Oilfield Technology spoke with Deirdre Michie, Chief Executive of Oil & Gas UK, who, as an executive committee member with SPE Offshore Europe 2017, will be leading a panel session at the conference to explore the industry’s understanding of what the ‘new realities’ are and how to deal with these emerging threats.
Why did the SPE Offshore Europe executive committee select ‘Cyber and Physical Security’ as a keynote topic for this year’s conference?
The scale and severity of attacks on industrial cyber systems is growing. For the oil and gas sector - like other sectors - it continues to be difficult to detect and defend against.
In what has been an uncertain time for the industry, now, more than ever, it is important that we build our resilience against the changing threats of the global geopolitical and security landscape.
This keynote session seeks to inform our understanding of what the ‘new realities’ are in the global security environment, so that we can proactively manage the risks and ensure safe and sustainable operations.
How would you describe the rate of such attacks and how is this impacting the industry financially?
Politically and economically, the attention of hackers is drawn to energy in wishing to cause disruption by halting production, causing financial loss, or even causing loss of life.
Cyber-attacks on the energy sector, and on oil and gas facilities, have increased in the past five years along with the associated costs.
How are threats and security risks changing for the oil and gas industry?
Technological advancements in our industry may expose more of our operations to cyber attack.
The offshore physical security environment is also ever changing with strategic geopolitical shifts giving rise to new areas of potential conflict. Global networks of terrorists continue to pose a threat to politically important commercial operations.
Pirates in parts of Asia and Africa have been found to hack into shipping management systems to identify potentially lucrative targets, and the Shamoon attack on Saudi Aramco in August 2012, was perhaps the most high-profile attack within the industry to date.
Is there any shift from physical to cyber risk or are they actually converging?
Malicious groups have an increasingly large armoury of technology - physical weaponry and malware - with which to target oil and gas operations.
Those with specialist knowledge suggest that in most cases, cyber and physical attacks are disassociated, although ‘cyber physical’ attacks, where control systems are hacked to cause physical damage, are on the increase.
Can you give any examples of recent significant physical security-related incidents in the industry, the impact they had and how they were handled?
Companies have demonstrated different approaches to the recent spate of attacks by the Niger Delta Avengers (NDA) on oil facilities offshore of Nigeria.
The militant group emerged in early 2016 and has launched more than a hundred attacks on oil infrastructure, including pipelines, vessels and offshore platforms owned and run by some of the world’s largest energy companies.
Some companies evacuated staff and halted operations at an early stage. It was vital that companies were informed with up-to-date and accurate information, in order to effectively manage the risks to their people and assets.
What effect do you think the downturn is having on threats and risk in the industry?
With pressure on bottom lines, expenditure on sometimes expensive risk mitigation technology, could be seen as challenging. However, the threats are unlikely to go away and will continually evolve. It is therefore vital that companies continue to invest in solutions that will ensure security for their personnel, assets and reputation.
Frank Gardner, the BBC’s security correspondent, journalist and author, will join the ‘Cyber and Physical Security’ panel session at SPE Offshore Europe 2017.
What can the oil and gas industry learn from other sectors to strengthen security?
Cooperation and sharing information within the industry is crucial to help companies collectively respond to emerging threats and, importantly, learn from incidents where things have gone wrong. There are a number of ongoing collaboration initiatives on cyber security in the oil and gas sector, which is good to see.
Investment in risk management will establish effective processes and procedures to ensure industry remains on top of security threats, and will also instil a culture of security within any organisation.
Human error still remains one of the main causes of security lapses and all employees should have an understanding of how they are likely to be targeted. In today’s digital world, simply opening an infected email in a head office for example, may lead to serious consequences for upstream and downstream operations.
Are there any new developments in this field that will be discussed at OE? Who is the debate aimed at?
Security threats can impact everyone in the industry at all levels, from investors to boards to senior managers to rig workers, so this session is open to all.
Professor David Stupples, Director of Electronic Warfare Systems Research, University of London, will reveal research into the current state of play of the cyber threat specific to the oil and gas industry. In particular, he will talk about cyber-attacks on SCADA – supervisory control and data acquisition.
Other keynote speakers include Dominic Armstrong, president of Herminius, a risk management and intelligence consultancy.
We will also welcome BBC security correspondent, journalist and author, Frank Gardner OBE, who survived being shot six times by Al-Qaeda terrorists in a Riyadh suburb in Saudi Arabia.
What can delegates expect to take away from this session?
Delegates will leave with a better understanding of the shifts in global strategic risks to oil and gas operations and the ‘new realities’, threats and vulnerabilities that companies are facing. The discussion will also share experiences and learnings from security trends in existing offshore producing regions such as West Africa, the Middle East and South America.
Read the article online at: https://www.oilfieldtechnology.com/digital-oilfield/12052017/cyber-and-physical-attacks-understanding-and-managing-the-risks/