Shale gas development, like the rest of the oil and gas industry, has security high on its agenda. In addition to the usual threats experienced by the sector – not least cybercrime, physical threats, and industrial espionage – fracking has been met with protest in a number of regions. As a new and controversial activity, its security challenges have been widely publicised.

Over the last few years, the UK Government has encouraged exploratory drilling activities to ascertain the country’s shale potential. This has led to a deep rift in public opinion, with some expressing fears it could be damaging both to the environment and human health.

In August 2013, energy company Cuadrilla halted its oil-drilling operations in Balcombe, West Sussex, UK, ahead of an upcoming protest by the pressure group No Dash For Gas. A spokesperson said the drilling had been scaled back on the advice of Sussex Police, adding that Cuadrilla’s main concern was "the safety of our staff, Balcombe’s residents and the protestors following threats of direct action against the exploration site".

Terror alert

The ‘day of action’ itself was by far the biggest anti-fracking demonstration ever to take place in the UK, and saw hundreds of protestors arrested, including Green Party MP Caroline Lucas. Cuadrilla ultimately ruled out the site in question, having determined that the shale rock already contained natural fractures.

A year later, campaigners glued themselves to the DEFRA building, occupied a Blackpool office and took over a field next to a proposed exploration site.

Amid dozens of peaceful protests, the UK’s fracking industry has also seen one terrorist-type attack, in which the home of a shale gas security guard in Northern Ireland was petrol-bombed from a passing car. This act was roundly condemned, with a spokesman for an anti-fracking group reinforcing how violent actions undermined its "goal of putting a halt to shale gas exploration".

Evidently, protestors constitute a special kind of security threat that is often beyond the scope of a fracking company itself. During the protests at Balcombe, Cuadrilla employed the services of international security firm G4S.

As the latter’s brochure explains, "G4S Gurkha Services provide security and risk management services for one of the UK’s leading unconventional gas exploration and production companies. With a growing anti-fracking movement, the Gurkha Services management team conducted a full risk assessment to assess the various threats, vulnerabilities and risks associated with different locations on-site. This allowed the team to maximise resources and efficiencies at each location, delivering a total security solution."

It seems clear that, for as long as hydraulic fracturing remains contentious, shale gas companies will need to invest in similar operations, working with specialised contractors to protect their personnel and assets. These headline-grabbing challenges, however, are only one piece of the puzzle. The industry faces many other security issues that command attention on a day-to-day basis.

Cyberman

Martin Smith, CEO of the Security Company and chairman of the Security Interest Special Awareness Group (SASIG), has been working in cybersecurity since the early 1980s.

He feels that when it comes to cyber-threats, shale gas is no different from any other business: "There are specific issues related both to oil and gas and fracking, but the risk profile is constant across all subsets of industry. The message I try to get out is that, while cybersecurity is relatively mature, and the available technology is well established, the biggest problem is the human factor."

Smith is referring to security breaches that occur through user ignorance, carelessness and poor procedure. While he believes most enterprises have adequate IT strategies in place, they are not so well equipped to deal with breaches of trust.

"The weaknesses will be with your employees, and your customers and your users, and the criminals will use that weakness to exploit your systems," he says. "They won’t now try to come in through the technical firewalls, they’ll try to come in through the human equivalent."

The saboteurs in question fall into four distinct categories. First, there are the typical cybercriminals, whose main goal is to steal information and by extension money. Secondly, there are the cyberterrorists, who seek to undermine a company’s system for political or economic ends. Both these groups pose a recognised threat, irrespective of what industry you’re in.

The third and fourth categories have particular relevance to the industry. These are the anti-fracking lobbyists (who, aside from protesting, may try to disrupt operations by way of a cyberattack) and the industrial spies.

Since shale gas is a new and growing sector, its vulnerability to data poaching is especially high.

"Are you on the track of a new gas field, have you worked out a new technology for fracking? Those are enormously valuable pieces of information to the opposition and industrial spies will attack you," explains Smith.

"Fracking is a special technology with huge potential, so people want to know how their competitors are developing techniques. Because it’s different and new, espionage is bigger than it would be against a typical oil and gas industry."

What companies can do to eliminate these threats is a moot point. The UK Cyber Security Strategy, published in November 2011, outlined the need for rigorous technical solutions across the private sector. It points out, "Business is the largest victim of crime and economic espionage perpetrated through cyberspace.

"Ultimately, it is the private sector that owns the assets and makes the business decisions about investing in improved cybersecurity."

Equally, however, it emphasises that approaches to the risks in cyberspace must not rely on technical measures alone and stresses that changes in attitudes and behaviours will also be crucial to operating safely in cyberspace.

As Smith sees it, this change of attitude will involve re-envisioning security as a business problem, something that needs to be tackled at a C-suite level, rather than consigned to IT departments.

"It’s a pressing issue," he says. "We’re already seeing organisations suffering data breaches due to flaws in very basic procedures. In a way, the more security we put in place the more vulnerable we become to human error, and that’s where the danger lies. Cybersecurity is concentrating ever more on brain surgery, while the patient is dying of the common cold."

Present dangers

He feels that shale gas is particularly vulnerable in this regard. With reams of sensitive data in its systems, an inexperienced industry is tackling these challenges against a backdrop of widespread hostility and opportunistic criminals.

"The internet is only 20 years old, and we’re only now beginning to catch up on the safety and security side," he says. "Now put those issues in microcosm and you have the shale gas industry, which itself is brand new."

While it may be a novelty at present, there can be no doubt that UK shale is in a process of rapid development. In January 2014, Prime Minister David Cameron declared that the government was "going all out for shale" and that local councils would be entitled to keep 100% of the business rates raised from fracking sites.

Chancellor George Osborne said at the time, "We are prepared to push the boundaries of scientific endeavour, including in controversial areas, because Britain has always been a pioneer. The country that was the first to extract oil and gas from deep under the sea should not turn its back on new sources of energy like shale gas because it’s all too difficult."

But while fracking activities have strong government backing, the ‘anti’ lobby is growing just as fast and protests look set to continue. For those working in the industry, it’s important to approach the security question with open eyes, remaining savvy to threats of every kind.

"Nobody’s entirely immune to attack but you want to make yourself less vulnerable," says Smith. "You need to know who is responsible for protecting systems and data, and who is responsible for implementing the technical defences.

"You also need to establish awareness among all system users as to what the dangers are and what the everyday housekeeping good behaviour looks like. For an emerging industry like fracking, if you don’t recognise the danger you’re in, your system will be inherently insecure and your operations will be inherently at risk."