Oil and gas might not seem like an industry that hackers would target. But they do—and the cybersecurity risks rise with every new data-based link between rigs, refineries, and headquarters. In an increasingly connected world, how can upstream oil and gas companies protect themselves?
Introduction: Risks—and Stakes—Keep Rising
For years, cyberattackers have targeted crude oil and natural gas companies, with attacks growing in frequency, sophistication, and impact as the industry employs ever-more-connected technology. But the industry’s cyber maturity is relatively low, and oil and gas boards show generally limited strategic appreciation of cyber issues.
Why is this so? Perhaps because the industry—engaged in exploration, development, and production of crude oil and natural gas—may simply feel like an unlikely target for cyberattacks. The business is about barrels, not bytes. In addition, the industry’s remote operations and complex data structure provide a natural defense. But with motives of hackers fast evolving—from cyberterrorism to industry espionage to disrupting operations to stealing field data—and companies increasingly basing daily operations on connected technology, risks are rising fast, along with the stakes.
Different areas of the oil and gas business, naturally, carry different levels of risk and demand different strategies. A previous article, "An Integrated Approach To Combat Cyberrisk: Securing Industrial Operations in Oil and Gas," looked at cyberrisks and the governance process at an overall oil and gas industry level; this follow-up explores the upstream value chain of the oil and gas industry (exploration, development, and production) to assess each operation’s cyber vulnerability and outline risk mitigation strategies.
Among the upstream operations, development drilling and production have the highest cyber risk profiles; while seismic imaging has a relatively lower risk profile, the growing business need to digitize, e-store, and feed seismic data into other disciplines could raise its risk profile in the future. A holistic risk-management program that is secure, vigilant, and resilient could not only mitigate cyber risks for the most vulnerable operations but also enable all three of an upstream company’s operational imperatives: safety of people, reliability of operations, and creation of new value.