Cybersecurity for Upstream Operations

Fig. 1—The steps of risk management as applied to a simulated cyberattack scenario.

During well drilling and completion, cybersecurity is critical for securing data to prevent hacking or the loss of software programs. Paying attention to data flow, with the goal of protecting the data as well as the facility, while developing capabilities to deal with intrusions is important. This is the essence of cybersecurity and operational leadership. This paper emphasizes the value gained by investing in cybersecurity for drilling, workover, and completion operations.

Introduction
Countless engineering and research projects have addressed cybersecurity for downstream operations. Other works have discussed remote upstream operation models along with data flow and information management that have been implemented to digitize the upstream industry, moving it to a new level of automation, efficiency, and improved overall performance. The benefits of the transforming digitization include assurance, cross-organizational collaboration, leveraging of knowledge, and safer operations with minimal human presence on the well site because of remote control. On the other hand, sensors, controls, and networks are added when intelligence is added. This digital expansion creates vulnerability and more entry points—back doors—to exploit defects and weaknesses. One of the reasons for this proliferation of weaknesses is that no logical system can describe a physical system perfectly because too many pieces are involved.

The Pressing Threat
Upstream oil and gas represents the world’s largest supply chain, involving numerous subcontractors who supply equipment, fluid, and other services to the operating company. The life of upstream assets and resources lasts for decades with multiple time scales for different facilities.

Threats and security defenses continuously evolve and change, but much of a facility does not. This makes cybersecurity of long-lived assets very complex, especially because decisions taken will last a long time and be costly. Additionally, the extended reach of oil and gas infrastructures into remote operational areas creates vulnerability and security exposures alongside environmental risk. Accidents in such extended facilities result in liability increases, revenue losses, and the loss of safety standing with society and authorities.

While substantial emphasis has been placed on physical security for decades, cybersecurity is still evolving and is building an experience curve as threats keep moving.

Cybersecurity attacks on energy companies are also capturing headlines. The root of the problem is that many of the control systems are connected to a company’s business network and, therefore, to the Internet. Three prominent factors in the digital oil field create vulnerability. The first is increased connectivity, which raises the threat for extended facilities. Metcalf’s Law says that the number of possible cross-connections in a network grows as the square of the number of computers increases. Conversely, the resulting increase in traditional security systems is not squared, which raises the security threat in extended facilities. As more sensors are added, the connectivity rises rapidly (is squared) because these instrumentations depend on connectivity to function. Second, the adoption of commercial information platforms carries risk. Third, social engineering, defined as using a system’s weakness and cracks to phish for sensitive information, targets the larger population of computer-using employees.

Experience has shown that an iterative security strategy is effective in the detection, mitigation, and prevention of cyberthreats because those threats are constantly changing. The iterative strategy, as defined by the Center for Chemical Process Safety, strives to bring about more-secure operations by first eliminating a hazard completely; then reducing the likelihood or severity of a hazard by means of equipment, operation, or process redesign; and finally substituting a less-hazardous material or using a less-hazardous process to reduce the potential or consequences of human error, equipment failure, or intentional harm. Also, the iterative approach accounts for the entire life cycle of a system, including all the associated hazards and risks as well as economic feasibility.

Integrated Cyber- and Physical Security Systems
Cyber- and physical security is concerned with the management of unintended events. The complexity of the energy business stems from the multiple interacting parts of the energy system, producing behaviors that would be expected. The system approach helps create a more-accurate understanding of the cause-and-effect pattern, enabling analysts to predict outcomes and deal with surprises better.

