Security
Bennett Jones via Mondaq | 1 March 2016

Toward the Creation of IT Security Standards for the Alberta Oil and Gas Industry

In its first public report of 2016, the Office of the Auditor General of Alberta reviewed, among other things, information technology (IT) security for industrial control systems used in Alberta’s oil and gas industries. Forming part of the industry’s critical infrastructure, these systems consist of hardware and software technologies that facilitate the production and delivery of energy produced in Alberta (e.g., flow measurement and control products and pipeline leak detection solutions).

The auditor general’s office states the rationale for its audit is “… we believe Albertans may be at risk if [control standards] are unsecured or do not meet minimum IT security standards.”

Given that no entity within the government of Alberta has assessed the threats, risks, and effects of cyberattacks on control systems used in the Alberta oil and gas industry, the Alberta auditor general recommended that the Department of Energy and Alberta Energy Regulator work together to determine whether an assessment of such threats, risks, and effects should be undertaken.

Rigzone | 11 February 2016

Digital Shadows Offers New Defense to Oil, Gas Cyberthreats

As the oil and gas industry pushes toward greater use of automation and digital technologies to enhance operational efficiency, productivity, and safety, it must grapple with the cybersecurity threats that automation and digital technology present. With cyberthreats affecting energy operations, from upstream to energy trading, the traditional tools of perimeter monitoring make it challenging for oil and gas companies to gather and understand all of the information that lies in their digital shadows.

Digital Shadows’ technology goes beyond the perimeter, prowling through everything online, to find potential threats to oil and gas companies and their operations. These sources not only include the visibly open Internet that everybody uses but also sources not indexed by Google. Digital Shadows also monitors a subset of the Internet called the Deep Web, or Dark Web. This includes websites that that allow people to remain anonymous online. While much of this material is benign, forums and message boards where weapons, drugs, or company data can be bought and sold are found there.

Offshore Energy Today | 1 December 2015

Top 10 Cybersecurity Threats for the Oil and Gas Industry

With the exploitation of new cost-effective operational concepts, use of digital technologies, and increased dependence on cyberstructures, the oil and gas industry is exposed to new sets of vulnerabilities and threats, DNV GL writes in an article identifying the biggest cybersecurity threats to the oil and gas industry.

According to the company, cyberattacks have grown in stature and sophistication, making them more difficult to detect and defend against, and costing companies increasing sums of money to recover from.

DNV GL is delivering a cybersecurity study to the Lysne Committee, a body appointed by the Norwegian Ministry of Justice and Public Security to assess the country’s digital vulnerabilities. DNV GL’s study reveals the top 10 most pressing cybersecurity vulnerabilities for companies operating offshore Norway.

The top 10 cybersecurity vulnerabilities identified from the study are

  1. Lack of cybersecurity awareness and training among employees
  2. Remote work during operations and maintenance
  3. Using standard information-technology products with known vulnerabilities in the production environment
  4. A limited cybersecurity culture among vendors, suppliers, and contractors
  5. Insufficient separation of data networks
  6. The use of mobile devices and storage units including smartphones
  7. Data networks between on- and offshore facilities
  8. Insufficient physical security of data rooms, cabinets, etc.
  9. Vulnerable software
  10. Outdated and aging control systems in facilities

Read the full story here.

Rigzone | 19 November 2015

Oil, Gas Cyberattacks Increasing

Cyberattacks in the upstream oil and gas sector are increasing, according to Eric Knapp, the global director of cybersecurity solutions and technology for Honeywell Process Solutions.

At an annual meeting for Honeywell users in Europe, the Middle East, and Africa being held in Madrid , Knapp said that not only is the oil and gas industry seeing more cyberthreat activity but that threats of this nature are becoming more advanced.

“In those sites that we support directly, we have seen that there’s an increase in activity. We can extrapolate from that that globally there’s an increase … . Malware creation and the cyberthreat as an entity is an organization. Malware changes and evolves … . We’re seeing activity increase across the board.”

Rigzone | 17 November 2015

Changing Human Behavior Key To Thwarting Cybersecurity Attacks

Despite increased spending on technology to stave off cyberattacks, companies are getting compromised more and taking bigger hits.

The revenue of cybersecurity companies traded on the public market grew an annual average of 20% last year, said Rohyt Belani, cofounder and chief executive officer of PhishMe, during a keynote presentation at the API Cybersecurity Conference in Houston.

But a PricewaterhouseCoopers report found that the number of reported cybersecurity incidents rose by 48% this year and the number of companies reporting cyber-related financial hits of over USD 20 million grew by 92%.

“We love silver bullets in cybersecurity,” Belani said.

However, companies using this approach will likely fall flat on their face. Just like living a healthy lifestyle is no guarantee against a person getting cancer, cybersecurity is about mitigating risk and rapidly responding to events. But cybersecurity preparedness provides no guarantee that an incident won’t occur.

“Often what I find is that people equate compliance with security,” said Belani, but compliance isn’t enough. Instead, a threat-based approach is needed.

