As concern about climate change grows, it’s not always easy to think about what the oil and gas industry has given the world. There’s a legitimate sense of urgency about the negative impact that hydrocarbon-based fuels have had and are continuing to have on the environment and on the atmosphere. Even so, an honest accounting reveals that the modern world would be considerably poorer without them.
We burn natural gas to heat our homes and fire the power plants that provide us with electricity. We process crude oil to make the fuels that power our automobiles, buses, trains, airplanes, and ships, and it also serves as raw materials for the lubricants that keep engines and machinery of all types running smoothly. We use both as feedstock for petrochemicals and other substances that have changed the way we live – plastics, artificial fabrics, fertilizers, detergents, and many more.
And for the moment, we remain dependent on them. Renewable energy technologies have not yet reached the point of being able to replace fossil fuels. As a result, oil and gas companies still have to look for, produce, transport, process, and sell their resources, and the service companies that support them still have to perform tasks such as drilling wells, collecting seismic data and supplying equipment.
Moreover, the companies involved in these activities are looking to turn a profit. And inevitably, if they’re looking to turn a profit, they’ll look for ways to cut expenses and increase efficiency while also meeting regulatory requirements.
Improvements in efficiency and profits come with a cost
Technology can help with that – and has already done so, several times over. Mechanization, automation, and computerization have all made drilling and other core activities easier, faster, safer, and less labor-intensive, and the new digital technologies of the 21st century promise to do the same. Industrial Internet of Things (IIoT) devices are already helping companies to develop and maintain a clear and comprehensive understanding of their operating environments. They will also collect and generate large amounts of data that can be analyzed with artificial intelligence (AI) solutions and other tools so that companies can learn more from past experiences, extract as much as possible from subsurface reservoirs, prevent accidents, and reduce downtime.
But these innovations also make oil and gas operators and their service providers more vulnerable. Wired IIoT devices aren’t just sources of useful data. They’re also potential points of entry for cybercriminals intent on disrupting operations or breaching corporate confidentiality – and they’re connected to other vulnerable systems, including the operational technology (OT) and information technology (IT) networks used to support these companies.
Vital industries can’t afford to ignore their vulnerabilities
These vulnerabilities shouldn’t be ignored, as cybersecurity breaches in the upstream, midstream, and downstream parts of this sector have the potential to wreak havoc. On a macro level, it’s worth noting that the Cybersecurity & Infrastructure Security Agency (CISA) has included the oil and gas industry on its list of 16 types of critical infrastructure “whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
But there are also dangers on a micro level. A cyberattack on a small upstream company that only operates three wells at a marginal field in the Permian basin may not have the same impact as a cyberattack on a pipeline operator that supplies large volumes of gas to power plants and municipal utilities in multiple states, but it can have an immediate, concrete impact on that company. It can have physical consequences, such as disrupting production – and if it happens often enough or on a large enough scale, it can be financially ruinous as well.
So what’s the best way for oil and gas operators to address these risks?
Acknowledging the sector’s unique risks is part of the solution
A place to start might be acknowledging some of the particular vulnerabilities faced by the sector. We’ll look at two of them here.
First, there’s the fact that many of the oil and gas operators that are making use of innovations such as IIoT monitors are trying to integrate their new solutions with tried-and-true machinery, industrial control systems (ICS) and OT networks. In other words, they’re working with aging equipment that has already proven its worth on an operational level but may not be compatible with (or friendly to) the latest digital standards. If so, they’re leaving themselves open to more cybersecurity threats.
Then there’s the fact that oil and gas companies often operate in conditions that are in a constant state of flux and also subject to rapid changes. Jon Taylor, an assessment and testing services manager and principal consultant for Revolutionary Security, a subsidiary of Accenture, pointed out last July that cyberattacks were not always easy to spot for companies carrying out complex tasks such as drilling wells or maximizing output from subsurface reservoirs, since there were so many variables involved and so much potential for fluctuations in data streams.
More visibility = less vulnerability
Visibility can lessen the impact of these vulnerabilities.
As we noted above, an oil and gas company may be using multiple systems of varying provenance, age, compatibility, protocols, and level of sophistication all at once. It may, for example, be saddled with legacy switch SPAN ports that aren’t secure, reliable, or available. If so, it probably has difficulty keeping track of everything – every machine, every device, every sensor – connected to its network. Therefore, it needs a cybersecurity solution that can provide it with a visual representation of every component of the entire system. Otherwise, it won’t be able to monitor its system properly. (Remember, you can’t secure what you can’t see.)
And then there’s the complexity and variability inherent to tasks such as the drilling of wells or production from subsurface fields. Visibility helps here too, because it allows operators to keep an eye on anything and everything that might be an irregularity or a problem – and to determine whether those irregularities and problems are the result of intrusions or malicious activity on the network. In technical terms, it eliminates potential blind spots and allows security tools to analyze packet data visibility by deploying network TAPs (test access points), air-gapped virtual TAPs, and data diodes along with the wider security and infrastructure strategy.
But implementing best practices in visibility fabric architecture isn’t the only necessity. Oil and gas companies also need cybersecurity solutions that allow for real-time, continuous monitoring of threat detection and anomalies such as malfunctioning devices. They need solutions that allow them to practice for, predict, and prevent security breaches. They need solutions that can detect, manage and prioritize the vulnerabilities of the devices and firmwares of their IT and OT networks (including the reporting of common vulnerabilities and exposures, or CVEs).
What’s more, they need solutions that allow them to implement fundamental best practices for cybersecurity. According to the American Petroleum Institute (API), the best way to achieve this goal is for oil and gas operators to “orient their information technology (IT) and industrial control systems (ICS) cybersecurity programs to leading frameworks and best-in-class standards, especially the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the ISA/IEC 62443 Series of Standards on Industrial Automation and Control Systems (IACS) Security.”
If you’re ready to provide a higher level of visibility to your your oil and gas company and are unsure of where to start, join us for a brief network Design-IT consultation or demo. No obligation – it’s what we love to do.
