The future is brighter than ever for the hydrocarbon industry – particularly with the recovery of unconventional resources such as shale oil and gas, and coal bed methane. Yet this also brings with it some controversy, and this is just one reason for the industry’s increased vulnerability to cyber attack.

Political espionage, malicious attack for financial gain, disgruntled employees, even human error; all have the potential to significantly disrupt processes at rigs and refineries. With a typical oil pipeline pumping $3m oil per hour, effective digital data management keeps revenues flowing¹. But it’s not just the hydrocarbons – a large refinery produces an average 1TB of data per day².

TRANSITION TO THE DIGITAL OILFIELD
More and more oil and gas companies are experiencing the benefits of transitioning to the Digital Oilfield. By converging IT and operational technology (OT), these companies are realising huge gains from real-time visibility of operations, including - increased productivity, reduced operational costs, improved safety, and regulatory compliance.

But the combination of open standard based IP protocols and integration into back office systems also exposes oil and gas companies to the threat of cyber attacks.

THE RAPID RISE OF CYBER CRIME
So it's hardly surprising that the prevention of control system security incidents is a hot topic, and one that's been heightened by the effect of serious cyber attacks on the energy sector in the Middle East during recent years. Threats are becoming more inventive and more insidious.

The Stuxnet virus, which targeted programmable logic controllers (PLC) and SCADA systems in 2010, was one of the first examples of cyber-sabotage. Typically introduced by infected USB flash drives, it subverted industrial process control systems, collecting system information and causing them to self-destruct³.

These are complex, intelligent viruses: Stuxnet was notable for including code to fake control sensor signals to prevent the precautionary shutdown of an infected system due to detected abnormal behaviour, and also for making itself inert if the specific SCADA software wasn't found on the infected machine.

Even two-way radio systems that are considered "isolated" from the enterprise IT network are vulnerable to attack. Indeed, the source of computer virus that infected the radio dispatch system of an Australian ambulance service in 2011 was thought to have been a compromised USB stick⁴.

Back to the present day, and global security experts are currently investigating the Shellshock bug which appears to primarily target Unix servers⁵. Early indications show that the level of vulnerability has yet to be fully understood but could be uncommonly wide-ranging.

WIDESPREAD VULNERABILITY NEEDS SYSTEMATIC PROTECTION
The IDC Energy Insights whitepaper issued in 2013 highlighted that 40% of the total number of cybersecurity incidents were attacks against the energy sector, costing $19.8m annually⁶. Protection from such threats requires an organisational culture change as well as an enterprise information security architecture: from systems and data, to processes and people. Yet only 50% of oil and gas companies have a robust information security strategy in place.

Successful attacks show that companies often underestimate the vulnerability of digitally enabled technology and devices⁷. 45% of oil and gas companies responding to the IDC security survey were unclear just how many security events happened during the last 12 months, and of that percentage, half didn't know the nature of the breaches⁶.

A CYBER SECURITY FRAMEWORK ALIGNED TO GLOBAL SECURITY STANDARDS
So what should the oil and gas industry be doing to maintain a secure, intelligent and responsive digital oilfield, while mitigating the risk of cyber threats and malware? A 2013 study by the CSIS found that 96% of successful breaches could have been avoided if simple controls were put in place⁸, and as a result the NIST Cybersecurity Framework was established to provide a common mechanism for organisations to improve their security position.

In response to these changing conditions, we've published Protecting Operations in the Energy Sector Against Cyber Attacks. The whitepaper discusses the threats in detail and presents a best practice cybersecurity strategy that is consistent with the NIST Framework. We've also included a handy checklist so you can assess your company's current levels of protection.

If, after reading, you find that your operations are indeed vulnerable to attack then we do offer a cyber assessment service, details of how to arrange the assessment can be found on the back page of the whitepaper.

If you'd like to join the conversation about protecting oil and gas operations from cyber threats, we'd be delighted to welcome you to the Motorola Solutions Community EMEA LinkedIn Group.

¹ Motorola Solutions White Paper “TETRA – Enabling Critical Communications in the Oil and Gas Sector”
² Journal of Petroleum Technology – October 2012 “Data Mining and Analytics, Data Mining Applications in the Oil and Gas Industry”.
³ BBC News Technology Article “Struxnet ‘hit’ Iran nuclear plans”.
⁴ IEEE Spectrum: Virus Hits Australian Ambulance Service.
⁵ BBC News Technology Article “Web attacks build on Shellshock bug”.
⁶ IDC Energy Insights, 2011 “Worldwide Oil and Gas Top Predictions, 2012”.
⁷ Security in Upstream Oil and Gas, Microsoft Corporation, March 2013.
⁸ Center for Strategic and International Studies, 2013 “Raising the Bar for Cyber Security”.