Given the increasingly central role of data and connectivity, cyber security is widely accepted as a major risk to the sector, and society as a whole. Furthermore, as technology becomes more accessible the skillpool of associated “dark arts” expands – and the risks increase.
The view from the boardroom
At a recent executive briefing event hosted by LRQA Energy, it was recognised that those responsible for cyber-attacks are highly skilled, not constrained by the law and driven by a range of motivating factors. Whilst there is significant activity across the sector to mitigate the potential impacts, many of those present felt that the level of response may be insufficient and / or misdirected. Some executives felt that adequate measures were in place to protect against data theft and hacking, but that operations remain vulnerable, making interruptions a likely outcome in the event of a cyber-security breach. It was also suggested that most oil & gas sector companies do not yet have in place the systems and resources required to precisely determine the source of cyber-attacks or with what frequency they occur in order to implement preventative measures.
During the discussion, executives largely agreed that a standardised approach to cyber-crime is vital. As cyber-security threats have gained currency relatively recently, the International Association of Drilling Contractors (IADC) is in the process of developing recommended practices (based on ISA/IEC 62334). Once published, this will give drilling contractors and operators some guidance on the measures they should be taking. However, the area remains largely unregulated and much depends on the attitude of individual companies.
The threat is real – so what can the Energy industry do?
The statistics confirm that the threat is serious and growing. According to a Internet Security Threat Report, the number of cyber-attacks on large companies increased by 40% in 2014 .
In 2012, the attacks on Saudi Aramco and Qatar's RasGas raised the profile of cyber security. At Saudi Aramco, hackers replaced data on hard drives with an image of a burning U.S. flag, prompting the then Secretary of Defense Leon Panetta to label the incident, "a significant escalation of the cyber-threat." Two years on, it was reported that between 2010-2014 hackers had stolen source code and blueprints to the U.S. oil and water pipelines and power grid, and had infiltrated the Energy Department's networks on 150 occasions. More recently, high profile breaches at Sony and UK telco TalkTalk have accelerated and amplified concerns about the risk associated with cyber attacks within industry and the public.
At LRQA Energy's, Dr. Richard Parliman, Lead Technical Specialist on system and controls and working with Cyber Security, is driving efforts to equip the Energy industry to defend itself. He says, “The industry falls into two camps: there are those who want to implement strong protective measures, and then there are those who think there’s no real risk and don’t take it seriously.”
Describing the highly organised nature of espionage malware, Parliman cites Careto (or “The Mask” when translated from Spanish), discovered in 2014 and believed to target government bodies. More recently, says Parliman, the Mask has been has directed specifically at Energy companies, and another such threat, the Phantom Menace, aimed to compromise the control systems of a vessel by stealing data or taking control. He says, "The malware remained in the background once activated and would run unknown, then submit events like entered passwords and data. It was mostly used for stealing confidential data or taking over communications /control systems and using them as a back door to gain access to other systems."
Alongside the increased threat and heightened profile, antivirus software products struggle to keep up. Most virus checkers only search for and detect the most common viruses and malware – which largely those that specifically target the Energy industry. Or, as Parliman says, “If it doesn't hit a specific number, it doesn't go into the digital file. We’re going to have to start developing those systems ourselves for the protection of the energy field, because the general commercialised antivirus companies don't get enough hits on those [systems] specifically."
Parliman supports the view from the executive briefing – cyber security is at an early stage of development throughout the sector, and not enough is known about the sources and frequency of attacks. Of course, responses and capability varies, with some companies committing resource and focus to advancing in this area. Other – usually smaller – companies lack the scale required to develop and effect solutions, so they will look to external sources. Parliman is hopeful that the recommendations currently being developed by the IADC will help. He says, "Granted, it's going to be a very watered down, very minimal version, but it's going to be some sort of start for them,"
Connectivity equals vulnerability
The increasing digitisation of the sector has elevated the risk associated with cyber attacks, because hackers can now access data and systems from the outside. For this reason, Parliman notes that older rigs may be less vulnerable. He says, "The more you connect it, the more potentially accessible you make it. With the utilisation of marketed rigs going down, and the stacking and decommissioning of some of the older rigs, this is going to become more of an issue. In the process, they're naturally getting rid of the older rigs because required maintenance costs are high, and modern technology increases overall safety and whole profile performance. In addition, newer rigs can be more connected, allowing for better on and off shore monitoring."
In addition to hardware-based threats, software presents a different type of risk. Parliman explains, “Your network is actually tied into your vulnerable information, which would be, for example, your data logging company, the drilling control system, or financial information. So if somebody gained access through the physical elements (ports, servers, etc), now they have access to the financial data- just by inserting a push email." Using the example if an email sent from a rig, Parliman outlines the process by which a virus embeds itself in the metadata and spreads. In this instance, the very specific nature of the virus means it is unlikely to be detected by antivirus software.
Knowledge-sharing is part of the defense
Cyber-security skills are vital for today’s sector. This means training or investing in specialists as well as operational teams so that actions and processes are thoroughly considered in the context of cyber security. LRQA Energy has developed a set of procedures to help Energy companies tackle cyber security issues. Parliman describes these as a high level view of the systems, equipment and personnel on a rig or a facility, a means of evaluating which elements are most vulnerable to attacks, and then comparing their condition to international and regional standards.
Parliman notes that unintentional potential 'breaches' of cyber security are common. "There have been plenty of times when we've been on rigs where a USB drive, something simple, is supposed to be scanned before it goes into any system...Well, a person uses it, passes it to the next person, gives it back, plugs it in the system...Is that safe? Not really. But does it happen a lot? Yes, because that's been the routine practice over and over for third parties, contractors, OEMs, etc."
For this reason, an assessment should always include human and social factors, as well as technical, process and equipment aspects. This includes gaining a deep understanding of how people actually behave, rather than assuming that policy and procedure reflects the reality.
Following this overview evaluation, the LRQA Energy team is developing a thorough three-stage four level assessment, which could include checking and stress-testing the facility's network. By acting as an outside intruder and inside intruder, expert can evaluate the extent to which procedures are being followed and their effectiveness. They also verify that equipment is functioning correctly, and assess the extent to which systems are vulnerable to attacks.
Clearly, no organisation can afford to ignore the potential impacts of cyber attacks – least of all in the Energy industry. Whilst cyber criminals become more sophisticated, so too must be our response and defensive activities.
For more information about how LRQA Energy can help, please contact energy@lr.org