Reuters | 10 May 2016

Union Says Shell Workers Evacuated From Bonga Field After Militant Threat

Shell workers at Nigeria’s Bonga oil field in the southern Niger Delta are being evacuated following a militant threat, a senior labour union official said on 9 May.

“We are aware of the development, and the evacuation is being done in categories of workers and cadres,” Cogent Ojobor, chairman of the Warri branch of the Nupeng oil labor union, said. “My members are yet to be evacuated.”

He gave no numbers.

Shell said earlier on 9 May that oil output was continuing at its oil fields in Nigeria despite local media reports of a militant attack near its Bonga facilities.

“Our operations at Bonga are continuing,” a spokesman for Shell Nigeria Exploration and Production Company said in a statement. It said it would continue to monitor the security situation in its operating areas and take all possible steps to ensure the safety of staff and contractors.

Last week, militants attacked a Chevron platform in the Delta where tensions have been building up since authorities issued an arrest warrant in January for a former militant leader on corruption charges.

The Associated Press | 10 May 2016

Militants Attack Chevron Oil Facililty in Nigeria

Armed militants attacked a major Chevron oil and gas facility off Nigeria’s southern coast, the military said on 6 May, and the US-based multinational said it was forced to shut production there but its exports will continue.

A new group called the Niger Delta Avengers said it bombed Chevron’s Okan platform on 4 May and warned international companies that “the Nigerian military can’t protect your facilities.”

“This is what we promised the Nigeria government. Since they have refused to listen to us, we are going to bring the country’s economy to zero,” a statement said, threatening more attacks including in Abuja, the capital, and Lagos, the commercial center.

Rigzone | 3 May 2016

Jobs Set to Grow in Oil, Gas: Cybersecurity

The increasing use of the Internet of Things and Big Data in oil and gas is bound to lead to further concerns about cybersecurity among companies that operate in the sector. Indeed, it is a problem that already plagues the industry. Several organizations focused on cybersecurity see the energy industry as being especially susceptible to cyberattacks.

The US Department of Homeland Security (DHS) frequently highlights the energy sector as being the target of cybersecurity incidents. In 2015, DHS reported that of the 245 incidents reported to it by asset owners and industrial organizations during the previous year, 79 of these, about 32%, were reported by the energy sector. Another report, Trend Micro’s Report on Cybersecurity and Critical Infrastructure in the Americas, which was based on a survey conducted in 2015 of companies and government bodies in the Americas, found that 47% of energy organizations had experienced cyberattacks that attempted to delete or destroy their information.

DHS identifies the cyberthreat coming from what it calls “sophisticated actors” (code for state-sponsored hacking) as well as hacktivists, insiders, and criminals.

The oil and gas industry itself appears to be concerned about the threat. Ernst & Young stated in 2015 that 61% of oil and gas organizations surveyed believed they would be unlikely to be able to detect a sophisticated cyberattack. Only 13% thought that their information security function met their organizational needs.

Bennett Jones via Mondaq | 1 March 2016

Toward the Creation of IT Security Standards for the Alberta Oil and Gas Industry

In its first public report of 2016, the Office of the Auditor General of Alberta reviewed, among other things, information technology (IT) security for industrial control systems used in Alberta’s oil and gas industries. Forming part of the industry’s critical infrastructure, these systems consist of hardware and software technologies that facilitate the production and delivery of energy produced in Alberta (e.g., flow measurement and control products and pipeline leak detection solutions).

The auditor general’s office states the rationale for its audit is “… we believe Albertans may be at risk if [control standards] are unsecured or do not meet minimum IT security standards.”

Given that no entity within the government of Alberta has assessed the threats, risks, and effects of cyberattacks on control systems used in the Alberta oil and gas industry, the Alberta auditor general recommended that the Department of Energy and Alberta Energy Regulator work together to determine whether an assessment of such threats, risks, and effects should be undertaken.

Rigzone | 11 February 2016

Digital Shadows Offers New Defense to Oil, Gas Cyberthreats

As the oil and gas industry pushes toward greater use of automation and digital technologies to enhance operational efficiency, productivity, and safety, it must grapple with the cybersecurity threats that automation and digital technology present. With cyberthreats affecting energy operations, from upstream to energy trading, the traditional tools of perimeter monitoring make it challenging for oil and gas companies to gather and understand all of the information that lies in their digital shadows.

