Presidential Policy Directive 21 identifies the energy sector as uniquely critical because it provides an enabling function across all critical infrastructure sectors. Without a stable energy supply, health and welfare are threatened and the United States economy cannot function.
The sector’s production, transportation and refining processes rely heavily on automation and control systems connected to the internet, making it more vulnerable to cyberattacks due to the high value of the data and systems it controls. To that end, the global oil and gas industry experienced an astounding 87% increase in company filings’ mentions of cybersecurity in the first quarter of 2024 compared with the previous quarter. The natural gas pipeline infrastructure in the United States has also been the target of repeated attacks over a number of years; one of the most recent was a coordinated attack on four of the country’s biggest gas pipeline companies.
According to the latest ransomware report by Sophos, energy/oil and gas/utilities is now the industry with the third highest rate of attack, with 67% targeted by ransomware last year. Exploited vulnerabilities were the leading root cause of such attacks within the sector, exceeding the rate of all other sectors for this root cause. Attacks in the sector were highly successful, affecting more computer systems than any other sector (62%) and compromising 79% backups at a higher rate than any other sector.
While digital transformation may be exacerbating cyberattacks, the answer to optimizing processes, increasing cybersecurity and meeting new government reporting regulations may be rooted in additional technology. Additionally, incorporating real-time analytics shows true operating conditions—including drill down capabilities—to uncover problem areas, allow collaboration and provide an opportunity to establish best practices across facilities.
Operations & Technology
The need to optimize production and minimize downtime is crucial in this industry. Leveraging digital technologies can aid in streamlining processes, improving decision-making and reducing inefficiencies. The ultimate goal of adopting modern systems is to have a wholly efficient—possibly even autonomous—process that cuts out excess fat, ballooning costs and wasteful operations. Focus should be on end-to-end process improvement, which will, in turn, help shape collaboration within the organization. That means investing in training and education, process automation, related hardware and new tools or software.
Continuous operational improvement starts with capturing data from machine assets. This data provides immediate insights for both people and systems, enabling them to make better, faster decisions and drive automation. While accurate, real-time data is pivotal to operations, harnessing this data effectively requires advanced technology and analytical capabilities.
Data Analysis Drives Efficiencies
Oil and gas companies increasingly use data to drive process improvements and optimize production. Vast amounts of data are collected for environmental reporting, predictive maintenance and safety enhancements, for example, but companies may be challenged to effectively manage and analyze the data. And while monitoring and alarms can improve system efficiency, they do not automate the labor-intensive reporting process or provide much-needed analytics that extract raw or summary values over a discrete period.
Automated third-party reporting software, however, tracks all stages of an energy pipeline supply chain. The finished reports are then distributed directly to preferred destinations, which streamlines the decision-making process and enhances operational efficiency. The ability to harness this data effectively can lead to smarter decision-making, improved processes and a competitive edge. Analyzing historical data allows operations management to identify patterns, trends and anomalies that may otherwise go unnoticed. Historical data analytics can help companies transition from reactive to proactive planning and keep planning aligned with operations.
However, not all data collection systems are equal. What differentiates mediocre from effective data collection is the ability to accurately and efficiently capture critical events, even under complex conditions. Achieving effective data collection requires embracing advanced solutions that go beyond traditional approaches. The integration of such solutions allows organizations to accelerate and drive overall equipment effectiveness (OEE), avoid problems before they occur and reduce engineering time by up to 70%. This approach analyzes data and delivers intelligent root cause analysis when issues arise, correlating event and alarm data to address upcoming issues.
Organizations can also integrate autonomous alerts notification software with an issue management and resolution accelerator that keeps workers and managers in the know, from alarm and alert detection to issue resolution. Many industrial facilities struggle with data across multiple platforms, hindering real-time analysis and action. This issue is solved by integrating data into a digestible format for users, from production engineers to maintenance teams. This cohesive solution not only helps teams first know that there is a problem but then takes things a step further by helping them understand what actions were taken to resolve the problems to enhance continuous improvement programs.
Cybersecurity Protocol & Advanced Software
The oil and gas industry is a prime target for cyberattacks due to the high value of the data and systems they control. The increased reliance on technology makes the sector more vulnerable to cyberattacks, which can cause significant disruptions to operations and potentially have severe consequences for the industry and the broader economy. In a 2023 industry survey by DNV, 69% of oil and gas professionals worry their organization is more vulnerable to cyberattacks on their operational technology networks now than at any other point in their history. They also acknowledge that cyberattacks are a question of when, not if.
To build resilience, oil and gas companies need to understand how an attack can impact their operations and primary business processes. Could an incident see production shut down? Could it impact the delivery and agreements the organization has with clients and partners? Could it have an impact on the public and cause the shutdown of critical infrastructure that provides gas to a country?
