Oil and gas industry and cyber resilience

In May 2021, the possibility of a cyberattack on the oil and gas industry was brought to the public’s awareness when U.S. pipeline operator Colonial Pipeline suffered a ransomware attack. This latest example shows that attacks are becoming more and more frequent – and more sophisticated. The threat did not begin with the establishment of digital applications in this sector: Information systems (IT) and especially operational technology (OT) are also at risk. Their protection ensures the safety of people, systems and data. Siemens Energy is convinced that the only way to remain one critical step ahead is by taking immediate action.

Ahmed Bakr is a senior cybersecurity officer (CSO) based in the Saudi Arabian city of Jeddah. He and his colleagues support the various Siemens Energy Business Units and their customers in every aspect of cybersecurity. Services include critical asset identification, vulnerability management for IT applications and support for those responsible for industrial cybersecurity of Siemens Energy's portfolio, which also covers the oil and gas business field. According to Bakr, “Oil and gas companies are targets of cyber criminals. We all are. Their attacks are intended to target a company’s systems and inflict damage by compromising the availability, integrity, and confidentiality of data for example. Although awareness is growing, defence against cyberattacks will have to be taken even more seriously in the future.”

The case of Colonial Pipeline in the USA shows what a single attack can do. The company was forced to stop running the systems that operate its 5,500 mile pipeline. The economic damage was tremendous. The next cyberattack is on its way; the only question is when and how. “The oil and gas industry has to prepare right now,” Bakr says.

“

The defence against cyberattacks in oil and gas will have to be taken even more seriously in the future.

As early as 2017, the U.S. research institute Ponemon was commissioned by Siemens to conduct a survey of the oil and gas industry. According to its findings, 68% of U.S. oil and gas cyber managers said that their organisation had experienced at least one loss of confidential information or disruption to operations in their OT environment over the past 12 months. At the same time, the study asserted that many of the organisations lacked awareness of the OT cyber risk.

“Although the most common motive of cyber criminals is to make money, attackers are no longer limiting themselves to implanting malware. Some simply want to destroy systems and harm people. So it’s also a matter of protecting the physical operational technology,” Bakr comments.

For some time, people in the industry have been talking about one of the most dangerous attacks on industrial oil and gas facilities so far. According to an analysis by cybersecurity company FireEye, one of these attacks was not only planned to disrupt operations, but also to cause physical damage threatening human lives. But what is clear, according to Bakr, is that successful cybersecurity needs to be based on a so-called layered defense approach to prevent the worst and save lives.

A layered defense, also called ‘defense in depth’, is a proven concept based on various types of overlapping cybersecurity controls. The idea is that if one control fails or gets bypassed by the attacker, another layer offers protection.

As an experienced authority on the industry, Siemens Energy makes its comprehensive expertise available to the oil and gas industry to assist in its fight against cyberattacks. The company’s offerings range from cybersecurity products and their implementation to consulting and training services as well as comprehensive cybersecurity solutions.

Having established its own robust in-house organisation to fight cyber criminality years ago, Siemens Energy now has more than 100 cybersecurity experts stationed worldwide who are directly supported by their colleagues in the various business areas known as Product and Solution Security Officers (PSSOs). The PSSOs are responsible for ensuring that products and solutions comply with global industry standards such as IEC 62443. This means that compliance with extremely high cybersecurity standards is constantly being promoted – beginning with development and throughout the entire value chain all the way to product hardening and cybersecure project execution. Suppliers and the company’s partner network are also subject to strict requirements.

One of these requirements is cybersecure products. Another is the secure use of these products, for example, in oil and gas companies. Experts agree that technology companies should take more responsibility and become more involved in the deployment of solutions in the customer’s environment. “We employ a variety of approaches to support our customers’ cybersecure operations,” says Bakr. “For example, our division Industrial Applications has achieved IEC 62443-2-4 certification in several locations for project execution processes to provide secure solutions.”

“

Knowledge is an important key to an effective defence.

However, some companies don’t have any in-house cybersecurity processes, let alone a dedicated organisation, or else they have no qualified personnel. In these cases, they can purchase expert knowledge – including, of course, from Siemens Energy, whose goal is to become the world's most valued energy technology company. Upon request, customers can be supplied with everything they need for cybersecurity structures and vulnerability or gap analysis, including measures and their implementation. This is called ‘cybersecurity as a service.’

The first step is usually a consultation on the latest cyber threats, gateways, and potentially effective measures. Ahmed Khalifa is the company’s technical sales manager for Cybersecurity. He and his colleagues are located in Dubai in the UAE.

“Many of the initial measures are easy to implement and aren’t very expensive,” says Khalifa. “For example, knowledge is an important key to an effective defence.”

Knowledge lays the foundation for secure processes and successful access management, and it also raises the awareness of all personnel. In 2020, a study by Stanford University professor Jeff Hancock and the security company Tessian determined that 88% of data breaches are caused by employee error. This means that one of the greatest risks to cybersecurity – human error – can be prevented through training.

One thing that the two cyber experts emphasise is that while the unstoppable growth of digitalisation can increase certain cyber risks, these risks are outweighed by the benefits for industry. Khalifa notes, “Digitalisation, which is especially practical for the oil and gas industry, doesn’t automatically mean operation in the cloud. For critical infrastructures like oil and gas, it primarily means using digital applications to monitor physical assets such as gas compressors and offshore drilling equipment, with the goal of making the operation more efficient and costeffective. We’re able to protect these functions from cyber threats very effectively.”

Whether it is from remote monitoring or predictive maintenance, reduced carbon emissions or optimised fuel consumption, useful data is only transferred in one direction, thanks to a Siemens Energy Power Plant Automation (SPPA) unidirectional gateway that turns data highways into one-way streets. Data transfers in the opposite direction – in the direction of the plant – are absolutely impossible. The benefits for customers are a comprehensive overview of their systems’ health status and automatic notification if any disruptions occur.

Digitalisation itself is one of the most effective weapons against cyber threats, and so is artificial intelligence (AI). AI is the basis for Siemens Energy’s innovative Plant Security Monitoring. The company wants to use AI primarily to help small and medium-sized oil and gas companies protect their plants from cyberattacks. As Khalifa explains, “The Plant Security Monitoring algorithms study and learn a plant’s ‘normal’ behaviour. Afterwards, if any deviations occur, the system records the abnormal behaviour and issues an alarm. This is how we make very effective use of every aspect of digitalisation’s strengths – including and especially in the fight against cyber criminals and terrorists.”

How cyber-ready is the oil and gas industry?

Cyber security can save lives

Strictinternal and external standards

Consulting and analysis

Does digitalisation offer more benefits than risks?

Artificial intelligence protects against cyber crime