One of the key aspects in understanding security is recognizing that the logical system is not a perfect representation of the physical system and knowing where the resulting weaknesses will show up. Network security consists of activities and policies designed to safeguard timely access to services, the integrity of data flow, and the levels of trust between systems and users. One company that offers information-management and data-acquisition support for major industrial infrastructures has proposed a defense system with three threat-interaction categories: visibility, access, and trust (VAT). In terms of visibility, targets should not be visible and advisories should be highly visible. In the access category, access should be reduced to the absolute minimum necessary to achieve system deliverables. Regarding trust, spreading trust among multiple administrators rather than trusting one point of failure in the architecture is desirable. All secure deployment-architecture patterns revolve around these three categories. Selecting the appropriate deployment architecture is critical. The wrong architecture can cause problems because of potential two-way communication, creating pathways for bad actors to access the system.

A demilitarized-zone (DMZ) network is recommended for secure plant-information-system deployment patterns. The most important function of the DMZ network is to enforce termination of network traffic within the DMZ. The intent is to avoid a single point of failure that results in a potential breach of the control system.

In addition to avoiding a single point of security failure—because of configuration error or actions by a disgruntled administrator—multiple firewalls provide another quick-disconnect point.

The security posture can be improved by providing application servers within the corporate network. Essentially, a server is allocated for groups of users or for specific kinds of service. For example, the top plant-information server is the primary server and is used only by administrators. The middle server is the default for the corporate domain. The bottom server is allocated to the protected control network. Fail-over priorities can be configured and further enforced by firewall rules.

Visibility is reduced as corporate users see only the corporate data streams. Access is reduced as fewer corporate users need to have access to the DMZ network, and, with two independent plant-information systems, trust in a single administrator is also reduced.

No matter how advanced the technology, individuals and organizational culture—represented in the way that security is communicated—remain the most crucial defense against cyberattacks.

Information Risk Management
The risk-management exercise is a useful tool to understand the problem context, identify risks and causes, assess potential consequences, and evaluate treatment strategies that will eliminate and reduce hazards; it also suggests how to communicate lessons learned for improvement opportunities. Fig. 1 represents the steps of risk management as applied to a general cyberattack scenario. The simulated scenario involves cyberattack risks coming from social-engineering phishing with web-based delivery that succeeds in corrupting the user’s hard drive and losing all its information or phishing with web-based delivery that succeeds in letting hackers into the user’s computer system where they can see all personnel/secured/sensitive materials and use that to harm the user or the company. The risk matrix will close gaps and assign responsibilities that will increase the difficulty of a cyber breach, increase detection capability, and abate negative consequences.

Conclusions and Recommendations

  • Industrial-data-flow and control-logic models are the digital brains that monitor, manage, and control the vast interconnected networks of upstream operations.
  • Once an advanced system is infected with a persistent threat, removing the bug is difficult; even reformatting will not remove it. This further highlights the need for a proactive and iterative approach to cybersecurity in upstream digital operations.
  • A cyberattack can be discovered by observing off-nominal events or sudden changes in measurements, including pattern deviation. The solution after discovering an attack is to stop its replication.
  • Inevitable flaws in software create vulnerabilities when someone finds that crack in the system. Generally, proprietary software is more secure than commercial software.
  • Company cultures that have clear responsibilities for employees at different levels experience fewer security gaps; every employee is aware of his or her area of responsibility in terms of risk management. The risk matrix is a useful tool for assigning responsibilities. This will also boost the company’s defense base against hacks.
  • Also essential is recognizing that, when making a cybersecurity recommendation, the outcome cannot be computed perfectly because of uncertainty but decisions can influence the direction in a way to make the outcome of future events more positive than it is now.

This article, written by Special Publications Editor Adam Wilson, contains highlights of paper OTC 28121, “Cybersecurity for Upstream Operations,” by Mohammed A. AlGhazal, SPE, and Mohammad J. AlJubran, SPE, Saudi Aramco, prepared for the 2017 Offshore Technology Conference Brasil, Rio de Janeiro, 24–26 October. The paper has not been peer reviewed. Copyright 2017 Offshore Technology Conference. Reproduced by permission.

 

 

HSE Now is a source for news and technical information affecting the health, safety, security, environment, and social responsibility discipline of the upstream oil and gas industry.