Companies can take proactive steps to help add protection against cyberattacks. Although replacing legacy systems and networks can be extremely costly, it is essential to work with vendors and cybersecurity experts to implement updates and, if necessary, overhauls of outdated systems. Invoke the help of internal or external advisors to prioritize risk and develop a realistic approach for enhancing cybersecurity. At a minimum, comply with basic standards, including restricted physical and technical access, firewalls, logging and encryption.
Additionally, many supervisory control and data acquisition (SCADA) systems are simply overexposed to the internet by remote desktop applications (e.g., remote desktop protocol [RDP] and TeamViewer). In an attempt to provide process and asset information to operators, organizations have provided much more, ignoring the principle of least privilege (PoLP) and opening their entire control systems and their hosts to remote desktop access by unnecessary parties. Such broad remote access techniques present an increased security risk for organizations.
Advanced remote alarm notification software and reporting software allows remote operators access to only the information they need from SCADA. It does not provide access to the SCADA itself or its operating system host. Such notification software is compatible with more secure, layered networks in which a series of firewalls provide added protection from attacks. This is done by deploying notification solutions alongside the SCADA system at the network’s control level and using notification modalities that are not internet facing or distributing internet-facing notification processes to higher levels. For example, internal email servers, SMS modems and voice via private branch exchange (PBX) devices allow communication with the outside world without internet exposure. Likewise, distributing the processes that interface with SCADA from those that interface with external email servers, voice over internet protocol (VoIP) solutions and cloud apps allows internet-based notifications without compromising security.
There are valid use cases for desktop sharing software that do not violate PoLP and go well beyond operator access to process information. For such systems, it is critical the remote desktop solutions be implemented with sound security. Oil and gas companies should not use unattended access features, and IT leaders should configure the software such that the application and associated background services are stopped when not in use. Integrating remote alarm notification software through the SCADA system is critical to further reducing cyberattacks.
There are several steps that oil and gas companies should take to improve their cybersecurity:
- Update any software to the latest version.
- Deploy multifactor authentication and favor authentication apps and SMS instead of codes sent to email.
- Use strong passwords changed periodically where multifactor authentication cannot be employed.
- Ensure antivirus systems, spam filters and firewalls are up to date, properly configured and secure.
- Require all personnel to go through cybersecurity awareness training.
- Create or review backup and recovery plans.
New Reporting Requirements
In July 2023, the Transportation Security Administration (TSA) announced updates to its security directive aimed at enhancing and testing cybersecurity for certain pipelines and liquified natural gas facilities. This move underscored the TSA’s continued focus on fortifying the nation’s critical infrastructure against cyber threats. This, along with the Cyber Incident Reporting for Critical Infrastructure Act of 2022 and the Securities and Exchange Commission rule requiring public companies to disclose material incidents within four business days, has caused significant changes: first, a shift toward earlier reporting and public disclosure of cyber incidents; second, an increase in government oversight and regulation of cybersecurity within the industry; and third, a heightened focus on cyber governance, including by companies’ boards of directors.
TSA substantially expanded cyber incident reporting requirements when it required critical pipeline owners and operators to report any cybersecurity incident on a pipeline’s network infrastructure to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of identification.
To help meet these mandates, companies can turn to third-party reporting software that seamlessly integrates with programmable logic controllers (PLCs), SCADA and historian systems. Reports provide a visualization of this historized process information and correlate related process variables, compute metrics on that data and visually graph such data for easier pattern and anomaly detection. Advanced reporting solutions can even pull information from remote alarm notification software, allowing further analysis and optimization of condition response times.
Reporting software enables organizations to turn raw process data into actionable information, thereby increasing efficiency and reducing costs. Automated reporting solutions streamline regulatory compliance by consolidating data from disparate sources like instrumentation readings, program or recipe setpoints, human-machine interface (HMI) audit trails, alarm history and others. As the data is collected, it is summarized as key metrics such as the deltas in the cleaning solution temperature or conductivity. The final output is published into a formatted document representing a detailed performance audit of the process execution.
References
- offshore-technology.com/data-insights/cybersecurity-mentions-oil-gas-industry (accessed May 21, 2024).
- praxie.com/digital-transformation-in-oil-and-gas-manufacturing (accessed May 22, 2024)
- Megan Ray Nichols, “How Manufacturing Plants Can Prepare for Industry 4.0,” InterestingEngineering.com, April 20, 2018.
- worldoil.com/magazine/2023/december-2023/features/digital-transformation-building-cyber-resilience-in-the-oil-and-gas-industry (accessed May 22, 2024).
- awwa.org/wp-content/uploads/awwa-cybersecurity-risk-and-responsibility.pdf (accessed March 1, 2022).
- biztechmagazine.com/article/2021/04/cybersecurity-lessons-utilities-can-learn-oldsmar-water-plant-hack (accessed March 1, 2022).
- Stephen Lilley and Christopher Watts, “Changing Cybersecurity Expectations for US Oil & Gas Companies,” Bloomberg Industry Group, Inc., 2023.
