Digital technologies are transforming the UK offshore sector, but they also open the industry to new cybersecurity risks. Wireline explores the scale of the issue, and how businesses can help ensure they are protected.
As digitalisation progresses in the North Sea, it brings the power of the internet closer to the operational environment. Yet that proximity also increases exposure to the kind of digital threats and security challenges faced by most connected businesses. While many may be generic and well-known risks – scattergun email phishing attempts, for example – others are highly specific to the industry, and may even target particular companies or facilities. In that regard, no company working in the sector can afford to be complacent or underprepared.
Historically, offshore assets have been designed with less attention to cybersecurity, largely because of their remote nature, both geographically and in terms of operational control. Now, in pursuit of greater autonomy and efficiency, most have embraced internet-enabled technologies for their ability to provide new forms of remote monitoring, control and data.
With this connectivity come risks that must be managed. Cyber-attacks, in the case of offshore oil and gas, have the potential to do serious damage, given the already hazardous nature of exploration and production activity. Even new facilities – which are designed and built with these threats in mind – require constant attention to ensure adequate defences in a fast-evolving environment. Meanwhile, older assets may have legacy vulnerabilities that must be identified and protected accordingly, all of which require serious time and resources.
According to professional services consultant PricewaterhouseCoopers (PwC), the primary perpetrators of cyber-crime (in terms of the risks posed) are state-sponsored agencies with specialised hackers at their disposal, or organisations engaging in corporate espionage. Outside the interests of nation states, the main motives for this sort of attack on oil and gas-related companies are likely to be the acquisition of intellectual property (IP), reservoir information or research and exploration data.
Beyond attempts to access information, however, in the worst-case scenario a sophisticated hacker could interfere with operations – posing a risk to life, assets and the environment. By accessing control systems, intruders could, for example, cause the flow of natural gas through a pipeline to grind to a halt, trigger an explosion at a petrochemical facility or do damage to an offshore drilling rig that could lead to an oil spill, according to EY.
“We’ve seen attackers trying to gain access to safety systems, as was the case with the Triton malware incident in the Middle East,” said Matthew Freeman, global cyber-security manager at DNV GL. “The implications of this sort of attack are considerable…the only thing that stopped it from being a major event was an error in the hacker’s software that caused the safety system to shut down.”
DNV GL global service line leader for cyber security, Mate Csorba, noted some examples of major attacks closer to home too, including one on the Norwegian oil industry in 2014 by a “threat actor with extensive resources”. At the time, National Security Authority Norway (NSM) said 50 companies were hacked and 250 more were put at risk. “Reportedly, the attackers were looking for ways to persist inside corporate networks and install additional malicious code for further stages of attacks,” Csorba explained.
In its annual report for 2017, NSM concludes that multiple cyber espionage campaigns, possibly state-backed, continue to target the Norwegian industry. “Attackers are becoming more sophisticated and there are a wider range of targets as digitalisation spreads,” said Csorba. He pointed out that terrorism was another risk, citing the hostage crisis at the In Amenas gas facility in Algeria in 2013 which, although it involved no element of cyber-crime, “proved that assets operated by the largest Norwegian energy company may be targeted by international terrorist organisations.”
However, Freeman said most attacks were not of this sort and represented a lower level of risk: “In the North Sea there are a variety of perpetrators – some intrusions appear to be targeting intellectual property and business strategies, either by rival companies or syndicated crime… Sometimes information is simply collected and sold on. Hackers do not always know the nature of the systems they are attacking – often they are just exploring or testing for vulnerabilities, and a lot go undetected.”
“Alternatively, the threat can be internal from a disgruntled employee or sometimes there is no real intent, they are just random,” he added. For example, loading operations at Equinor’s Mongstad facility were brought to a standstill in 2014 by an IT technician accessing the wrong server remotely inside the production environment. “This incident led to the company revising its outsourced IT services,” said Csorba.
Simon Daykin, UK chief technology officer at Leidos – a system and service integration organisation involved in cybersecurity across all areas of critical national infrastructure, including the US government – echoed the notion that attacks may be targeted or opportunistic, and that the industry must be prepared for both. “As last year’s ransomware campaigns have shown (including the WannaCry attack whose victims included the NHS), companies no longer have to be targeted to suffer downtime and financial consequences of insufficient cyber-resilience,” he said.
Until recently there had been a lack of awareness of cybersecurity in the industry, according to Freeman. “It’s a cultural issue – there’s a need to increase cultural awareness in the industry,” he said. To that end, and following the 2014 attacks in Norway, DNV GL and companies from within the oil and gas and cybersecurity industries set up a Joint Industry Project (JIP) to establish common recommended standards. “We needed countermeasures for the various risks – addressing the technology, design and operation; looking at both people and processes,” he explained.
The JIP would go on to produce the standards set out in DNV GL’s RP G108 guidelines. Freeman said that by “adhering to recommended practice it has been possible to set expectations and tighten culture. Organisations can check behaviour and enforce correct procedures with their own staff and contractors… The JIP helped raise awareness – larger companies are furthest ahead.”
Adhering to the guidelines helps reduce insurance premiums and avoid fines, including under new European regulations such as the EU Directive on Security of Network and Information Systems (NIS), which is designed to enforce common minimum standards across critical infrastructure.
