Standards and Guidelines

How to Use Standards and Guidelines to Secure Energy Assets from Cyberthreat

Assets in the Oil & Gas industry used in exploration, drilling, transportation and production depend on a myriad of inter-connected industrial automation and control systems. Today, this industry is undergoing a massive digitalization process offering new insight, efficiency, optimization and the ability to keep people away from harmful tasks. Taking advantage of digitalization and increased connectivity, however, also means opening up OT systems to cyber threats.

The energy industry represents a target-rich environment for cyber-attacks by criminals, terrorists, and hacktivists. While their respective goals may differ, the risks and potential consequences of a successfully executed cyber-attack may be severe, even if the attacker did not intend to cause such major consequences.
Many energy workers have experienced how quickly and easily malware and viruses can be accidentally transferred to OT systems, for example through e-mail, insecure websites, or infected devices brought in from the outside. As the levels of digitalization and automation increase, the potential for damaging consequences increases in step. Even more disturbing is the fact that many cyber-attackers today are extremely well financed and organized, capable of launching highly sophisticated attacks. Hacker tools are available for sale on the black market, providing perpetrators with a comprehensive toolbox to build from.

Better security practices and solutions are required

At the same time as personnel in most professions today are increasingly impacted by digitalization, they are also equally impacted by the risk of cyber-attacks. Protecting both the IT and OT systems controlling industrial assets requires a new way of thinking amongst all categories of personnel, not only those responsible for IT security.

International and national standardization and regulatory activities to protect OT systems in the Oil and Gas industry have taken form. Examples are voluntary guidelines issued by or referred to by regulators. The goal of these guidelines is to ensure a common adequate level of security in all parts of the supply chain affecting Oil and Gas assets. Often, they reference industry-generic, internationally recognized standards. A few examples relevant for Oil and Gas assets:

  • NOG 104 – Norwegian Oil and Gas recommended guidelines on information security baseline requirements for process control, safety and support ICT systems (Norway).
  • ISA/IEC 62443 Standard series – a cybersecurity standard aimed at securing OT systems against cyberthreats. This standard is becoming increasingly adopted and recognized across industries.
  • The NIST Cybersecurity Framework (NIST CSF) – originally a U.S. standard aimed at operators of critical infrastructure. Now internationally recognized and widely used in various industries.

International Association of Drilling Contractors

Several industry groups are working to help asset owners and operators manage the threat of cyber-attacks and meet current and future regulatory demands. As an example, the International Association of Drilling Contractors (IADC) is developing guidelines for drilling assets based on the five core functions of the NIST CSF. This work is performed in close cooperation with other industry groups, such as the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC), the American Petroleum Institute (API) and the International Association of Oil & Gas Producers (IOGP), as well as regulators like the U.S. Coast Guard.

The IADC guidelines provide asset owners and operators with building blocks to develop their own Cybersecurity Programs taking relevant industry and international guidelines into account.

Secure-NOK has chaired the IADC Cybersecurity Committee since its beginning as a Work Group in 2014.

We and others have contributed our expertise in developing policies, processes and technology to ensure security. In close cooperation with the industry, we make sure that everything we propose is practical and can realistically be applied in a driller’s environment and mode of operation. The result of this effort is a series of user-friendly guidelines designed to help drillers become more secure:

  • Guidelines for Assessing and Managing Cybersecurity Risks to Drilling Assets.
  • Guidelines for Minimum Cybersecurity Requirements for Drilling Assets.
  • Ongoing work: Guidelines for Network Segmentation.
  • Ongoing work: Guidelines for Cybersecurity Training.
  • Ongoing work: Guidelines for Hardening of Control Systems Focusing on Existing Drilling Assets.
  • Ongoing work: Guidelines for Security Monitoring and Audit.