Energy: Oil and Gas

At Opliciti we create strategic direction, helping you build cyber security capability, not just deploy technology.

Cyber Attacks

Cyber attacks against oil and gas companies may seem unusual. After all, many oil and gas sites are remote, seismic and oil flow data is complex, and operations appear to be mostly physical rather than reliant on technical IT systems.

However, oil and gas typically forms part of the host nation’s critical national infrastructure (CNI). This means it is attractive to both cyber crime and cyber espionage.

Secondly, oil and gas companies have complex ecosystems consisting of heavy onshore and offshore assets, processing facilities, systems, networks and processes, yet the increasing desire to improve efficiency and cost, in order to improve production and profit, is driving digital transformation. This increases the attack surface and exposes legacy systems that were never designed with security in mind, nor intended to be connected to the internet.

Thirdly, there is an increasing trend toward cyber attacks against industrial control systems (ICS) and operational technology (OT).

Cyber challenges within the Exploration and Production lifecycle

Access, Explore, Appraise and Select stages

While the value of seismic data may be low on an attacker’s radar, the cost of conducting the exploration and seismic activity can be significant, requiring strong information and data management controls. As exploration teams collaborate across the different areas of activity, they move toward Appraise and Select, the point where major investment decisions are made. At the Select stage, information is often considered highly confidential and requires considerable cyber security attention.

Additional activity may also include ‘licensing rounds’ and ‘mergers and acquisitions’, where information is equally classed as highly confidential.

Consider: Digital platforms processing this data were traditionally used on premises, but the trend is toward new platforms able to integrate applications and processes in the cloud. Good information and data management must be supported by cyber requirements within robust contracts with cloud providers, removal of single points of failure, and backed-up data and workflows with tried and tested recovery. Baselines require monitoring to identify and investigate anomalies to reduce cyber threat and insider risk.

Define and execute stages

Once a site has been selected for development, significant capital programme management is initiated. Activities can range from the design of new assets and facilities to contracting existing ones, for example Floating Production Storage and Offload (FPSO). Where new assets are built, it is essential that cyber security is integrated at the design stage. This includes IT systems, Industrial Control Systems (ICS) on board vessels and rigs, and even the protection of maritime systems. Exploration and production companies also need to be aware of increasing regulation. For example, maritime regulation now requires vessels to have a Cyber Security Management Plan (CSMP).

Additional design specification, operational maintenance, land transport, maritime and aviation contracts can be attractive targets for cybercrime and fraud.

Consider: Industry-accepted cyber security best practice frameworks, for example IEC62443, which supports OT environments, can be used for the development of secure architecture and vulnerability analysis for operators, and for the secure practices of vendors of systems and components.

Maintain and operate stages

Operational efficiency, decision quality and reputation become significant during the maintain and operate stages, as operators continually seek to optimise processes, reduce costs and improve productivity. The use of digital technology is starting to define the future of operations, which in turn is increasing cyber risk significantly. Attacks on ICS can create digital disruption that impacts physical processes, causes physical damage or even causes loss of life.

Consider: Monitoring of IT and OT systems, tried and tested emergency cyber response teams that span the gap between IT and engineering, and business continuity plans that scenario-plan the replacement or workaround of proprietary physical infrastructure damaged by cyber attack.

Opliciti

Opliciti has extensive experience of working across the upstream oil and gas lifecycle value chain within large independent exploration and development companies.

Let us help you:

  • Assess and present cyber security as a business risk to drive board ownership and risk appetite.

  • Create a business-integrated or business-aligned cyber security strategy across IT and OT environments to enable safety and resilience, and to create and protect value.

  • Align with industry-accepted best practice (ISO27001, NIST, NIS CAF, IEC62443 etc.), identifying prioritised risk and aligning appropriate, proportionate controls that are suitably governed.

  • Manage security operations using artificial intelligence and machine learning with automated response to stop cyber threats efficiently and effectively.