On a quiet Wednesday in 2012 the world learnt a crucial lesson on the permeating impact of a cyber attack on a major oil and gas operator.
It was a normal day at Saudi Aramco, if slightly quieter than usual because it was the holy month of Ramadan, when, unknowingly, an employee opened a phishing email and clicked on what turned out to be an infectious link.
It wasn’t long before all hell broke loose. First files disappeared, then phones died and computers shut down as technicians ripped cables from the walls in a desperate attempt to halt the unfolding cyber attack.
In a few hours, 35,000 computers were partially wiped or totally destroyed.
Saudi Aramco was unable to receive money, process contracts and deals from partners and government. All its technology was completely defunct.
Eventually the company, which provides 10% of the world’s oil, was forced to temporarily stop selling oil to domestic gas tank trucks because it couldn’t process payments. After 17 days, the corporation had little choice but to start giving oil away for free to keep it flowing within Saudi Arabia.
In the process of rebuilding itself Saudi Aramco also caused a temporary shortage in supplies of hard drives after buying 50,000 at once.
It took five months before the company was back online.
Preparing for the worst case
The Saudi Aramco attack was bad, but it could have been much worse. The company was able to keep producing oil because its automated pumping system was unaffected.
However, cyber security on actual installations is a growing issue in the oil and gas sector, since critical network segments in production sites, which used to be kept isolated, are now increasingly connected to networks.
This is causing growing concerns that cyber attackers targeting an oil or gas installation could cause a disaster.
Mike Ahmadi, global director for critical systems security at Synopsys, a partner for innovative companies developing electronic products and software applications, says he recalls learning about one potentially disastrous scenario.
“A researcher once pointed out to me that the control systems managing the pontoons that keep them level could be compromised, allowing an attacker to drain ballast on one side, causing the platform to tilt over in the opposite direction,” he explains. “This could be quite catastrophic.” [A semi-submersible rig obtains most of its buoyancy from ballasted, watertight pontoons located below the ocean surface and wave action.]
The industry is generally keen to play down the actual risk of such threats, but Tony Proctor, a principal lecturer, consultant and information security researcher at the University of Wolverhampton, who has researched cyber security for ten years, says the industry faces many potential threats – including from eco-activists, terrorists, opportunists looking to make money and even countries aiming to disrupt another nation’s supply.
“It is not unreasonable to believe there could be a kinetic response to a cyber attack that would see countries go to war over an attack on part of the critical infrastructure, such as oil and gas,” he says.
Tackling the threat with joined forces
There are, of course, many less critical threats the industry faces. These are the focus of a new joint industry project (JIP) set up by DNV GL to produce guidelines for protecting oil and gas installations against cyber security threats, using the IEC 62443 standard tailored to the oil and gas industry.
These threats include malware getting into a plant, which is costly to expunge and may result in plant closures, as well as stolen data, which may be commercially sensitive.
“There was a particular incident at a Norwegian shipbuilder that builds supply ships for the North Sea; their design drawings got stolen through an attack and that of course costs them a lot of money,” says Pål Kristoffersen, project manager at DNV GL for the cyber security JIP.
Kristoffersen says there is also a growing trend in attacks using ‘ransomware’, malware that encrypts data, with the perpetrator then demanding money to clean up.
Cyber crime costs energy and utilities companies around $12.8m each year in lost business and damaged equipment, according to 2015 research by the Ponemon Institute for HP Enterprise Security.
However, this figure could be much higher, as companies often do not want to make a systems breach public knowledge, thereby essentially highlighting a weakness in their system.
The industry JIP launched in September, which includes major players such as A/S Norske Shell, Statoil, Lundin, Siemens, Honeywell, ABB, Emerson and Kongsberg Maritime, shows a new willingness to share information to create better defences against cyber crime.
It is hoped that by coming together the industry can make mitigating cyber crime cheaper and more efficient in the future.
“Suppliers of automation control systems are joining the JIP because it is very costly for them to have different requirements from different operators,” says Kristoffersen.
“If they can come down to one requirement set it will be easier for them to give proposals and solutions for different operators.”
Regulatory authorities are also interested in the JIP, says Kristoffersen, because they can then audit against common requirements at rig inspections.
Installations built in the North Sea in the 1970s and 1980s without concern for cyber security are the most poorly protected and vulnerable to attacks, says Kristoffersen.
“After the platforms were built, more infrastructure was added and established with fibre optics and satellite systems and so on, and then these old installations were connected to the meter, but they are actually not prepared for it,” he adds.
There has also been an increase in automation in the industry, as well as analytics and more real-time monitoring, all of which require connection to the internet and consequently present a larger attack surface.
“Many operators have been a bit too quick to connect installations to the network with too simple cyber security barriers, but today the focus is much higher,” adds Kristoffersen.
However, there is no simple one-size-fits-all solution to mitigating cyber crime.
“Securing systems can sometimes be like a bottomless pit, [so] it has to be a risk based approach,” says Proctor.
“Identify what are the biggest risks, what are the potential losses and apply mitigating action which is appropriate to those two actions.”
Often, Proctor adds, vulnerabilities in systems have been identified up to six months prior to a breach, so there is usually a ‘soft’ reason why these incidents could not be avoided.
“Perhaps it was out of the organisation's control, it was an outside server, a third party system – it is a common situation I see.”
Mitigating cyber attacks
Drawing on his experience, Proctor says there are three basic principles of cyber security: confidentiality, integrity and availability.
“I think what the industry needs to do is to start by simply looking at how this CIA [confidentiality, integrity and availability] triangle is being played out across all the systems that use cyber,” he says.
“In the oil and gas industry this needs to be applied to not only information but process and everything else.”
This includes making sure data is confidential and only shared with the necessary people, but also making sure these systems are available for use.
“There needs to be a balance between the two – establishing confidentiality and at the same time ensuring availability,” explains Proctor.
The JIP has a timeframe of a year to create guidelines for industry. Kristoffersen says it will focus on a holistic approach.
“The main point is that companies should know their risk and then deploy resources to mitigate this risk,” he adds.
However, guidelines are just that – guidelines. Some think that due to the significant potential for a disaster, mandatory government regulation should be in place.
“Guidelines are always a good idea, but I think we need to start seeing better cyber security requirements,” says Ahmadi.
“Security remains largely optional and the recent downturn in profits in the petrochemical industry led to large budget cuts, and security was no stranger to the budget cuts. What does not get cut is budgets to fulfil regulatory requirements.”
In Europe the Directive on security of network and information systems, which was adopted in August with member states having 21 months to transpose it into their national law, will go some way to ensure oil and gas operators in the EU implement cyber security mitigation measures.
The directive concerns measures to ensure a high common level of network and information security across the Union and will cover critical infrastructure such as oil and gas rigs.
It’s hoped that the JIP and the new EU directive will help to herald a new era of cyber security awareness in the industry, enabling operators to ward off potential attacks as effectively as possible. DNV GL is inviting companies that are not already on board with the JIP to join the process.