As oil and gas investment booms, Tony Burton, the head of critical national infrastructure at Thales UK, looks into why cybersecurity should be revisited.
The oil and gas industry is booming. Following on from the introduction of tax changes in 2013 to help spur growth in the sector, representative bodies for the UK oil and gas industry revealed that investment in the North Sea is at its highest for 30 years, and is still rising – with an expected £13.0 billion to be pumped into the sector in 2014. Equally, following poor exploration performance in recent years, energy consultancy Wood Mackenzie believes 14 new fields will now be brought on stream, anticipating a £21.3 billion spend on capital investment across the next 18 months.
This new activity will see oil and gas companies invest significantly in new infrastructure projects, particularly for the new offshore developments, and unconventional sources of energy like shale gas and oil sands. A big driver behind new and existing projects will be a push to maximise infrastructure, resources and footprint – a move towards total, integrated solutions for managing and securing critical facilities.
Tackling the slippery slope of security
The strategic and global nature of oil and gas pipelines, coupled with their intrinsic alignment with critical infrastructures, demands that heavy investments for new infrastructure projects are accompanied by a hefty rethink around the security threat. Consultancy Frost & Sullivan has already urged oil and gas companies to double cybersecurity expenditure over the next two years to detect and counter cyberattacks, after revealing that the biggest threat for new infrastructures is from terrorists, hackers and state-sponsored groups that use unconventional tactics of attack. These attacks vary from use of explosive devices to destroy physical assets to cyberattacks for stealing information and taking remote control of a SCADA system – all of which can have devastating consequences. The case of Stuxnet, believed to have been created by the US Government to target Iran’s nuclear facilities, is just one example of how malicious malware can be used to wage cyberwarfare on key elements of national infrastructure.
For the companies involved, the benefits of centralising operations are twofold, and efficiency gains are achieved by adopting this approach for network and plant operating systems. Combining these and using a single secure communications backbone will reduce operating costs and ensure that personnel remain in secure locations when carrying out tasks. However, part of this new strategy also involves decreasing the number of staff on site and instead increasing remote operation, monitoring and incident response. This concept of ‘remote but reachable’ locations offers a more efficient and safer working environment for most employees. By taking the problem to the person, rather than them having to go it, operators can ensure people are not put in danger and can focus on resolving issues, rather than their own personal safety. However, with fewer staff present on site, the potential impact of accidents and security attacks on facilities, whether physical or cyber, increases.
The risks and challenges associated with updating old SCADA systems pose an additional problem. While new facilities give operators the chance to build security into the design from the get-go, older facilities, particularly from older analogue communications to digital communications, can be a restraint for infrastructure security.
Regs hit the rigs
With many of these new infrastructure projects now under way and following the high-profile Deepwater Horizon incident in the Gulf of Mexico in 2010, the European Commission concluded that the existing regulatory framework and industry safety practices did not provide adequate assurance that risks from offshore accidents were minimised. As a result, the Offshore Directive (due to be implemented by July 2015) was published in June 2013, with the objective to reduce as far as possible the occurrence of major accidents related to offshore oil and gas operations, and to limit their consequences. These new requirements relating to licensing, environmental protection, emergency response and liability – in addition to safety – require a thorough understanding of all regulatory aspects and the evolving threat landscape.
Additionally, oil and gas firms are being encouraged to partner with consultants and technology partners that can assist companies in navigating this complex network of challenges, and ensure new facilities and existing structures provide workers with the freedom to operate securely. No two facilities are the same, and each has its own set of challenges and weak points – determined by factors such as geographic location, political situation and current security posture. A thorough risk assessment of all facilities should be implemented to ensure security return on investment.
Ultimately, failure to evolve holistic security practices and systems in line with changes to infrastructure can be costly, and expose firms to an increasing number of security incidents – at a malware, and health and safety level.
Technology plays a central role in the generation and distribution of oil and gas, so ensuring that security capabilities of all existing and future facilities meet modern-day demands is critical. Suppliers of security systems should aim at designing an integrated security solution that proactively identifies, assesses and mitigates risks and threats originating from within the facility as well as from beyond it.
A holistic security strategy and renewed focus on integration is key to increasing overall operational efficiencies and giving companies working in challenging environments the freedom to operate securely. Operations and security can no longer be seen as separate issues if people, places and information are to be protected, but achieving a balance between safety and security needn’t be a pain point if steps are taken now to get security priorities in order as we herald a new era of investment in the oil and gas industry.