Cyber Security Strategy Key To SCADA
By Charles “Chuck” Drobny
HOUSTON–Until recently, who could have imagined that a high-ranking U.S. Department of Defense official would publicly say cyber security “has become as critical to military operations as land, sea, air and space”?
Connect that dramatic policy statement with a Department of Homeland Security announcement that 40 percent of all hacking attacks last year directed at U.S. organizations targeted the energy industry. For upstream, midstream and downstream executives, the wake-up call has become starkly real, facing an enemy not armed with missiles, bombers and troops, but with keyboards, computer monitors, and an Internet connection. Cyber security has become a new form of corporate warfare.
Among key hacker targets are supervisory control and data acquisition systems with direct connections to process control networks. Given that SCADA typically is defined as monitoring and controlling entire sites or system complexes, the implications of cyber security attacks should set off alarms for all management personnel responsible for the vast array of equipment involving remotely controlled actions.
At the wellhead, automation has become common, from remote terminal unit controllers to programmable logic controllers, as have SCADA systems in locations ranging from compressor stations to gathering lines, to interstate pipelines on the midstream and downstream sides. As a result, a strategy must be developed to achieve cyber security objectives as an extension of today’s SCADA.
The overriding significance of incidents such as major software providers being hacked by the Chinese is that these nationalist outlaws already have demonstrated theoretical access to companies’ process control networks. For most oil and gas companies, therefore, the issue is twofold:
- Why typical SCADA network designs may not provide sufficient protection; and
- How companies can implement higher security levels without ballooning their technology budgets.
Realistically, any access, data or connectivity point is potentially a vulnerability point, just as any door, no matter how well secured, is a potential entry point. And SCADA, in continuous operation from wellhead to midstream to downstream, is a rich and growing source of information, making it an ever more appealing target.
In weighing SCADA’s relationship to cyber security, one must consider that most SCADA systems have fairly substantial amounts of onsite power for processing, storing and transmitting data (with data stored locally, in case the communications link is broken). Different companies have different architectures, and many have regional operations centers, which may be as small as two or three local servers handling communications, data archiving and data display reporting; or they may have large, consolidated data centers.
Each well reports its information to a processor on a pad, which subsequently delivers that information through a communication link (typically a digital radio link) to a central point per field, where each field’s master radio sends the data to a control center or data center over a T1 connection. With multiple wells on one circuit, many digital radios are utilized to collect this data for each field and then connect through the T1, all of which requires multiple processors and multiple computers.
Thus, each well is a data access point and each radio network is another data access point. Any of those can be compromised. Additionally, the local processors along the way allow a risky scenario to unfold: if a processor is attacked, the malware may lie dormant and do actual damage later, or spread to even more platforms.
Four Major Weaknesses
SCADA’s complexity indicates how much can go wrong electronically if an oil and gas company’s systems are hacked or compromised. Of four major weaknesses, one involves having no security on the local area network (LAN). Frequently, a wireless network in the field, similar to ones in offices, is used to communicate with individual sensors. Also, some networks have open protocols, which allow anyone to access that LAN. Both are examples of LANs having no security, no virus scanning, and no perimeter defense.
Second, firewalls typically are the sole security provision. Many companies have a single firewall at their network operations or data center, essentially functioning as a perimeter defense to scan incoming data packets. However, when a large volume of data is entering, the firewall (which is only a filter, not an impenetrable blockade) can be overwhelmed by too much volume or by too much complexity or sophistication. As a practical matter, a firewall is a filtering mechanism that views each data packet in isolation and figuratively says the packet is either okay or not okay.
The third weakness is multiple access points from the LAN into the wider network. Virtually every flowmeter and processor in the field has open protocols on COM, USB or serial ports, which allow access into that network. Unfortunately, many are legacy access points created years ago, when cyber security concerns were neither appreciated nor apparent. Generally, companies do not retrofit old equipment or older mechanisms, because the economics do not justify retrofits that do not improve operations.
The fourth weakness is a lack of physical security. This shortcoming often is evident when people can walk into an office unnoticed, sit at a computer monitor and unobtrusively access the system. Although some companies do have good security with locked doors or restricted access to programs, personnel do leave doors unlocked and access readily available–aside from stolen laptops, tablets and mobile devices, which afford hackers remote access to a company’s systems. Today’s increased access for employees often translates into a higher incidence of vulnerabilities. In other words, vulnerabilities have become a numbers game, with security policies that too often are not rigorously enforced or are not even in place.
Serious Potential Risks
When these kinds of security weaknesses are allowed to go virtually unchecked, multiple risks hang over companies. These include the most devastating and grievous: risks to human life. With the industry’s numerous remote locations, risks to individuals primarily occur with company personnel. Other times, however, the public is involved when operations are near populous areas.
Anytime a safety system potentially can be compromised, ramifications for disaster are tilted easily toward injuries or loss of life because systems that fail are not fundamentally benign, but have tremendous stored kinetic energy. The consequences can be huge, anytime an alarm does not sound or a valve does not close because a system has been hacked remotely.
Another risk of compromised systems is to the environment. Even a small spill is not innocuous if, for example, it infiltrates a water table or part of an aquifer. Worse, some risks could go unremediated simply because they went unnoticed.
Third, risks to a company’s reputation can be severe and immediate, but also difficult to cleanse or repair over a long period. A company’s image, which may have been built up carefully over decades with customers, vendors and the public, can be exceptionally sullied. As a consequence, it hurts recruitment because previously likely candidates may have become disillusioned with what the company appears to stand for.
Fourth is the risk to physical assets and lost production resulting from cyber sabotage. Perhaps ironically, direct production loss tends to account for the smallest percentage, since once the loss is experienced and attributed to malware, a company is obligated to shut down its other operations where malware also may have struck. Various other unaffected systems may have to be shut down as well, on the basis of diligence, which is where revenue loss does occur and begins growing.
Damage potential creates the management quandary. If a company has a field where data are compromised and a pad goes bad, does management assume that only the one observed pad is bad? Or should the entire network be shut down? Incidents such as this have shown that company profit margins for an entire quarter actually have eroded through one significant attack and what had to be done to stave off human or property disasters.
Companies simply cannot ignore what might be missing or lacking. They must respond to what may exist by auditing their networks, processes and systems for weaknesses or flaws. Specifically, companies have multiple responsibilities regarding cyber security. They have a fiduciary responsibility and a public safety responsibility, as well as an obligation to their employees’ welfare, to shut down, figure out and turn around the adverse situation.
Proactive Cyber Security
Many oil and gas companies operating domestically and globally can do more proactively to protect themselves on the cyber security front. First, a company literally should draw up a cyber security plan to assess risks and vulnerabilities in its network and SCADA systems. This becomes the foundation for designing the network and SCADA system with cyber security contingency planning and prioritized countermeasures.
Since many companies do not and have not documented vulnerability problems, a risk/vulnerability analysis will show the “holes” (sometimes gaping), which become apparent only through a formal assessment. Ideally conducted by an outside vendor for best objectivity, the audit also can be done more quickly and at a noticeably lower organizational cost.
Assessment studies include other strategic activities such as contingency planning, developing a road map, and prioritizing countermeasures.
The first piece of the security puzzle for company management is to “know what you have.” The second is knowing how to defend against security breaches, and the third piece is understanding what to do if and when a system is compromised.
In other words, a response plan must address how management should take action, which personnel should respond, which programs should be moved to other servers, and whether parts of the system should be shut down and people should be evacuated. In addition, what are the protocols, who gets energized, whose job may change for several weeks, who gets reported, and who is in overall command? All this should become the contingency plan.
The second proactive step is specific protection against cyber threats. Key protective measures include firewalls and access controls. This decision-making process begins with establishing firm “bring your own device” policies at oil and gas companies to ensure the system can “handle” those devices, and by instituting sufficient control measures. One measure is limiting what the devices can access, such as a company network.
Although firewalls protect against known vulnerabilities for which defenses exist, firewalls are only as robust as their updates. Access policies are equally sensitive and should be reviewed on an ongoing basis, because methods of access increase monthly.
Third is the critical importance of monitoring, an admonition recognized by the industry in American Petroleum Institute Recommended Practice 1164, which states that implementing a combination of network monitoring technologies in addition to firewalls is necessary to enhance network security and management. Fortunately, software has been developed to evaluate how a network is running and determine whether any abnormalities exist. Companies should utilize these programs to ensure their systems have not been compromised.
Finally, central to any effective cyber security plan is developing a customized intrusion detection plan, or a response plan that is initiated once an attack is detected. Essentially, monitoring software is used to identify what normal operations look like and to spot anomalies. When an anomaly occurs, parts of the system can be shut down and moved to alternative platforms, so the anomaly can be investigated and cleaned up without additional system damage.
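The monitoring approach described above, learning what normal looks like and then flagging departures from it, can be shown on a small scale. The following is an added example written for this article, not code from the author or from GlobaLogix, and it makes several assumptions: the field network produces one log line per poll in a constructed format (`<timestamp> src=<ip> dst=<ip> proto=<name> func=<code>`), the addresses and function codes are invented sample values, and the baseline is simply the set of flows and the peak per-source rate seen during a quiet learning period. It flags two kinds of anomaly: a flow never seen during learning (a new host, a new protocol, or a new function such as a register write) and a polling rate that exceeds the learned peak by a configurable factor.

```python
"""Baseline-and-anomaly detector over constructed SCADA polling logs (added example)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed log format: "<ts> src=<ip> dst=<ip> proto=<name> func=<code>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) func=(?P<func>\d+)$"
)


@dataclass(frozen=True)
class Event:
    ts: int
    src: str
    dst: str
    proto: str
    func: int


def parse(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(int(m["ts"]), m["src"], m["dst"], m["proto"], int(m["func"]))


class Baseline:
    """What 'normal' looked like during the learning period."""

    def __init__(self, events, window=60):
        self.window = window
        # Every (src, dst, proto, func) combination observed while learning.
        self.flows = {(e.src, e.dst, e.proto, e.func) for e in events}
        # Peak number of events per source within any one time window.
        per_window = Counter((e.src, e.ts // window) for e in events)
        self.max_rate = defaultdict(int)
        for (src, _), n in per_window.items():
            self.max_rate[src] = max(self.max_rate[src], n)


def detect(baseline, events, slack=2.0):
    """Return alert strings for flows outside the baseline or rates above it."""
    alerts = []
    rate = Counter()
    for e in sorted(events, key=lambda ev: ev.ts):
        flow = (e.src, e.dst, e.proto, e.func)
        if flow not in baseline.flows:
            alerts.append(f"{e.ts} unknown flow {e.src}->{e.dst} {e.proto} func={e.func}")
        key = (e.src, e.ts // baseline.window)
        rate[key] += 1
        limit = int(baseline.max_rate.get(e.src, 0) * slack)
        # Alert exactly once per window, on the first event past the limit.
        if limit and rate[key] == limit + 1:
            alerts.append(f"{e.ts} rate for {e.src} exceeded {limit}/window")
    return alerts


def run_demo():
    """Learn from five quiet minutes, then watch two minutes that contain anomalies."""
    master, rtus = "10.1.5.1", (11, 12)  # constructed: field master radio polling two RTUs
    # Learning period: the master reads (func=3) each RTU every 20 seconds.
    learn_log = [f"{t} src={master} dst=10.1.5.{r} proto=modbus func=3"
                 for t in range(0, 300, 20) for r in rtus]
    # Live period: same polling, plus an unknown host writing registers (func=16)
    # and a burst of one poll per second from the master.
    live_log = [f"{t} src={master} dst=10.1.5.{r} proto=modbus func=3"
                for t in range(300, 420, 20) for r in rtus]
    live_log.append("350 src=10.1.5.99 dst=10.1.5.11 proto=modbus func=16")
    live_log += [f"{t} src={master} dst=10.1.5.11 proto=modbus func=3" for t in range(361, 381)]

    baseline = Baseline([e for e in map(parse, learn_log) if e])
    return detect(baseline, [e for e in map(parse, live_log) if e])


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The two alerts the demo produces correspond to the two conditions the article says a monitoring program should surface: a device or action that was never part of normal operations, and a volume of traffic the field network does not normally carry. In practice the learning period would be much longer than five minutes and the flow key would include whatever the protocol exposes (register ranges, unit identifiers), but the structure is the same: record normal, compare live traffic against it, and hand anything outside it to the response plan.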
It is quite similar to preventive maintenance on a pump. When the pump begins vibrating or exhibiting other operational problems, waiting for the pump to actually fail is not a viable approach. Instead, the pump is put on bypass and another pump is put on line while the defective pump is repaired.
As critical as cyber security is, simply creating a climate of alarm is not the solution. Rather, companies should develop options for dealing with each alarm, codifying that there is real potential trouble in cyberspace, and should put in place architectures or processes to deal with the problems.
Tomorrow’s information technology capability will be much different from today’s. Therefore, even more potential for vulnerability will be created and, in turn, will continue to be exploited by hackers seeking to disrupt vital operations within the oil and gas industry. Executives must recognize that neither business models nor IT models are static, so their cyber security models also should not be static. They must be ongoing and adaptive, and able to advance with the times to defeat the catastrophic threats to the industry in cyberspace.
Charles “Chuck” Drobny is president and chief executive officer of Houston-based GlobaLogiX. He previously served as vice president of operations, overseeing all the company’s field service shops and staff. Before joining GlobaLogix in 2006, Drobny was chief operating officer of Boatracs, where he implemented communication and vessel management technology and software solutions for customers ranging from river towboats to offshore supply vessels and North Atlantic fishing boats. In previous positions, Drobny managed engineering operations and maintenance on Ingram Barge Company’s fleet of 4,000 barges, and provided engineering analysis as a Mobil Oil representative. Drobny holds a bachelor’s in engineering from the U.S. Military Academy at West Point, and a master’s in business management from the University of Cincinnati.