Oil and gas companies face a combination of common and unique challenges on the cybersecurity front, according to Jon Taylor, an assessment and testing services manager and principal consultant for Revolutionary Security, a subsidiary of Accenture.
Oil and gas firms face some of the same challenges as utilities
Speaking during a webcast hosted by Oil & Gas Journal on July 22, Taylor acknowledged that oil and gas operators had many of the same vulnerabilities as electricity providers and other utilities. Specifically, he said in response to a question from IndustrialCyber.co, cyberattacks on these companies’ industrial control systems (ICS) and operational technology (OT) have the potential to trigger undesirable changes in the operating environment.
“I think oil and gas, like any ICS or OT industry, does have unique issues. That is, we have physical consequences to any of our OT actions,” he said.
These consequences are of greater import when they involve OT problems such as production outages, equipment malfunctions or safety hazards rather than information technology (IT) problems, he said. “With respect to automated threat and response, from an IT perspective, we can just go shut somebody’s computer off, and I don’t care if you can’t get to your spreadsheet,” he said. “We can’t do that to a controller because we can lose control of that process.”
Oil and gas companies must consider profits and variable operating conditions
At the same time, Taylor stressed that oil and gas firms faced unique cybersecurity challenges, even as they shared common concerns with power and water providers.
For one thing, he said, oil and gas companies tend to operate under conditions that are more fluid and variable than those facing utilities. That is, he said, the parameters of the operating environment can change very quickly during tasks such as drilling new wells or extracting hydrocarbons from subsurface reservoirs. As a result, cyberattacks can be more difficult to spot, since work crews must pay attention to so many other things.
“It can be that the variability in field processes makes it harder to capture [security threats] than [in] the electric industry, where everything’s static,” he explained.
Additionally, he said, oil and gas operators are often trying to turn a profit – unlike many utilities, which have the task of ensuring supplies to the public, sometimes to their own financial detriment, and of protecting and maintaining vital infrastructure. “I think there’s often more focus on monetary gain in oil and gas, whereas in electrical [generation], it’s more [of a concern] at the nation-state level,” he commented.
“So yes, I think there are differences,” he added. “Overall, the theme sounds the same, but the words might be a little different.”
Oil and gas companies must guard their intellectual property
Taylor also pointed out that some oil and gas companies were particularly vulnerable to cyberattacks designed to secure outside access to intellectual property. For example, he said, refinery operators have the task of guarding the proprietary technologies and processes they use to produce specialized fuels, lubricants and chemicals.
“The amount of intellectual property we put in our refining processes can also be a challenge. The specific data can really be intangible, [but they’re] worth a tremendous amount to a company,” he said.
He noted, though, that there were many steps that operators could take to guard their facilities from outside intrusion. One such step, he said, involves getting creative with names.
He cited a hypothetical example of a technician who, when tasked with setting up a system to monitor all the OT devices supporting an oil and gas company’s operating facility, tagged every device with a descriptive name that revealed exactly what function each performed. “We see this very commonly in production environments where tag names give away a ton of information about the process,” he said.
The problem with this practice, he remarked, is that it gives cyberattackers too much information – and too much insight into their targets’ operations. Intruders who learn how companies organize and use their equipment “can easily reverse-engineer that production process,” he stated.
Even if companies do adopt non-intuitive naming practices, he added, they should take additional precautions to keep information about their OT systems secure. “That information should never be stored on the same network as your production network,” he said. “It should always be in a very tightly locked down environment, completely isolated. And we recommend if it’s really critical to a core part of your business or to part of your brand identity, that you put it away in a data vault.”
Taylor’s advice is valuable, given that oil and gas companies represent a key component of vital infrastructure. But it is particularly worth heeding at a time when cyberattacks on oil and gas companies are on the rise. Oil and gas operators that are familiar with their own combination of common and unique vulnerabilities on the cybersecurity front have a better chance of resisting attacks.