Cybersecurity in process monitoring within Oil and Gas

Joe Morgan

I have been involved in the oil and gas industry in one form or another for over thirty-five years. This long tenure has enabled me to witness incredible changes in both the market and technology. There have been busts and booms, the discovery of new oil and gas fields and techniques to reach these reserves. I have seen the emergence of downhole instrumentation to give indications of factors – such as pressure, volume – as well as new stimulation techniques to draw out every ounce.

My experience has enabled me to recognize that we’re currently in the midst of great technological changes within the oil and gas industry; but with these advances come cybersecurity risks, which have been steadily increasing in this sector. This blog will look at how today’s oil producers are using new sensor technologies to improve efficiencies and reduce cost and examine how associated security risks can be mitigated.

From ‘keen ears’ to sensor technology

An oil producer’s main objective is to keep the well profitable and technology plays a significant part in operations. Where once the keen ear of a field service man could spot the sound of a failing bearing, local embedded sensors have taken over. Smart sensors and SCADA systems are helping companies to monitor and report on the operational aspects of oil and gas. These sensors can detect early changes and relay critical data across a facility to a plant manager or send it thousands of miles away to a remote control room. Until recently remote monitoring was too expensive, but innovations in LTE and similar cellular technologies (powered by solar and battery storage), allow sensors to send information across long distances. Smart sensors can also be programmed to send data when there is a problem, cutting operational costs significantly.

Producers are adapting these systems to remotely monitor well sites for security, process and health & safety, using these new combined technologies. This will move producers from a reactionary stance to a proactive stance, benefiting the operational aspects of a site and decreasing the need for some well services. Sensors working around the clock can detect abnormal activity, replacing random manual checks. This will ultimately save money and keep the well profitable. Many companies are bringing these capabilities into their networks, but with that comes potential cyber risks.

Battling cyber threats to critical infrastructure

Malware cybersecurity

The oil and gas sector forms an important part of a country’s critical infrastructure sector and cyber security is the number one concern for most operations. Successful attacks against critical infrastructure, the numerous subsectors, and the associated authorities could have catastrophic effects on organizations and citizens. In addition, it could also result in a cascading or domino effect: if one subsector goes down, other subsectors could follow.

It is crucial for organizations to defend against these attacks, which are continuing to morph and evolve. The industry has seen an increase in ransomware attacks against IoT devices, due to their inherent security vulnerabilities. This underscores the need for new sensors to be secure. In addition to traditional attacks demanding money, there are Trojan horse-type malware attacks that go through periods of dormancy and information gathering activity, to avoid detection. Once enough information has been gathered, hackers can then take over operational control. Imagine if this happened in an oil and gas plant. A malicious actor could trigger a false alert that a piece of machinery has malfunctioned. If not verified, an incorrect reactionary response could cause more damage than the actual event.

Implementing additional layers of security

Verification of sensor alerts or alarms can be achieved by additional sensors. Two types of evolving sensors are visual and thermal cameras. These can be positioned to determine if the sensor has indicated a problem correctly; thus, verifying if an event has happened. Real-time remote monitoring can add an extra layer of security, especially at a time when oil and gas companies are facing challenging circumstances. Fluctuations in oil prices have caused a reduction in manned sites and an increased reliance on infrequent visits by personnel.

Hackers are opportunistic and will look to exploit vulnerabilities in existing processes. In addition to verification, advanced sensor manufacturers have added more layers of protection and will look to third party cybersecurity partners to help reinforce their defenses. Therefore, supply chain due diligence has never been more important when we consider the associated risks of a cyberattack.

Evaluating the supply chain

Oil and gas producers should look beyond the operational benefits gained from new technology and focus on the cybersecurity maturity of the businesses within their supply chain, to protect their investment from potential attacks. A compromised solution within a critical sector could not only have dire consequences for the business, but for society as well. As countries rely on these services, the implications could be widespread. From a business perspective, a successful cyberattack could have negative impacts on their brand reputation, share price and profitability, as well as result in operational downtime and regulatory fines.

To support the evaluation of a business’s partners within its supply chain, the approach needs to go beyond the operational aspects of the technology itself. Areas to consider throughout the evaluation should be the process and policies that they have in place to demonstrate their own internal maturity, such as ISO27001. If these organizations can’t demonstrate what they are doing to protect themselves from cyberattacks, how can they protect their customers?

Oil rig evening sunset

With regards to the technology, what features and tools do they have in place to mitigate the risk of their products being the root cause of an attack? For example, features such as signed firmware and secure boot ensure that the device hasn’t been compromised prior to deployment. Does the technology follow a ‘secure by design, secure by default’ setup, where all the security provisions are enabled out of the box? Do they have commission aids to harden a device onto a network? How are they supporting the full life cycle management of the technology? What is secure today, doesn’t mean that it will be secure tomorrow. Do they offer a device inventory that will allow for firmware updates to be proactively managed in an efficient manner? It’s acknowledged with IT policies that firmware updates will become more valuable than a manufacturer’s hardware warranty; especially when considering the expected duration of usage and the risk posed by out of date firmware.

As the oil and gas sector enters a new technological era, the role of the technology partner will become even more pivotal to success. The solutions they provide will help improve efficiencies and reduce costs in the sector, especially from a remote monitoring perspective. However, careful cybersecurity evaluation of these businesses is critical and should be prioritized during the procurement process. From my experience, it would be a disaster if the technology that was deployed to improve business operations and improve profitability, resulted in the user’s systems being compromised. If we acknowledge that every business is only as strong as the weakest link, we need to make sure that cybersecurity falls within the evaluation process and isn’t an afterthought. Only then will oil and gas organizations be in a strong position to take advantage of emerging technology solutions.

To learn more on how Axis delivers three layers of cyber protection click here.

Three layers of protection