PITTSBURGH—On one hand, the incorporation of new technologies are helping U.S. shale producers improve operational efficiency in the oil patch.
However, on the other hand, the adoption of these new digital tools and devices are inherently making shale producer operations less safe, according to Sam Miorelli, global head of cybersecurity for industrial applications at Siemens Energy.
“Evolving business models are making digitalization a competitive advantage,” Miorelli told the audience at Hart Energy’s DUG East Conference and Exhibition on June 14. “We get efficiency by bringing in more computers and optimizing processes,” but adding digital tools increases the attack surface exposed to cyberthreats.
These changes, he said, make oil and gas companies the new cyberattack frontier.
“We need to keep malware out of OT because that’s where people can get hurt.”—Sam Miorelli, Global Head, Cybersecurity for Industrial Applications, Siemens Energy
The first step toward protecting energy assets is getting companies to understand that when IT devices —like laptops and printers—are connected to operational technology (OT) devices—such as computers that control and monitor equipment—the safety of operations can be compromised.
Companies tend to think they are safe because they are not connected to the internet, but Miorelli cautioned, “Even when you think it’s true, it’s not true. It doesn’t matter if a computer is bolted onto machinery, or a laptop is being used to establish equipment set points. When the laptop is plugged into the equipment, it is OT.”
Based on the assumption that separation ensures security, some companies focus their efforts on maintaining an “airgap” between IT and OT to prevent potentially dangerous contact, but this is a mistake, he said.
“The moat is not enough, and it’s certainly not deep enough,” he said.
Even if an airgap existed, Miorelli said, “maintaining an air gap is devilishly hard.”
The reason is that the lifecycle change documentation process is not oriented to preserving an airgap.
“It’s thinking about making sure operations knows about changes, making sure there is a proper focus on maintaining safety standards and ensuring certification is not compromised. It’s generally not oriented around making sure we haven’t accidentally made an external vector on our network,” he said.
(1) IBM X-Force Index; (2) Arstechnica; (3) Wired; (4) Bloomberg
At the same time that the energy industry is becoming a target, the type of hackers attacking is changing.
“It’s not just the guy in the basement. It’s organized crime. It’s organized terrorist groups. It’s nation states, and hacktivists,” Miorelli said.
He pointed to several recent incidents as examples, including the 2021 ransomware attack on the Colonial Pipeline, which transports an average 100 million gal/day of gasoline, diesel, jet fuel, and heating oil 5,500 miles from Houston to the Port of New York and New Jersey on the U.S. East Coast.
The hackers, a criminal group called DarkSide, gained entry to the system when a former employee reused Gmail credentials for a corporate VPN account.
The April 29 attack was not reported until May 7, and in the interim, 100 gigabytes of data were stolen. The pipeline was shut down until the hackers were paid a ransom of nearly $5 million.
The Colonial Pipeline attack was disruptive, but the TRITON attack carried out by a Russian government-backed research institution against a Middle East petrochemical facility in 2017 could have been deadly.
A flaw in the malware caused two shutdowns, indicating something was amiss and prompting the company to call in investigators, who identified the cyber breach. Had they not intervened, hackers could have caused the release of toxic hydrogen sulfide gas or an explosion that would have put at risk the lives of workers at the facility as well as the surrounding area.
“We need to keep malware out of OT because that’s where people can get hurt,” Miorelli said.
For companies that have not yet invested in cybersecurity, there is no time to lose. Fortunately, taking the first step is not cost-prohibitive.
“Investing $50,000-$100,000 in an older site is enough to get a lot done in the context of risk management for oil and gas,” he said.
For areas like the Marcellus that are in development now, cybersecurity is a subject that should be addressed very seriously in the planning stage, Miorelli said.
“Most of the cyber pieces you want can be installed by equipment providers at relatively low marginal cost while equipment is being manufactured. If it is something you’re thinking about when transitioning from drilling to production, it is usually a lot less expensive,” he said.
Whether a company is already established or just setting up operations, cybersecurity is critically important, Miorelli said.
“My call is to please start thinking about this,” he said.
Recommended Reading
Bob Simpson-led TXO Energy Partners IPO Exceeding Expectations
2023-01-30 - Formerly known as MorningStar Partners LP, TXO Energy is an MLP with operations and assets in the Permian Basin, New Mexico’s San Juan Basin and Colorado led by industry veteran Bob Simpson.
Exxon Mobil’s 5-Year Plan Aims to Double Earnings, Cash Flow
2022-12-08 - Exxon Mobil is also expanding its share program to $50 billion through 2024 from its previous $30 billion goal.
Exxon Sues EU in Move to Block New Windfall Tax on Oil Companies
2022-12-29 - Exxon says the tax deters the company from investing further in European energy.
Chevron, Exxon and Total Keen to Invest in India, Says Minister
2023-01-13 - India is encouraging joint development production of oil and gas assets and investment in its domestic E&P sector, says Hardeep Singh Puri, Ministry of Petroleum and Natural Gas.
E&P Highlights: Jan. 9, 2023
2023-01-09 - Here’s a roundup of the latest E&P headlines from the past week in the upstream oil and gas industry, which include ONGC bringing stranded assets online to its “lucky mascot” and Aker Solutions winning the conversion contract for the Petrojarl Knarr FPSO.