Countering the Threat of Cyberattacks in Oil and Gas
Katharina Rick
Partner and Managing Director
The Boston Consulting Group - San Francisco

Karthik Iyer
The Boston Consulting Group - Boston

Concern about cybersecurity is particularly high in the oil & gas industry compared with most other industries because of the global nature of oil & gas production and distribution. Transactions in the oil & gas arena are broad in scope and include sensitive information on such diverse topics as possible well sites and end-user consumption, which is vulnerable to cyberattacks; furthermore, the industry faces threats that are activist (including attacks carried out by environmental groups), rather than purely commercial, in nature. These cybersecurity threats could have severe effects not just on the industry but also on the environment, public health and safety, and even national security. The article describes various modes of cyberattack in the oil & gas industry and the focus areas that industry players need to address to protect themselves, their shareholders, and their customers adequately.

Across industries, companies have been intensifying their focus on cybersecurity. This is a direct consequence of the expanding role that digitisation is playing in their business and operating models, and the demonstrated potential for significant damage resulting from a successful cyberattack. Indeed, CIO magazine's "2015 State of the CIO" survey revealed that chief information officers now spend roughly a third of their time on cybersecurity-related issues and consider cybersecurity one of their top-four priorities.1 In our work, we are seeing keen interest in cybersecurity among other senior executives, including board members and CEOs.

Concern about cybersecurity is particularly high at oil and gas companies, which face a far wider spectrum of threats (threats that are potentially more severe) than do companies in most other industries.2 Transactions in the oil and gas arena are broad in scope (the life cycle of a transaction can include sensitive information on such diverse topics as possible well sites and end-user consumption), so the companies are vulnerable at many different points. These companies are also subject to relatively large-scale threats, given the global nature of oil and gas production and distribution.

Furthermore, the industry faces threats that are activist (including attacks carried out by environmental groups), rather than purely commercial, in nature. These include threats that, if successful, could have severe effects not just on the industry but also on the environment, public health and safety, and even national security.3

Recognising the severity of the situation, many oil and gas companies have taken significant measures to address their vulnerability. Have they done enough? In a recent survey of a number of industry players, The Boston Consulting Group found, for example, that none of the companies had undergone a comprehensive audit (spanning corporate, upstream, midstream, and downstream operations) of its value chain.

Many Points of Vulnerability—But Where to Focus?
The scope of activities within the oil and gas industry's value chain creates many potential points of entry for attack. (See Exhibit 1.) It also leaves the industry prone to multiple types of attacks. These include attacks on the industry's physical infrastructure (such as cutting fiber-optic cables), the disabling of critical systems (through denial-of-service attacks, for instance), and the theft or corruption of information or the prevention of its dissemination. Given the industry's relatively high degree of automation and interconnectedness, the effects of such attacks could be highly damaging to these companies. These effects can include the loss of equipment (for example, failed pressure-valve systems), the loss of competitive advantage (through the loss of, for instance, confidentiality of production data or possible drilling sites), and even the loss of life.

In light of the industry's multiple points of vulnerability and the potentially catastrophic consequences of a successful attack, it is important to determine where these companies should focus their cybersecurity efforts. An examination of the critical vulnerabilities of analogous industries may be instructive. A 2014 report issued by the US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) identified a wide range of information security weaknesses evident across what the US government classifies as "critical infrastructure sectors".4 The report found that vulnerabilities in three specific realms were most prevalent across these sectors: boundary protection, information flow enforcement, and remote-access control.

Vulnerabilities in these areas can open doors to a range of attacks. Inadequate boundary protection, which can make it difficult to detect nefarious activity, can create avenues that allow outside parties to interface with systems and devices that directly support a company's control processes. Mobile and multimedia devices, including smartphones, have become integral parts of what were formerly considered secure boundaries and offer new potential points of attack. Insufficient control of information flows can allow attackers to establish unsanctioned and damaging communications using a company's channels, ports, and services. Weak control over remote access can create many entry points for unauthorised interfacing with a company's control-system devices and critical components.

