Analysis: Cyber security in oil & gas
Energy companies in the Middle East are consistently coming under attack from hackers
Energy companies in the Middle East are consistently coming under attack from hackers. Are they doing enough to protect themselves?
Cyber-attacks are nothing new, but the rate at which energy companies are being targeted with progressively more aggressive and complex assaults is one of the major challenges faced by companies working in the industry.
In a market that is infamous for its talent shortage, using data can actually increase oil production, according to Booz Allen Hamilton.
Its research suggests that rapid advancements in processes have until now supported reliable and complex, if expensive, extraction, but in an age of increasingly volatile oil prices the capture and analysis of big data will offer tangible benefits across the value chain. The paper cites Chevron’s i-fields project as a successful model for a data driven oil field. The project is set to save the company over $1bn annually.
In addition, the research found that data driven oil fields can help defend the industry from a looming skills gap by automating processes and socialising institutional knowledge through management systems.
The paper references a study, which found that 75% of international oil companies felt staffing challenges were responsible for project development delays, and 59% of companies said the skills gap was a reason for greater industry risk taking.
In the Middle East, 50% of the region’s skilled oil and gas professionals are expected to retire within the next five to seven years.
“The oil and gas industry is a pillar of economic development in the Middle East region – particularly the GCC, and a primary source of employment and state spending,” said Atif Kureishy, Principal at Booz Allen Hamilton MENA. “Securing the industry’s viability in a way that is sustainable and resilient to external factors such as falling prices and a shortfall in human capital will rely on technology and analytics.
“Less than 1% of the data currently available on a modern oil rig is currently being captured and analysed,” continued Kureishy, “meaning extractors and producers are leaving themselves increasingly vulnerable to low oil prices and a skills shortage. It’s important that we are not only capturing as much data as we can, but that the industry is able to identify the people and systems equipped to make sense of that data to inform better decision making.”
The paper describes the oil and gas industry as being ‘particularly at risk to cyber-attack’ given its critical nature to economic and social security, and as companies look to migrate to more integrated, digital systems the attack area ‘increases together with the organization’s vulnerability’.
Dr. Mahir Nayfeh, Senior Vice President – Technology and Analytics at Booz Allen Hamilton MENA, said: “The industry finds itself at the intersection of a crisis in which a glut in global supply and a systemic shortfall in talent have intercepted each other – threatening the short term success of operations. But greater yet, is the sustained and evolving cyber threat from hacktivist criminals motivated by high stakes and low defences.
“Devising strategies that allow organizations to maximize operations without compromising intellectual property will be about finding a defence in depth cyber security model that balances technology deployment to support data capture, with the analytical intelligence to interpret and understand what the data is telling you,” continued Dr. Nayfeh.
“That is why every data driven oil field must get three key components right – cyber security, integration and analytics – in order to realise its disruptive capabilities.”
But these open systems have come at a price, putting millions – potentially billions – of dollars and the associated information at stake. And it is companies here in this region that have more to lose than most.
Between January and February, software company Symantec observed a multi-staged, targeted attack campaign against energy companies around the world, with a focus on the Middle East. This attack campaign used a new information stealer, detected by Symantec as Trojan.Laziok. Laziok acts as a reconnaissance tool allowing the attackers to gather data about the compromised computers, said the report.
The detailed information enabled attackers to make crucial decisions about how to proceed further with the attack, or to halt the attack. During the course of Symantec’s research, it found that the majority of the targets were linked to the petroleum, gas and helium industries, suggesting that whoever is behind these attacks may have a strategic interest in the affairs of the companies affected.
The Middle East was heavily targeted by the cyber-attack, with the United Arab Emirates hit by a quarter of all phishing attempts. The initial infection vector involves the use of spam emails coming from the moneytrans[.]eu domain, which acts as an open relay Simple Mail Transfer Protocol (SMTP) server.
These emails include a malicious attachment packed with an exploit for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158). This vulnerability has been exploited in many different attack campaigns in the past, such as Red October.
If the user opens the email attachment, which is typically an Excel file, then the exploit code is executed. If the exploit succeeds, it drops Trojan.Laziok, kicking off the infection process.
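As an added illustration (not taken from the article or from Symantec's report), the delivery pattern described above, mail relayed through the named domain and carrying an Excel attachment, can be checked at a mail gateway. The function names and the sample messages are constructed for this example.

```python
import email, re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

FLAGGED_DOMAIN = "moneytrans.eu"                 # from the article (defanged there)
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # legacy Office (.xls/.doc) container
EXCEL_EXTS = (".xls", ".xlsx", ".xlsm", ".xlsb")

def is_flagged(host):
    """True for the flagged domain or any subdomain, never for look-alikes."""
    host = host.lower().strip(".")
    return host == FLAGGED_DOMAIN or host.endswith("." + FLAGGED_DOMAIN)

def triage(raw_bytes):
    """Return the reasons a raw message matches the delivery pattern."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hosts = [parseaddr(msg.get(h, ""))[1].rpartition("@")[2]
             for h in ("From", "Sender", "Return-Path")]
    # Relay hops: only Received lines added by your own MTA are trustworthy.
    for hop in msg.get_all("Received", []):
        hosts += re.findall(r"[A-Za-z0-9.-]+", hop)
    reasons = ["flagged-domain"] if any(is_flagged(h) for h in hosts) else []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(EXCEL_EXTS):
            reasons.append("excel-attachment:" + name)
        elif data.startswith(OLE2_MAGIC):
            reasons.append("ole2-disguised:" + name)  # Office file under another name
    return reasons

def build_sample(sender, filename, data, received=None):
    """Constructed message for the demo; not a sample from the campaign."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "ops@example.com", "Invoice"
    if received:
        m["Received"] = received
    m.set_content("See attached.")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    relay = "from mail.moneytrans.eu (unknown [192.0.2.10]) by mx.example.com"
    print(triage(build_sample("billing@example.net", "report.xls",
                              OLE2_MAGIC + b"\0" * 16, relay)))
```

A match here is a reason to quarantine and inspect the message, not proof of compromise; patching CVE-2012-0158 on endpoints remains the control that stops the exploit itself.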
The advantages of automated systems and controls are clear; a defect at a plant can be detected from thousands of miles away and corrected within the hour, rather than the painstaking days it would have taken to pinpoint the fault 20 years ago, and the associated downtime that comes with that. It also means that companies can deploy fewer boots on the ground in danger zones, instead using advanced technology to keep production ticking over.
But the advantages come at a cost, according to Safdar Akhtar, director business development, cyber security for Middle East & Africa, Honeywell Process Solutions.
“Over the past several years, automation technology developers have leveraged commercial off-the-shelf technologies, which have helped to reduce development times and enhance enterprise interoperability and overall value for plant end users,” he said.
“However, these more open platforms have come with new complexities: the risks and realities of viruses, other than malware and cyber terrorism. A process automation system running without proper security measures faces an operational risk similar to someone running an operating system without an updated antivirus program. But it is really only in recent years we have seen companies adopt this mind set and take preventative measures rather than put measures in place when damage has been done.
“This is a mind-set that transcends geographies and the Middle East has been unfortunate to several high-level security breaches over the past few years that have put it in the limelight.”
With would-be attackers changing tactics on a regular basis, companies are under more pressure than ever to continually update and improve their virtual defences. But the very best systems and programmes are ineffectual without educating employees, says Akhtar.
“Industrial Cyber Security is a combination of practices, processes and technologies designed to defend process control networks, systems, computers, programs and data from attack, damage, disruption, unauthorised access or misuse. It is more than just software patches and should be approached as a continuous, critical process.
“Compared to traditional cyber security approaches followed in corporate IT departments, industrial control systems have unique cyber security requirements that demand deep process control knowledge and specialised cyber security solutions and expertise.
“Technology in this sector is constantly evolving and therefore updates and changes are inevitable in order to protect assets accordingly. This is the nature of the industry, particularly within the energy industry where you have remotely located assets and the need to enhance consistent security measures. The rise of software-driven technology, such as the cloud and virtualized environments, has also increased the need for more regular updates.
“However, I would say one of the most important changes that need to be made is internally. Employees must be aware of the role they play in the protection of their company’s data and the protocol in place to protect that. Education is key to ensuring this responsibility and accountability is upheld.”
- 25% Proportion of attacks on UAE from recent cyber campaign
- 1% Only a fraction of rig data is being captured.
- 50% Skilled labour expected to retire within five to seven years.