The modern-day interconnected world is very vulnerable to cyber-attacks and industries are taking more and more countermeasures than ever to safeguard their systems and data. Across industries, companies have been accelerating the countermeasures as well as intensifying the focus on cyber security. This has come as a reflection of the role that digitization plays in daily business and operation. The oil and gas industry is not an exception. While the benefits of digitization are overwhelming, it has its own ill-effects which contributes to the increased risk of cyber security attacks. The internet facilities on an Offshore infrastructure, dynamic positioning navigation, GPS systems onboard – all these come with vulnerabilities that can be exploited by cyber criminals with the intent on causing operational disruptions, financial loss, reputational damage, etc.
Over the years, there have been many cyber security attacks on the offshore oil and gas sectors including the tilting of oil rigs, malware-infected platforms, industrial control systems being hacked. There have been also attacks that are related to insider misuse, miscellaneous errors, cyber espionage, etc. The countermeasures deployed in oil and gas platforms are a result of intensive cyber security assessments and audits that cover a wide area including physical security, environmental security, policies and procedures, safety on and offshore, host-based security, network security, etc.
Cyber Security Training and Awareness
The present-day scenario of globalization and interconnectivity, cyber security is a threat that must be taken with the utmost attention and the management need to take responsibility to inform its employees about it through various awareness and training. Almost 80% of cyber security attacks are related to incidents offshore are a reflection of human error. This is due to a lack of awareness training which is one of the biggest challenges or vulnerabilities faced by the industry. The offshore oil and gas fields are high profile targets for cyber criminals that pose such vulnerability. The absence of training for the employees clearly projects the lack of a clear cyber security policy which will direct the management about the countermeasures or the necessary defensive mechanism against cyber threats.
Unclear/Lack of Cyber Security Policies and Procedures
The process of establishing a clear, straight forward and self-explanatory policy for cyber security can take a tremendous effort but the importance and the results of cyber security policy are worthwhile. Whilst there are many standards and guidelines about how to develop such cyber security policies, it is the responsibility of the management to choose and implement them. Unclear cyber security policies are equal to none as it misleads the management and the employees about how the countermeasures are to be implemented. Companies need to create comprehensive security policies, plan for training to implement them, audit to ensure that the policies are being complied with and monitor systems to detect changes in real-time.
Outdated Industrial Control Systems
The ABI Research study describes the Industrial Control Systems in many oil and gas companies as “poorly protected against cyber threats. At best, they are secured with IT solutions that are ill-adapted to legacy control systems such as Process Control Network (PCN). The legacy Industrial Control Systems are a soft target for any cyber attack as it lies with the minimum protection. Advanced Persistent Threat (APT) – a type of attack which is often described as stealthy, dangerous and most importantly, often too successful. Such APTs directed towards a legacy Industrial Control System can cause huge damage in all aspects. An Industrial Control System has to work over extended lifecycles which puts premium stability and minimizes the opportunity for upgrades. This ultimately poses a threat, creates a free space for cyber threats to progress.
Inadequate separation of Industrial and IT networks
There are many Oil and Gas companies combining Industrial Control Systems (ICS) with much wider networks for the purpose of faster information exchange between the IT and OT environment. While this is cost-effective, it also creates more vulnerable links within the system which leave the OT systems open to the public on the internet. Any cyber attacks on such systems may lead to an eventual shutdown of the whole system. The internet access on an offshore platform for operational as well as leisure purpose sees a lot of threats and often comes with the increased risk of facing a cyber-attack. The dependencies of IT and OT systems opens a huge door for such cyber-attacks when they are safeguarded with very little protection. The growing use of Remote access from the IT domain to the OT comes with a certain risk, when not properly monitored and controlled becomes an easy target for cyber criminals.
Too little Network security measures- On- and Offshore
The use of IT protocols in Industrial Control Systems can make these systems vulnerable to network attacks and can open a backdoor into the company’s IT networks, putting both the systems at risk. Adding to the complexity of integrated systems, there are new technologies around the corner such as the usage of a cloud platform to perform operations, etc. which brings in vulnerabilities and requires adequate security countermeasures. The choice of implementing security measures depends on the type and the architecture of the Industrial Control System. The security measures also depend on the maturity of the company’s security program. The security program reflects the cyber security strategy of the company in response to the various threats and it should be an integral part of a company’s daily operational business.