For oil and gas companies, where is the exposure to these three vulnerabilities greatest? To make that determination, we examined these companies' value chains, using the number of systems and integration points as a proxy for exposure. Upstream data emerged as the most vulnerable. We then looked at a simple upstream drilling infrastructure for help in identifying and understanding where the security gaps in upstream operations were largest. (See Exhibit 2.) As the exhibit shows, most security efforts related to upstream drilling infrastructure are focused on the security of physical assets rather than the security of information. Often, for example, data is transmitted from old or unsecured equipment and without standard protocols or security precautions.

As a result, many companies' upstream assets have glaringly unaddressed vulnerabilities to cybersecurity attacks.

Until recently, the industry considered the traditional upstream systems in oil and gas to be relatively safe because they were, in most cases, isolated. But the industry's growing use of connected industrial systems and networking technology, coupled with the ever-increasing need for real-time data and analytics, has introduced new risks. These include asymmetrical threats against which the upstream segment is relatively unprotected compared with the industry's corporate and retail segments. The upstream segment's heavy reliance on oil-field-services companies and use of nonstandard equipment and potentially insecure technologies further increases the number of potential entry points for attack and elevates the risk the segment faces.

To fortify the security of their upstream operations and related information, companies must add a broad and effective security layer on top of their existing upstream defenses. Such a layer, which would allow the companies to proactively detect intrusions and other forms of attack, should consist of such elements as firewalls, network-monitoring equipment, and network use rules that can secure systems and also enable the infrastructure to detect intrusions and associated patterns. These elements will help ensure that all information flows are authorised and that there are adequate authentication procedures in place to ensure that unauthorised parties cannot gain access to critical systems. This will help oil and gas companies manage cybersecurity risk across the upstream supply chain.

Table 2:

Shoring up Defences
Realising the need for taking concerted action against cybersecurity threats across the entire business, oil and gas companies have taken collective steps to mitigate risks. These include the formation of information-sharing bodies, such as the Oil and Natural Gas Information Sharing and Analysis Center, an industry effort launched in the US in 2014 to provide information and guidance to US energy companies.

Oil and gas companies also stand to benefit from government measures aimed at bolstering their defenses. Many governments, including those of the US, the EU, Russia, and Saudi Arabia, have developed national cybersecurity policies or frameworks, focusing specific attention on critical infrastructure. ICS-CERT, for example, was created to monitor and respond to cybersecurity incidents across critical domestic sectors, performing security assessments of and making recommendations related to industrial systems. The NATO Cooperative Cyber Defence Centre of Excellence seeks to enhance cybersecurity-related capabilities, cooperation, and information sharing among NATO member states, as well as a number of NATO partner organisations from around the world that focus on the issue, including the Euro-Atlantic Partnership Council and the Istanbul Cooperation Initiative.

