Oil & Gas Industry: Time To Get Serious About Cybersecurity

Brent Potts

Cyberattacks currently cost businesses as much as $400 billion a year globally, and experts predict the costs could reach $90 trillion by 2030 (Cybersecurity Market Report, 2015). Malicious cyberattacks are on the rise, and the Internet of Things (IoT) revolution is only adding to security concerns. In fact, research has shown that IT leaders are even delaying IoT initiatives because of concerns about increased data exposure and information security (IT Pro, 2016). This is understandable considering documented evidence of sophisticated attacks launched by governments, corporations, and individuals.

At a national level, governments with near limitless resources have retrieved sensitive data through unauthorized network access. In the case of Petrobras, for example, the United States National Security Agency has been accused of using malware and covert implants to access data from Petrobras's private network. While the U.S. government acknowledges it conducts surveillance in the interest of national security, it denies the information gathered on Petrobras was illegal espionage.

In addition to gathering data on unsuspecting targets, cyberattacks have also been conducted with the intention of causing harm or destruction. Sony Pictures was the victim of such an attack in late 2014, when hackers accessed its computer systems, stole confidential documents, and then leaked the information to the public. While some believe the attacks came from the North Korean government, most researchers believe it was the work of a professional hacking group with assistance from a disgruntled insider.

Finally, there are the untargeted attacks, or what some call “Internet background noise.” These types of cybersecurity threats come from hackers who care more about the challenge of hacking into a system than what is actually on the system. These attacks usually can be stopped by standard security practices or off-the-shelf tools.

Oil and gas companies have always been serious about security, mainly because their facilities are a critical part of a society’s infrastructure and the potential for catastrophic damage is very real. For example, consider the devastating impact a compromised refinery in northern California could have on the surrounding areas. For this reason, most oil and gas companies previously have used physically wired, proprietary technology systems without Internet access, but this is changing due to the compelling benefits of IoT. Yet unique aspects of the industry continue to pose ongoing security challenges, such as the safety of pipelines in remote or unstable areas.

The vision: A secure end-to-end solution

Ultimately, oil and gas companies need a secure end-to-end solution where data from the edge is captured and securely transmitted to a high-speed technology platform. From there, the data is inspected, stored, and used for analytical or predictive modeling to determine appropriate next-step actions. Therefore, the main security goal must be to prevent the corruption of data throughout the cybersecurity framework and to treat communications from the edge of the network as “hostile until proven otherwise.” The security solutions must reject anything deemed untrustworthy and immediately notify the appropriate people.

The challenge: Protect the edge

Of course, creating a secure network that can help decision makers transform data into action is easier said than done. First, the industry must work together to protect the edge of the network. Machines that communicate with other machines often have been designed by manufacturers who are not familiar with existing and long-established security best practices. For this reason, mistakes are being made in software development that open up opportunities for security breaches. In addition to protecting the machines, companies should also implement enhanced physical security measures such as prohibiting personal devices from entering secure buildings or requiring security identification badges. Interestingly, the vast majority of cybersecurity attacks are facilitated either willingly or unwillingly by someone inside an organization.

The solution: Cooperation and communication

As with most complex situations, there is not a single comprehensive solution to protect data and networks from cyberattacks. Cybersecurity is an ongoing and evolving challenge, with solutions varying depending on the individual situation. However, exposure to threats can be greatly diminished through partnerships and technology. On the communication side, having a process for reporting vulnerabilities or publishing security findings, whether there is a fix or not, could help develop solutions more quickly.

On the technology side, the security advancements needed for a more secure network can be broken down into three layers:

  • Security prevention – Technologies used to prevent cyberattacks from accessing data on the end devices.
  • Security detection – Technologies for identifying, containing, and mitigating attacks on data centers, platforms, or applications, including scanning ERP systems and threat modeling exercises.
  • Security resiliency – Technologies that help prevent hijacked edge devices from corrupting data and passing it along to the infrastructure.

Security-related technologies often use sophisticated modern-day PKI cryptography, which provides both encryption and client or server identity certification, to ensure the edge device and the endpoint for any device communication are indeed communicating with the right host. This information is then supplemented by intrusion prevention and detection software, network access controls (ideally operating on device behavior, which in many cases can be reasonably and confidently predicted in a machine-to-machine/IoT scenario), and other standard security infrastructure – including over-the-air firmware updates for any patching of the edge devices.
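The following added example (not from the article or any product) shows access control operating on predictable device behavior, combined with the "hostile until proven otherwise" rule: a message is admitted only if every check passes, and every rejection triggers a notification. The field names, profile values, and hostname are assumptions, and all fields except the reading are assumed to be recorded by the ingest gateway rather than supplied by the device.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    """Expected behaviour of one device class (hypothetical values)."""
    allowed_dests: frozenset   # (host, port) pairs the device may contact
    min_interval_s: float      # fastest legitimate reporting rate
    value_range: tuple         # plausible sensor reading (low, high)

PROFILES = {"pressure-sensor": Profile(
    frozenset({("ingest.example.internal", 8883)}), 30.0, (0.0, 150.0))}

def evaluate(msg, last_seen, profiles=PROFILES):
    """Return the reasons to reject msg; an empty list means admit."""
    profile = profiles.get(msg.get("device_class"))
    if profile is None:
        return ["unknown device class"]
    reasons = []
    if msg.get("cert_verified") is not True:  # set by the TLS layer, never by the device
        reasons.append("client certificate not verified")
    if (msg.get("dest_host"), msg.get("dest_port")) not in profile.allowed_dests:
        reasons.append("unexpected destination")
    prev = last_seen.get(msg.get("device_id"))
    if prev is not None and msg["ts"] - prev < profile.min_interval_s:
        reasons.append("reporting faster than profile allows")
    value, (low, high) = msg.get("value"), profile.value_range
    if not isinstance(value, (int, float)) or not low <= value <= high:
        reasons.append("reading outside plausible range")
    return reasons

def process(messages, notify):
    """Admit messages that pass every check; reject and notify on the rest."""
    last_seen, accepted = {}, []
    for msg in messages:
        reasons = evaluate(msg, last_seen)
        if reasons:
            notify(msg.get("device_id"), reasons)  # rejected data is never stored
        else:
            accepted.append(msg)
            last_seen[msg["device_id"]] = msg["ts"]
    return accepted

# Constructed sample messages, as a hypothetical ingest gateway might record them.
BASE = {"device_class": "pressure-sensor", "device_id": "ps-01", "cert_verified": True,
        "dest_host": "ingest.example.internal", "dest_port": 8883}
SAMPLE = [{**BASE, "ts": 0, "value": 82.5},
          {**BASE, "ts": 5, "value": 83.0},                    # too soon
          {**BASE, "ts": 60, "value": 9000.0},                 # implausible reading
          {**BASE, "ts": 90, "value": 81.9, "dest_port": 23}]  # new destination
```

Calling `process(SAMPLE, notify)` with any two-argument callback admits only the first message and reports the other three with their reasons.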

As cyberattacks continue to increase, understanding and managing the risks has become increasingly important. Oil and gas companies must continue to take proactive measures to reduce vulnerabilities and protect data at all points. Adopting innovative technologies and collaborating closely with partners will help create more resilient and proactive security capabilities.



About Brent Potts

Brent Potts is the senior director of Industry Marketing at SAP, responsible for the global marketing for the Oil & Gas industry. His specialties include product management, strategy, business development, and product marketing.