Oil rigs and oilfields are incredibly lucrative targets for cybercriminals, which is why it’s so concerning that the oil-producing nations of OPEC still haven’t established good cybersecurity protocols.
The steady improvement of connectivity in oil facilities has greatly improved both the safety and productivity of day-to-day operations in the oil and gas industry. And while this is welcome news to an industry where a mere ten hours of rig downtime can cost a company upwards of $125,000, it also introduces a great deal of new risk into the picture in the form of cybersecurity vulnerabilities.
According to Deloitte, energy was more prone to cyberattacks in 2016 than all but one other industry, “with nearly three-quarters of U.S. oil and gas companies experiencing at least one cyber-incident.” But this remarkably high figure isn’t entirely surprising when you consider the research that indicates only 35% of oil and gas companies rate their OT cybersecurity as “high,” and only 41% of oil and gas companies claim to “continually monitor all infrastructure [for] threats and attacks.”
As troubling as this domestic state of affairs may be, the International Telecommunication Union’s 2017 Global Cybersecurity Index (GCI) paints an even grimmer picture of cybersecurity in oil and gas industries in the Organization of the Petroleum Exporting Countries (OPEC).
Built around five central cybersecurity “pillars” — legal, technical, organizational, capacity building, and cooperation — the GCI measures “the type, level, and evolution over time of cybersecurity commitment in countries and relative to other countries.” It focuses especially on “the cybersecurity commitment divide, i.e. the difference between countries in terms of their level of engagement in cybersecurity programs and initiatives.”
Every country is given an overall cyber-readiness score (on a 0 to 100 scale), and these scores are sorted into three classifications: initiating stage (GCI scores below the 50th percentile), maturing stage (GCI scores between the 50th and 89th percentile), and leading stage (GCI scores in the 90th percentile and above).
According to the index, countries in the initiating stage collectively produce more than 44 million barrels of oil per day, roughly 45% of the world’s overall production. Among OPEC’s 14 member countries, six — Angola, Equatorial Guinea, Gabon, Iraq, Kuwait, and Libya — are in the initiating stage and eight — Algeria, Ecuador, Iran, Nigeria, Qatar, Saudi Arabia, the United Arab Emirates, and Venezuela — are in the maturing stage.
Even in OPEC countries with relatively mature cybersecurity systems in place, cyberattacks on oil facilities continue to pose a significant threat. For instance, in 2015, Saudi Arabia (which charted a score significantly higher than the OPEC average) recorded more than 160,000 cyberattacks per day; the actual number experienced is likely far higher, as nearly half (46%) of all cyberattacks on OT environments go undetected.
In 2012, hackers launched the notorious Shamoon virus, an attack which wiped the disks of more than 30,000 computers at state-owned oil company Saudi Aramco. Similar attacks on Saudi government systems, almost certainly including those at Saudi Aramco, were reported in August and November of last year.
Unfortunately, oil-producing countries continue to be vulnerable to serious cybersecurity breaches. Around 42% of offshore rigs in the world are over 15 years old, and, according to Deloitte, “Fewer than half of oil and gas companies use monitoring tools on their networks, and of those companies that have these tools, only 14% have fully operational security monitoring centers.”
As a result, a major cyberattack can create hundreds of millions of dollars in damage before it’s even detected. If targeted correctly, such attacks could cause noteworthy disruptions not only of national economies, but of the global oil and gas market at large.
Encouragingly, some oil and gas stakeholders have started working together to improve industry-wide cybersecurity. At the end of the day, however, a network’s cybersecurity is only as strong as its weakest link, meaning each and every oil company has a responsibility to maximize the protections on its own digital infrastructure.
One of the most efficient ways to do so is to partner with a cybersecurity expert like Turn-key Technologies. With over two decades of experience in the petrochemical industry, we understand the unique challenges presented by complex OT environments, and are able to help any oil and gas company achieve robust security without compromising the speed or efficiency of their operations.