the most secure against cyberattacks due to low connectivity in seismic imaging and geological surveys.
At the production phase, however, cybersecurity becomes a more significant concern due to the involvement of diverse business objectives. The involvement of suppliers, drillers, service firms, engineering firms, and various other services all adds to cyber vulnerability. Across the entire risk category in the upstream value chain, the production phase has the highest opportunity cost, one that needs to be well planned for and invested in appropriately.
In development, on the other hand, cyber risk is much lower by comparison. However, it should be noted that during real-time connections at this phase, which crosses disciplines, a hacker's intrusion into GPS coordinates or confidential field design data might lead to fatal mistakes and end up wasting millions of dollars.
In a fast-evolving environment, automation, digitalization, and the Internet of Things technology create new value for companies like never before in history.
These technological developments also bring major risks with them, creating an open target for cyberattacks. However, automation and connectedness should not be blamed for this. While innovative technologies offer safer, more efficient and less costly options, it is worth clarifying that it is ignorance which creates the most significant cyberthreats.
Only by acknowledging cybersecurity as part of an essential investment rather than a cost item can we achieve the needed maturity in cybersecurity.