These various bodies and efforts notwithstanding, individual oil and gas companies need to take primary responsibility for their cybersecurity themselves. We recommend a risk-based approach centered on three steps:
  • Develop an understanding of the precise risk to the company's assets and the effort and resources necessary to mitigate them: With that understanding, the company should prioritise its security efforts. Cybersecurity risk varies considerably, depending on a host of variables, including the type of asset, its position in the value chain, and its physical location. The consequences of an attack can also vary materially. An effective detection and response scheme will aim at addressing the largest threats first.
  • Build and sustain a multilayered defense system: Such a system should protect against various attack vectors. Management of this is highly complex and requires organisational alignment, the right technologies, clear processes, and strict organisational discipline. Threats to hardware infrastructure, for example, are different from threats to software, and it is imperative that oil and gas companies have resources that address both.5 Companies must therefore identify vendors whose equipment has been field-tested against a barrage of attacks. The companies must also be able to pinpoint sources of attack and mobilise the right sets of tools and resources in response. The ability to continually monitor all infrastructure, prioritising threats and defenses, requires both agility and an organisational readiness to redirect technology and people to areas where they are needed most. This system and approach is considerably different from the traditional top-down, linear work-order process that is still employed in many segments of the oil and gas industry.
  • Manage cybersecurity risk on a consistent basis: The company must be well prepared to detect and respond to various types of attack across the value chain. Reaching this state will demand that the company's processes, systems, and people are continually adapting to the changing landscape of cybersecurity risk. It will also demand active leadership at the executive level, which is essential for ensuring that the organisation is capable of responding to asymmetric attacks quickly and with agility.
These efforts should be supplemented by a number of midlevel priorities, including the following:
  • Understand critical assets and the role of information relative to those assets at the institutional level and ensure that the right skills and personnel are available to safeguard vital information.
  • Conduct frequent audits and assessments of points at which critical information is being transmitted in order to identify and secure vulnerabilities.
  • Engage in data-shaping activities that boost the company's ability to recognise exceptions to normal data flow and transmissions, exceptions that could indicate attempted attacks from external parties.
  • Recognise and act on the knowledge that, in many cases, people are a company's weakest links. Most attackers target systems that have been made vulnerable through user apathy, inattentiveness, and ignorance. An organisation may have the very best technologies and processes, but if its people are unable or unwilling to comply with established security measures, the effectiveness of its defenses is greatly diminished. Adequate training and awareness are therefore critical for ensuring that the entire organisation (including IT staff, R&D professionals, and business and other users), not just portions of it, is well braced to help resist and weather cybersecurity threats. Active promotion of best practices, such as the use of encrypted storage devices and strong passwords, can go a long way toward creating a robust people defense.
  • Ensure that the company's partners (for example, vendors and oil-field-services companies) adhere to the company's organisational-security guidelines, including the use of company-approved hardware and software. Employees of these organisations should also have an adequate understanding of the basic principles of information security and management.
Lower-priority (but still important) measures include ensuring that there is sufficient redundancy in critical systems to enable uninterrupted operations in the event of denial-of-service attacks and providing a "kill switch" to disable connectivity in order to stop an intruder (with sufficient backup in place to allow processes to stop safely). Companies' orientation toward these and all security-related requirements should be comprehensive in nature and focused on continually managing risk, meeting or exceeding industry standards, and limiting negative impact on the business and customers.

The increasing technological complexity of today's oil and gas industry (driven by, for example, the industry's spiraling deployment of data mining and analytics technologies, sensor and networking technologies, industrial systems, and systems integration technologies) is rendering it increasingly vulnerable to cyberattack. To protect themselves, their shareholders, and their customers adequately, industry players must make cybersecurity a top priority and an ongoing consideration at the executive level.

1. "2015 State of the CIO," January 5, 2015, /2862760/cio-role/2015-state-of-the-cio.html#slide9, and Carla Rudder, "These 4 responsibilities just jumped to the top of CIOs' to-do lists," The Enterprisers Project, November 18, 2015, -4-responsibilities-just-jumpedtop-cios-do-list.
2. Indeed, as oil and gas companies deal with the severe oil-price decline, cybersecurity is among the few areas that they will likely continue to fund.
3. Information on the oil reserves of various nation-states, for example, is extremely sensitive, and its illicit distribution could have global geopolitical ramifications. Hence, many governments, as well as businesses, are making concerted efforts to address cybersecurity. See, for example, NATO Cooperative Cyber Defence Centre of Excellence, "Cyber Security Strategy Documents,"
4. US Department of Homeland Security, Industrial Control Systems Cyber Emergency Response Team, Industrial Control Systems Assessments, FY 2014: Overview and Analysis. The US Patriot Act of 2001 defines critical infrastructure as "…systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." According to the US government, there are 16 sectors that fall within this category, including energy, transportation systems, water and waste-water systems, emergency services, dams, critical manufacturing facilities, and chemical facilities.
5. Although companies are inclined to focus significantly on software, the threat of theft or hacking of physical hardware is very real. Use of secure technologies, such as military-grade hard disks and network equipment, can go a long way toward mitigating such threats.