Deloitte’s hacking report underscores cybersecurity threat to oil and gas companies

 

Cyber-attacks are developing into formidable threats within the oil and gas industry, and according to a recent study by Deloitte, the industry may not be regarding these threats with the respect that they deserve.

The study indicated that 75% of U.S. oil and gas companies were attacked by a hacker, at least once in 2016. Yet, “only a handful” mentioned cybersecurity as a major concern in their annual filings from 2016, said the accompanying report by Deloitte’s Anshu Mittal, Andrew Slaughter, and Paul Zonneveld. Instead, most organizations have lumped together cyber threats with a long list of other challenges, like weather disruptions and labor disputes. A large chunk of international companies have simply ignored the cybersecurity threat in the filings, without any acknowledgment of the word “cyber.”

However, unlike bad weather or workforce disruptions—which have more well-defined and familiar solutions—cybersecurity is still a somewhat nebulous term, with differing meanings between organizations. The consequences of cyber breaches can also be wide-ranging, although the full extent of such threats is unclear. Deloitte has made a fair attempt at characterizing what cyber-attacks on the E&P sector can look like. The firm has presented several possible scenarios in its report, which could take place in the exploration, development and/or production stages.

Exploration. One example that Deloitte outlines is exploration and bidding data theft. Deloitte cites the 2011 Night Dragon cyber-attack, when hackers disabled proxy settings and stole exploration data from several operators, and the firm warns that others are susceptible.

“Companies are increasingly using advanced gravity wave sensors to improve accuracy of subsurface imaging, and putting more and more terabytes of seismic data to use by digitizing, storing, and processing it on supercomputers,” the report said. “Expanding such software-based, high-performance computing and storage advancements would, no doubt, exponentially enable IoT-based value creation. But when this exploration data starts feeding, in real time, into cross-discipline upstream operations, such as drilling plans of nearby fields, completion designs, and reserve estimations, a cyber-attack’s impact would multiply, from a potential revenue loss to a significant business disruption.”

Development. The report states that development drilling operations are extremely vulnerable to severe cyber-attacks. “From hackers drifting a floating unit off of a Gulf of Mexico wellsite, to tilting an oil rig off the coast of Africa, to making network subject-matter resources take 19 days to delete malware from an oil rig on its way from South Korea to Brazil, the phase has already seen many incidents,” the authors said. “Whether it is an asset loss, business disruption, regulatory fines, reputation damage, IP theft, or a health, environment, and safety incident, this phase has the highest future opportunity cost across all the risk categories.”

Production operations are most at-risk of cyber-attacks in the upstream sector, according to Deloitte, “mainly because of its legacy asset base, which was not built for cybersecurity but has been retrofitted and patched in bits and pieces over the years, and lack of monitoring tools on existing networks.” While 42% of the globe’s offshore oil and gas facilities have been operational for more than 15 years, less than half of these companies are equipped with network monitoring tools. Of that group, just 14% have “fully operational” security monitoring systems, the study indicates.

The uniformity of security from well to well is also concerning. For instance, if an operator has more than 25,000 wells in its portfolio, it likely has many different industry control systems from a variety of different vendors for each well. If these disparate systems are all connected to a company’s main enterprise network, then a hacker has many different ways to attack the enterprise and its resource planning systems—which are used by companies to control 75% of global oil and gas production, the report said.

“Thus, the consequence of a cyber-attack on oil and gas production could be severe, promptly affecting both the top and bottom lines,” the authors state. “Unlike more complex and specialized seismic and drilling data, production parameters (typically consisting of temperature, flowrate, pressure, density, speed, etc.) are relatively easy to understand, allowing hackers to go for high-consequence breaches.”