Digital Shadows’ technology goes beyond the perimeter, prowling through everything online, to find potential threats to oil and gas companies and their operations. These sources not only include the visibly open Internet that everybody uses but also sources not indexed by Google. Digital Shadows also monitors a subset of the Internet called the Deep Web, or Dark Web. This includes websites that that allow people to remain anonymous online. While much of this material is benign, forums and message boards where weapons, drugs, or company data can be bought and sold are found there.

Offshore Energy Today | 1 December 2015

Top 10 Cybersecurity Threats for the Oil and Gas Industry

With the exploitation of new cost-effective operational concepts, use of digital technologies, and increased dependence on cyberstructures, the oil and gas industry is exposed to new sets of vulnerabilities and threats, DNV GL writes in an article identifying the biggest cybersecurity threats to the oil and gas industry.

According to the company, cyberattacks have grown in stature and sophistication, making them more difficult to detect and defend against, and costing companies increasing sums of money to recover from.

DNV GL is delivering a cybersecurity study to the Lysne Committee, a body appointed by the Norwegian Ministry of Justice and Public Security to assess the country’s digital vulnerabilities. DNV GL’s study reveals the top 10 most pressing cybersecurity vulnerabilities for companies operating offshore Norway.

The top 10 cybersecurity vulnerabilities identified from the study are

  1. Lack of cybersecurity awareness and training among employees
  2. Remote work during operations and maintenance
  3. Using standard information-technology products with known vulnerabilities in the production environment
  4. A limited cybersecurity culture among vendors, suppliers, and contractors
  5. Insufficient separation of data networks
  6. The use of mobile devices and storage units including smartphones
  7. Data networks between on- and offshore facilities
  8. Insufficient physical security of data rooms, cabinets, etc.
  9. Vulnerable software
  10. Outdated and aging control systems in facilities

Read the full story here.

Rigzone | 19 November 2015

Oil, Gas Cyberattacks Increasing

Cyberattacks in the upstream oil and gas sector are increasing, according to Eric Knapp, the global director of cybersecurity solutions and technology for Honeywell Process Solutions.

At an annual meeting for Honeywell users in Europe, the Middle East, and Africa being held in Madrid , Knapp said that not only is the oil and gas industry seeing more cyberthreat activity but that threats of this nature are becoming more advanced.

“In those sites that we support directly, we have seen that there’s an increase in activity. We can extrapolate from that that globally there’s an increase … . Malware creation and the cyberthreat as an entity is an organization. Malware changes and evolves … . We’re seeing activity increase across the board.”

Rigzone | 17 November 2015

Changing Human Behavior Key To Thwarting Cybersecurity Attacks

Despite increased spending on technology to stave off cyberattacks, companies are getting compromised more and taking bigger hits.

The revenue of cybersecurity companies traded on the public market grew an annual average of 20% last year, said Rohyt Belani, cofounder and chief executive officer of PhishMe, during a keynote presentation at the API Cybersecurity Conference in Houston.

But a PricewaterhouseCoopers report found that the number of reported cybersecurity incidents rose by 48% this year and the number of companies reporting cyber-related financial hits of over USD 20 million grew by 92%.

“We love silver bullets in cybersecurity,” Belani said.

However, companies using this approach will likely fall flat on their face. Just like living a healthy lifestyle is no guarantee against a person getting cancer, cybersecurity is about mitigating risk and rapidly responding to events. But cybersecurity preparedness provides no guarantee that an incident won’t occur.

“Often what I find is that people equate compliance with security,” said Belani, but compliance isn’t enough. Instead, a threat-based approach is needed.

Rigzone | 17 November 2015

Security Chief Says Cybersecurity Ranks as Top Long-Term Threat to Statoil

While terrorist attacks grab headlines, cybersecurity poses the greatest long-term threat to Statoil ASA’s global oil and gas operations.

The 2013 terrorist attack on Statoil, BP, and Sonatrach’s jointly held facility in El Amenas, Libya, prompted Statoil to set up an independent investigation to assess the risk of a similar attack occurring in the future. The company’s report on the incident, published in September 2013, concluded that the company lacked a security culture and the security it had in place was not fit-for-purpose for a company with international aspirations.

After completing its assessment, Statoil determined that the great long-term threat to its operations came not from physical attacks but from cybersecurity attacks, Adrian Fulcher, head of security threat assessment at Statoil, told attendees at the API Cybersecurity Conference in Houston.

While the company operates in a number of challenging environments worldwide, most of Statoil’s assets are on the Norwegian continental shelf, Fulcher said. As a possible consequence, the company has had a fairly easygoing security culture, which also extended to Statoil’s cybersecurity culture.

