Industrial-Sized Cyber Attacks Threaten the Upstream Sector

Topics: Data and information management Risk management/decision-making
Image courtesy of ElbPresse.
Malware designed to infect operational networks that control oilfield machinery is on the rise, and security flaws make addressing the situation difficult.

The oil and gas industry is coming to terms with a cyber threat landscape that has expanded beyond data breaches and the theft of intellectual property. The latest battlefront is in the field where critical drilling and production assets are at risk of being disrupted or destroyed, thanks to their highly vulnerable control systems.

The industry has experienced only a few cases of these so-called cyber-to-physical attacks but the US Department of Homeland Security predicts that by 2018 cyber attacks against oil and gas infrastructure around the world will cost almost USD 1.9 billion. One of the most dire warnings comes from the multinational risk adviser and insurance firm Willis Group, which in 2014 reported that “a major energy catastrophe, on the same scale as Piper Alpha, Phillips Pasadena, Exxon Valdez, or Deepwater Horizon,could indeed be caused by a cyber attack.” The company noted in its report that insurance providers generally will not cover such events.

The concern over control systems has come to the forefront because of the widespread use of digital oilfield technology that began about 2 decades ago. Driven by significant gains in efficiency and production, companies eagerly moved to tether nearly every facet of operational networks to the Internet, either directly or through corporate networks. On the plus side, the industry gained invaluable real-time data, various operations became automated, and engineers working in office buildings could remotely control offshore operations.

But the computer hardware that makes all of this possible was never designed to be connected to the Internet. Known collectively as Industrial Control Systems (ICS), they were built to run in isolation and thus have no security measures that guard against run-of-the-mill malware, let alone a targeted cyber attack launched by a sophisticated hacker.

“Security was not important for anyone; what was important was to have those systems operational,” said Ayman Al Issa, chief technologist and senior adviser of industrial cyber security at Booz Allen Hamilton. He added, “Based on our experience, it is easy to attack those systems—it is easy to attack thousands of them.”

This article is reserved for SPE members and JPT subscribers.
If you would like to continue reading,
please Sign In, JOIN SPE or Subscribe to JPT

Industrial-Sized Cyber Attacks Threaten the Upstream Sector

Trent Jacobs, JPT Senior Technology Writer

01 March 2016

Volume: 68 | Issue: 3