PITTSBURGH—On one hand, the incorporation of new technologies are helping U.S. shale producers improve operational efficiency in the oil patch.
However, on the other hand, the adoption of these new digital tools and devices are inherently making shale producer operations less safe, according to Sam Miorelli, global head of cybersecurity for industrial applications at Siemens Energy.
“Evolving business models are making digitalization a competitive advantage,” Miorelli told the audience at Hart Energy’s DUG East Conference and Exhibition on June 14. “We get efficiency by bringing in more computers and optimizing processes,” but adding digital tools increases the attack surface exposed to cyberthreats.
These changes, he said, make oil and gas companies the new cyberattack frontier.
“We need to keep malware out of OT because that’s where people can get hurt.”—Sam Miorelli, Global Head, Cybersecurity for Industrial Applications, Siemens Energy
The first step toward protecting energy assets is getting companies to understand that when IT devices —like laptops and printers—are connected to operational technology (OT) devices—such as computers that control and monitor equipment—the safety of operations can be compromised.
Companies tend to think they are safe because they are not connected to the internet, but Miorelli cautioned, “Even when you think it’s true, it’s not true. It doesn’t matter if a computer is bolted onto machinery, or a laptop is being used to establish equipment set points. When the laptop is plugged into the equipment, it is OT.”
Based on the assumption that separation ensures security, some companies focus their efforts on maintaining an “airgap” between IT and OT to prevent potentially dangerous contact, but this is a mistake, he said.
“The moat is not enough, and it’s certainly not deep enough,” he said.
Even if an airgap existed, Miorelli said, “maintaining an air gap is devilishly hard.”
The reason is that the lifecycle change documentation process is not oriented to preserving an airgap.
“It’s thinking about making sure operations knows about changes, making sure there is a proper focus on maintaining safety standards and ensuring certification is not compromised. It’s generally not oriented around making sure we haven’t accidentally made an external vector on our network,” he said.
At the same time that the energy industry is becoming a target, the type of hackers attacking is changing.
“It’s not just the guy in the basement. It’s organized crime. It’s organized terrorist groups. It’s nation states, and hacktivists,” Miorelli said.
He pointed to several recent incidents as examples, including the 2021 ransomware attack on the Colonial Pipeline, which transports an average 100 million gal/day of gasoline, diesel, jet fuel, and heating oil 5,500 miles from Houston to the Port of New York and New Jersey on the U.S. East Coast.
The hackers, a criminal group called DarkSide, gained entry to the system when a former employee reused Gmail credentials for a corporate VPN account.
The April 29 attack was not reported until May 7, and in the interim, 100 gigabytes of data were stolen. The pipeline was shut down until the hackers were paid a ransom of nearly $5 million.
The Colonial Pipeline attack was disruptive, but the TRITON attack carried out by a Russian government-backed research institution against a Middle East petrochemical facility in 2017 could have been deadly.
A flaw in the malware caused two shutdowns, indicating something was amiss and prompting the company to call in investigators, who identified the cyber breach. Had they not intervened, hackers could have caused the release of toxic hydrogen sulfide gas or an explosion that would have put at risk the lives of workers at the facility as well as the surrounding area.
“We need to keep malware out of OT because that’s where people can get hurt,” Miorelli said.
For companies that have not yet invested in cybersecurity, there is no time to lose. Fortunately, taking the first step is not cost-prohibitive.
“Investing $50,000-$100,000 in an older site is enough to get a lot done in the context of risk management for oil and gas,” he said.
For areas like the Marcellus that are in development now, cybersecurity is a subject that should be addressed very seriously in the planning stage, Miorelli said.
“Most of the cyber pieces you want can be installed by equipment providers at relatively low marginal cost while equipment is being manufactured. If it is something you’re thinking about when transitioning from drilling to production, it is usually a lot less expensive,” he said.
Whether a company is already established or just setting up operations, cybersecurity is critically important, Miorelli said.
“My call is to please start thinking about this,” he said.
Recommended Reading
BKV Prices IPO at $270MM Nearly Two Years After First Filing
2024-09-25 - BKV Corp. priced its common shares at $18 each after and will begin trading on Sept. 26, about two years after the Denver company first filed for an IPO.
Oil, Gas Completions Company Covenant Testing Rebrands as One X
2024-09-25 - Covenant Testing said the name change to One X is meant to bring awareness to the company’s “comprehensive, end-to-end solutions for our clients.”
Mach to Sell Additional Common Units to Fund A&D
2024-09-25 - Mach Natural Resources announced that the underwriters of its public offering of 7.27 million units have exercised an option to purchase an additional 1 million common units at $16.50 per unit.
Trafigura Appoints Holtum to CEO, Weir Appointed Chairman
2024-09-24 - Richard Holtum will assume the CEO position on Jan. 1, 2025, and current CEO Jeremy Weir will assume his new position as chairman of the board.
Diamondback to Sell $2.2B in Shares Held by Endeavor Stockholders
2024-09-20 - Diamondback Energy, which closed its $26 billion merger with Endeavor Energy Resources on Sept. 13, said the gross proceeds from the share’s sale will be approximately $2.2 billion.
Comments
Add new comment
This conversation is moderated according to Hart Energy community rules. Please read the rules before joining the discussion. If you’re experiencing any technical problems, please contact our customer care team.