Digitalization Improves US Shale Operations but Can Compromise Cybersecurity

PITTSBURGH—On one hand, the incorporation of new technologies are helping U.S. shale producers improve operational efficiency in the oil patch.

However, on the other hand, the adoption of these new digital tools and devices are inherently making shale producer operations less safe, according to Sam Miorelli, global head of cybersecurity for industrial applications at Siemens Energy.

“Evolving business models are making digitalization a competitive advantage,” Miorelli told the audience at Hart Energy’s DUG East Conference and Exhibition on June 14. “We get efficiency by bringing in more computers and optimizing processes,” but adding digital tools increases the attack surface exposed to cyberthreats.

These changes, he said, make oil and gas companies the new cyberattack frontier.

“We need to keep malware out of OT because that’s where people can get hurt.”—Sam Miorelli, Global Head, Cybersecurity for Industrial Applications, Siemens Energy

The first step toward protecting energy assets is getting companies to understand that when IT devices —like laptops and printers—are connected to operational technology (OT) devices—such as computers that control and monitor equipment—the safety of operations can be compromised. 

Companies tend to think they are safe because they are not connected to the internet, but Miorelli cautioned, “Even when you think it’s true, it’s not true. It doesn’t matter if a computer is bolted onto machinery, or a laptop is being used to establish equipment set points. When the laptop is plugged into the equipment, it is OT.”

Based on the assumption that separation ensures security, some companies focus their efforts on maintaining an “airgap” between IT and OT to prevent potentially dangerous contact, but this is a mistake, he said. 

“The moat is not enough, and it’s certainly not deep enough,” he said.

Even if an airgap existed, Miorelli said, “maintaining an air gap is devilishly hard.”

The reason is that the lifecycle change documentation process is not oriented to preserving an airgap. 

“It’s thinking about making sure operations knows about changes, making sure there is a proper focus on maintaining safety standards and ensuring certification is not compromised. It’s generally not oriented around making sure we haven’t accidentally made an external vector on our network,” he said.

At the same time that the energy industry is becoming a target, the type of hackers attacking is changing. 

“It’s not just the guy in the basement. It’s organized crime. It’s organized terrorist groups. It’s nation states, and hacktivists,” Miorelli said.

He pointed to several recent incidents as examples, including the 2021 ransomware attack on the Colonial Pipeline, which transports an average 100 million gal/day of gasoline, diesel, jet fuel, and heating oil 5,500 miles from Houston to the Port of New York and New Jersey on the U.S. East Coast. 

The hackers, a criminal group called DarkSide, gained entry to the system when a former employee reused Gmail credentials for a corporate VPN account. 

The April 29 attack was not reported until May 7, and in the interim, 100 gigabytes of data were stolen. The pipeline was shut down until the hackers were paid a ransom of nearly $5 million.

The Colonial Pipeline attack was disruptive, but the TRITON attack carried out by a Russian government-backed research institution against a Middle East petrochemical facility in 2017 could have been deadly. 

A flaw in the malware caused two shutdowns, indicating something was amiss and prompting the company to call in investigators, who identified the cyber breach. Had they not intervened, hackers could have caused the release of toxic hydrogen sulfide gas or an explosion that would have put at risk the lives of workers at the facility as well as the surrounding area.

“We need to keep malware out of OT because that’s where people can get hurt,” Miorelli said. 

For companies that have not yet invested in cybersecurity, there is no time to lose. Fortunately, taking the first step is not cost-prohibitive.

“Investing $50,000-$100,000 in an older site is enough to get a lot done in the context of risk management for oil and gas,” he said.

For areas like the Marcellus that are in development now, cybersecurity is a subject that should be addressed very seriously in the planning stage, Miorelli said. 

“Most of the cyber pieces you want can be installed by equipment providers at relatively low marginal cost while equipment is being manufactured. If it is something you’re thinking about when transitioning from drilling to production, it is usually a lot less expensive,” he said.

Whether a company is already established or just setting up operations, cybersecurity is critically important, Miorelli said. 

“My call is to please start thinking about this,” he said.