Rigzone | 17 November 2015

Security Chief Says Cybersecurity Ranks as Top Long-Term Threat to Statoil

While terrorist attacks grab headlines, cybersecurity poses the greatest long-term threat to Statoil ASA’s global oil and gas operations.

The 2013 terrorist attack on Statoil, BP, and Sonatrach’s jointly held facility in El Amenas, Libya, prompted Statoil to set up an independent investigation to assess the risk of a similar attack occurring in the future. The company’s report on the incident, published in September 2013, concluded that the company lacked a security culture and the security it had in place was not fit-for-purpose for a company with international aspirations.

After completing its assessment, Statoil determined that the great long-term threat to its operations came not from physical attacks but from cybersecurity attacks, Adrian Fulcher, head of security threat assessment at Statoil, told attendees at the API Cybersecurity Conference in Houston.

While the company operates in a number of challenging environments worldwide, most of Statoil’s assets are on the Norwegian continental shelf, Fulcher said. As a possible consequence, the company has had a fairly easygoing security culture, which also extended to Statoil’s cybersecurity culture.

“If we were to suffer a major large-scale accident as a result of an attack on our industrial control systems, it is something that would shape and change the future course of the company in a big way,” Fulcher said.

Dark Reading | 5 November 2015

How Hackers Can Hack the Oil and Gas Industry With ERP Systems

Researchers at the Black Hat Europe conference in November will demonstrate how SAP applications can be used as a stepping stone to sabotage oil and gas processes.

Hackers can exploit weaknesses in enterprise resource planning (ERP) systems on oil and gas firms’ corporate networks in order to sabotage pipeline pressure or hide oil spills, researchers have discovered.

Researchers at Black Hat Europe, set for 10–13 November in Amsterdam, will demonstrate these and other attacks on oil and gas networks by abusing holes in SAP ERP applications used in the industrial sector. Oil and gas industrial networks rely on ERP software to help manage and oversee the oil and gas production and delivery processes.

“We want to show that not only Stuxnet-type attacks using USB are possible,” said Alexander Polyakov, chief technology officer and founder of ERPScan, who, with Mathieu Geli, a researcher with ERPScan, will demonstrate several proof-of-concept attacks at the conference. An attacker could hack the systems remotely over the Internet, he says, or from the oil and gas firm’s corporate network.

“SAP is a key to this kingdom because it has a lot of products specifically designed to manage some processes such as operational integrity or hydrocarbon supply chain. Since SAP systems are implemented in, if I’m not mistaken, about 90% of oil and gas companies, this key can open many doors,” he said. “SAP is connected with some critical processes which, in their turn, are connected with other processes, and so on.”

Valley News | 20 October 2015

Dartmouth College Receives USD 925,000 Cybersecurity Grant

Dartmouth College has received nearly USD 1 million from the Cyber Resilient Energy Delivery Consortium as part of its USD 28.1 million effort to create and foster cyberattack-resistant systems for electric power and oil and gas industries.

The consortium includes 11 national laboratories and universities and is led by the University of Illinois. It is a successor to earlier efforts to create trustworthy cyberinfrastructure for the power grid. Dartmouth has been a partner in the project since the beginning 10 years ago, according to a news release from the college.

The funding comes from the US Department of Energy.

Dartmouth’s USD 925,000 grant “will improve the protection of the US electric grid and oil and natural gas infrastructure from cyberthreats,” according to a statement from the Energy Department posted on Dartmouth’s website.

Rigzone | 20 October 2015

Security in Oil and Gas: The Threat From Within

Since the Second World War, one of the realities of the upstream oil and gas industry is that it often has to operate in dangerous parts of the world. Being a precious commodity that much of the modern world relies upon in order to function, access to oil itself is a driver of political turmoil and can be blamed—at least in part—for numerous conflicts from the Suez Crisis in 1950s through the Gulf War in the 1990s to today.

Right now, one of the major threats to oil and gas assets, and to engineers and other frontline staff, based in the Middle East and Africa is from Islamist terrorism. No single event comes closer to exemplifying this threat than the January 2013 attack against expatriate and local energy company workers at the In Amenas gas processing facility in Algeria.

That incident became a 4-day siege that resulted in the deaths of 39 foreign hostages and an Algerian security guard.

At the recent Offshore Europe conference in Aberdeen, the In Amenas atrocity was discussed in some detail by Adrian Fulcher, a British counter-terrorism specialist who served on Statoil ASA’s special investigation team that looked into the incident.

Taking part in a conference session on security of personnel and assets, Fulcher explained that the attack on In Amenas was extremely well planned and prepared and that it was carried out by people who had the ability to be flexible and think on their feet when dealing with contingencies.

The terrorists had navigated through the desert during the night to arrive at the break of day and then had complete control of a 10-square-kilometer area that encompassed the In Amenas gas facility. They separated out the foreign staff from the local employees, and they knew some of these expats workers and managers by name while they were able to identify others using documentation that they found at the facility. It was clear that they had had insider help.