Responding to these increased priorities, Oil & Gas UK held its first ever cybersecurity event in Aberdeen in September. During the conference, the Department for Business, Energy and Industrial Strategy’s head of energy cybersecurity noted that the effects of these new policies would be felt by the supply chain, as well as operators. “This directive covers a small number of operators, but it does put pressure on the rest of the supply chain to act accordingly and I would expect those operators to be asking more prodding questions of their supply chain going forward,” she said. “I think in that context there will be an expectation on some of the large players in the industry but also for the supply chain to up their game a bit.”
IT vs OT
There can be a disconnect between IT systems (which are regularly updated and patched by specialists) and operational technology (OT) systems, which are normally in the hands of the engineers who run and maintain facilities. According to Freeman, this can make systems on oil and gas installations more vulnerable: “We need operational knowledge combined with vendors and IT experts – all bring a different perspective and all need to communicate.”
Leidos’ Daykin said there had been some convergence, but that “IT and OT are still often run by different parts of the organisation… There are cross-over threats from IT into OT, and organisations need to understand the risks they have and what they need to do… they need to take a strategic approach – where, what and how to mitigate risks.”
He said vulnerabilities were often already present in older devices and these needed to be identified by testing, and then dealt with. “More companies are requesting ‘penetration testing’, which can identify where some of the holes are, including in operational/behavioural matters. Those with older technology embedded in their systems are more vulnerable to random attacks,” he explained. “Companies need to take a strategic rather than tactical approach; preventative rather than reactive. Cyber-security should no longer be just an add-on to the digital transformation.”
DNV GL’s Freeman agreed: “Any project, retrofit, upgrade involving business or safety critical ICS/OT systems or components should pay special attention to potential zero-day vulnerabilities within the systems or devices being used; plus any emerging threats arising from IT/OT integration activities; plus the humans that come into contact with them.”
Only a very small proportion of attacks get much publicity, which restricts the ability of the industry to learn from past attacks: “It’s important to know about and learn from key attacks. Specialist publications give some detail, along with organisations like the SANS Institute. Much of this comes from the IT side, rather than OT, which whilst having crossovers is often industry specific in implementation,” said Daykin.
“We can use intelligence from attacks to spend money smartly – learning from lessons in oil and gas and other sectors… There are also several techniques, such as foot-printing, finger-printing, honey-potting and sink-holing, that can be used to detect a threat early on and confine it to a space where you can understand its anatomy and behaviour safely, away from sensitive assets… This enhances security and builds up an understanding of the different methods of attack,” he continued.
The anatomy of cyber attacks can be understood in terms of the process that needs to be completed by the attacker to undertake their mission, and Leidos uses a so-called ‘cyber kill chain’ to model the steps involved in a successful attack, to build a ‘defence in depth’ protection strategy. “Good defences can mitigate each step and gain intelligence from what’s going on,” said Daykin. This approach allows defenders to be more proactive and engaged, as opposed to mounting a tactical response that addresses threats as they appear.
Both attackers and defenders are evolving quickly, said Daykin, but the battle now favours the latter – provided they employ a “strategic preventative, proactive and collaborative” approach. “As long as companies understand the environment and take a strategic view, the balance is absolutely tipping towards the defender… But companies need to absorb cybersecurity into the culture of their business. It needs to be part of people, processes and technology across the business to effectively combat the more advanced threats we are facing,” said Daykin.
But while defence practices may be improving, more needs to be done following attempted attacks. For one thing, these intrusions are rarely prosecuted, and victims do not always want information about the attempt passed on to police. Daykin added: “Cyber Forensics needs to be a key element designed in, because it is important to understand what is going on.”
With such a broad scope of threats out there, and a sector made up of a diverse range of companies, devising a robust strategy can be daunting. Yet even small companies can take proactive measures. As Freeman noted: “When budgets are relatively limited, perhaps the first thing to think about is which area would benefit from an improvement in the cyber security posture. Organisational cyber security awareness-raising, procedural reviews and policy improvements may be low-hanging fruit, an organisation can handle, or get help with relatively easily.”
Speaking during Oil & Gas UK’s seminar, ABB cyber security consultant Ben Dickinson outlined how companies could manage such strategies, breaking the process down into various categories, designated: Identify, Protect, Detect, Respond and Recover. This process involves understanding the type of threats posed to your business, exploring where vulnerabilities may be and using risk assessments to determine which security controls should be adopted. Once these are in place, any intrusions should be detected, logged and investigated.
If breaches do occur, Dickinson also highlighted the importance of a robust response and recovery plan, which should include both technical elements – such as backing up and restoring data – and a communications plan to inform customers, suppliers, the media and government of what is happening.
Although this is important work, DNV’s Freeman does not believe that security strategies should be prohibitively expensive: “On the technological front, retrofitting of systems, additional hardware costs, or software licences might be significant expenditures. However, in most cases compensating actions can be put in place immediately and provide improvements of cyber security, if the company is aware of where and how to deploy these best.”
Exactly what these new threats might look like remains uncertain. But what is clear is that as digitalisation continues, well-designed cyber security infrastructure and proactive security management will become ever more important in all industries, not least oil and gas.