“If we were to suffer a major large-scale accident as a result of an attack on our industrial control systems, it is something that would shape and change the future course of the company in a big way,” Fulcher said.

Dark Reading | 5 November 2015

How Hackers Can Hack the Oil and Gas Industry With ERP Systems

Researchers at the Black Hat Europe conference in November will demonstrate how SAP applications can be used as a stepping stone to sabotage oil and gas processes.

Hackers can exploit weaknesses in enterprise resource planning (ERP) systems on oil and gas firms’ corporate networks in order to sabotage pipeline pressure or hide oil spills, researchers have discovered.

Researchers at Black Hat Europe, set for 10–13 November in Amsterdam, will demonstrate these and other attacks on oil and gas networks by abusing holes in SAP ERP applications used in the industrial sector. Oil and gas industrial networks rely on ERP software to help manage and oversee the oil and gas production and delivery processes.

“We want to show that not only Stuxnet-type attacks using USB are possible,” said Alexander Polyakov, chief technology officer and founder of ERPScan, who, with Mathieu Geli, a researcher with ERPScan, will demonstrate several proof-of-concept attacks at the conference. An attacker could hack the systems remotely over the Internet, he says, or from the oil and gas firm’s corporate network.

“SAP is a key to this kingdom because it has a lot of products specifically designed to manage some processes such as operational integrity or hydrocarbon supply chain. Since SAP systems are implemented in, if I’m not mistaken, about 90% of oil and gas companies, this key can open many doors,” he said. “SAP is connected with some critical processes which, in their turn, are connected with other processes, and so on.”

Valley News | 20 October 2015

Dartmouth College Receives USD 925,000 Cybersecurity Grant

Dartmouth College has received nearly USD 1 million from the Cyber Resilient Energy Delivery Consortium as part of its USD 28.1 million effort to create and foster cyberattack-resistant systems for electric power and oil and gas industries.

The consortium includes 11 national laboratories and universities and is led by the University of Illinois. It is a successor to earlier efforts to create trustworthy cyberinfrastructure for the power grid. Dartmouth has been a partner in the project since the beginning 10 years ago, according to a news release from the college.

The funding comes from the US Department of Energy.

Dartmouth’s USD 925,000 grant “will improve the protection of the US electric grid and oil and natural gas infrastructure from cyberthreats,” according to a statement from the Energy Department posted on Dartmouth’s website.

Rigzone | 20 October 2015

Security in Oil and Gas: The Threat From Within

Since the Second World War, one of the realities of the upstream oil and gas industry is that it often has to operate in dangerous parts of the world. Being a precious commodity that much of the modern world relies upon in order to function, access to oil itself is a driver of political turmoil and can be blamed—at least in part—for numerous conflicts from the Suez Crisis in 1950s through the Gulf War in the 1990s to today.

Right now, one of the major threats to oil and gas assets, and to engineers and other frontline staff, based in the Middle East and Africa is from Islamist terrorism. No single event comes closer to exemplifying this threat than the January 2013 attack against expatriate and local energy company workers at the In Amenas gas processing facility in Algeria.

That incident became a 4-day siege that resulted in the deaths of 39 foreign hostages and an Algerian security guard.

At the recent Offshore Europe conference in Aberdeen, the In Amenas atrocity was discussed in some detail by Adrian Fulcher, a British counter-terrorism specialist who served on Statoil ASA’s special investigation team that looked into the incident.

Taking part in a conference session on security of personnel and assets, Fulcher explained that the attack on In Amenas was extremely well planned and prepared and that it was carried out by people who had the ability to be flexible and think on their feet when dealing with contingencies.

The terrorists had navigated through the desert during the night to arrive at the break of day and then had complete control of a 10-square-kilometer area that encompassed the In Amenas gas facility. They separated out the foreign staff from the local employees, and they knew some of these expats workers and managers by name while they were able to identify others using documentation that they found at the facility. It was clear that they had had insider help.

“There was an impressive amount of intelligence, insider support and preplanning. I think that’s … a characteristic of the threat profile that, more widely, the industry has to face. That the people who threaten us, whether they’re terrorists, whether they’re cybercriminals or whether they’re organized criminals, they increasingly do their intelligence homework first,” Fulcher said.

“They look at us very hard, they seek to understand how we operate and where our vulnerabilities are, and they exploit those vulnerabilities against us. And how do they do that? Typically, with insider support.”

The implication is that oil and gas companies are going to have to spend a lot more time and effort vetting their employees—particularly those who work in politically sensitive parts of the world.