“There was an impressive amount of intelligence, insider support and preplanning. I think that’s … a characteristic of the threat profile that, more widely, the industry has to face. That the people who threaten us, whether they’re terrorists, whether they’re cybercriminals or whether they’re organized criminals, they increasingly do their intelligence homework first,” Fulcher said.

“They look at us very hard, they seek to understand how we operate and where our vulnerabilities are, and they exploit those vulnerabilities against us. And how do they do that? Typically, with insider support.”

The implication is that oil and gas companies are going to have to spend a lot more time and effort vetting their employees—particularly those who work in politically sensitive parts of the world.

Houston Chronicle | 19 October 2015

Column: Oil and Gas Industry Must Face Challenge of Cybersafety

The oil and gas business is a significant part of Texas history and culture and a major economic contributor to our overall state economy. Houston and Dallas are widely recognized for their part in the industry, but many might be surprised at the substantial number and size of oil and gas companies in San Antonio, Austin, Midland, and smaller cities throughout Texas.

New production technologies have led to a recent boom of “unconventional” production in both older fields and new areas where drilling was previously untenable. The Texas economy has thrived with shale production and offshore exploration and drilling. But the current climate of low oil prices and decreasing global demand has already significantly affected our economy, and there are other, less visible threats.

I recently attended an oil and gas conference in Houston geared specifically toward the industry’s unique cybersecurity challenges. While oil and gas organizations share similar cybersecurity concerns with every information-technology organization, they also have the added responsibility of protecting the critical infrastructure-control systems that run many aspects of upstream and downstream operations. But, until recently, the industry has been slow to act on the risk.

We now live in a world where cyberattacks can result in physical, and possibly catastrophic, damage and loss of life if these control systems are compromised.

Offshore Engineer | 19 October 2015

The ISIS Threat

While much of SPE Offshore Europe focused on the North Sea, there was also a strong global focus, via UK Trade and Investment’s country briefings, as well as keynote sessions looking at global security issues.

Oil and gas assets in the Middle East and Africa are facing an increase threat from ISIS, a security expert has warned, as the group grows and seeks to acquire new territory.

Al-Qaida and jihadist expert Aymen Ali Dean told delegates on Day 2 of SPE Offshore Europe during one of the keynote sessions how Al-Qaida has become more dangerous since 2004–06 when its ideology prompted a change in strategy.

“If you took 10 Al-Qaida leaders in 2004–05 and asked what they wanted, you would get 20 different answers,” Dean told show delegates. Today, he said, the organization has featured a lack of discipline and commitment from recruits.

But its approach has been refined, and today the Islamic State group (ISIS) and jihadists pose a threat to the security of the energy industry, delegates heard.

But the organization’s logic has dictated that no jihad—holy war—can exist without an imam, and an imam cannot exist without a state and that, therefore, a state and an imam have to exist first, before a jihad—directed against the West—can be pursued, explaining why ISIS is now seeking to establish a caliphate, or Islamic state, within Syria and Iraq.

Rigzone | 15 October 2015

Life in Libya: The Endurance of Eni

Eni has faced a spate of security threats in Libya since the beginning of the revolution that ousted Muammar Gaddafi in 2011. The most recent incident occurred 31 August, when a car bomb exploded in front of the headquarters of Mellitah—a joint oil and gas venture between Eni and the Libyan state oil firm National Oil Corp. (NOC). The attack  caused damage to the facility that Islamic State militants claimed in a twitter statement the next day.

In July of this year, the Italian foreign ministry (Farnesina) reported that four Italian employees of oil services firm Bonatti had been kidnapped in the vicinity of the Mellitah compound, and Reuters revealed in June that Yousef al-Shoumani, a manager at the Mellitah oil and gas consortium, had also been taken by abductors. Other notable incidents since the start of the 2011 revolution include:

  • A strike in April 2015 by Libyan security guards protecting the El Feel oilfield, co-owned by NOC and Eni, which forced the facility to close
  • A firefight in 2013 between former rebel fighters from Zuwara and those guarding Mellitah, which led to Libya temporarily stopping gas exports to Italy from the Mellitah complex
  • The 2011 civil war, which forced Eni to temporarily halt production at almost all of its Libyan facilities early that year

A range of companies have scaled back upstream operations in Libya because of the country’s political instability. Royal Dutch Shell abandoned two exploration blocks in Libya in 2012, blaming the decision on disappointing exploration results, although reports at the time indicated the company was also concerned about the insecure situation in the North African country. In September 2013, Exxon Mobil cut back its staff and operations in the region following its decision that the security situation in Libya no longer justified a large presence, Reuters reported, and Marathon Oil was considering the sale of its stake in Libya’s Waha Oil company, before its efforts were blocked. Total said in its first quarter 2015 results, released 28 April, that it halted production in the country in February because of the “deteriorating security conditions in Libya,” and BP announced 28 July that it had written-off USD 600 million of exploration costs in the region, “primarily due to circumstances in the country.”