Cyberattacks can compromise the availability, integrity, and confidentiality of oil and gas companies. In the worst case, they endanger lives. This is why the industry needs to increase its systems’ cyber resilience now, say experts.
As early as 2017, the U.S. research institute Ponemon was commissioned by Siemens to conduct a survey of the oil and gas industry. According to its findings, 68% of U.S. oil and gas cyber managers said that their organisation had experienced at least one loss of confidential information or disruption to operations in their OT environment over the past 12 months. At the same time, the study asserted that many of the organisations lacked awareness of the OT cyber risk.
“Although the most common motive of cyber criminals is to make money, attackers are no longer limiting themselves to implanting malware. Some simply want to destroy systems and harm people. So it’s also a matter of protecting the physical operational technology,” Bakr comments.
For some time, people in the industry have been talking about one of the most dangerous attacks on industrial oil and gas facilities so far. According to an analysis by cybersecurity company FireEye, one of these attacks was not only planned to disrupt operations, but also to cause physical damage threatening human lives. But what is clear, according to Bakr, is that successful cybersecurity needs to be based on a so-called layered defense approach to prevent the worst and save lives.
A layered defense, also called ‘defense in depth’, is a proven concept based on various types of overlapping cybersecurity controls. The idea is that if one control fails or gets bypassed by the attacker, another layer offers protection.
However, some companies don’t have any in-house cybersecurity processes, let alone a dedicated organisation, or else they have no qualified personnel. In these cases, they can purchase expert knowledge – including, of course, from Siemens Energy, whose goal is to become the world's most valued energy technology company. Upon request, customers can be supplied with everything they need for cybersecurity structures and vulnerability or gap analysis, including measures and their implementation. This is called ‘cybersecurity as a service.’
The first step is usually a consultation on the latest cyber threats, gateways, and potentially effective measures. Ahmed Khalifa is the company’s technical sales manager for Cybersecurity. He and his colleagues are located in Dubai in the UAE.
“Many of the initial measures are easy to implement and aren’t very expensive,” says Khalifa. “For example, knowledge is an important key to an effective defence.”
Knowledge lays the foundation for secure processes and successful access management, and it also raises the awareness of all personnel. In 2020, a study by Stanford University professor Jeff Hancock and the security company Tessian determined that 88% of data breaches are caused by employee error. This means that one of the greatest risks to cybersecurity – human error – can be prevented through training.
One thing that the two cyber experts emphasise is that while the unstoppable growth of digitalisation can increase certain cyber risks, these risks are outweighed by the benefits for industry. Khalifa notes, “Digitalisation, which is especially practical for the oil and gas industry, doesn’t automatically mean operation in the cloud. For critical infrastructures like oil and gas, it primarily means using digital applications to monitor physical assets such as gas compressors and offshore drilling equipment, with the goal of making the operation more efficient and cost-effective. We’re able to protect these functions from cyber threats very effectively.”
Whether it is from remote monitoring or predictive maintenance, reduced carbon emissions or optimised fuel consumption, useful data is only transferred in one direction, thanks to a Siemens Energy Power Plant Automation (SPPA) unidirectional gateway that turns data highways into one-way streets. Data transfers in the opposite direction – in the direction of the plant – are absolutely impossible. The benefits for customers are a comprehensive overview of their systems’ health status and automatic notification if any disruptions occur.
Digitalisation itself is one of the most effective weapons against cyber threats, and so is artificial intelligence (AI). AI is the basis for Siemens Energy’s innovative Plant Security Monitoring. The company wants to use AI primarily to help small and medium-sized oil and gas companies protect their plants from cyberattacks. As Khalifa explains, “The Plant Security Monitoring algorithms study and learn a plant’s ‘normal’ behaviour. Afterwards, if any deviations occur, the system records the abnormal behaviour and issues an alarm. This is how we make very effective use of every aspect of digitalisation’s strengths – including and especially in the fight against cyber criminals and terrorists.”
October 27, 2021
Nina Terp works as a freelance science and technology journalist in Germany. Her work has been published in a number of German and international specialist media.
This article was originally published in Oil Review Middle East Issue 6, 2021.