[Editor's note: This story originally appeared in the January 2020 edition of E&P. Subscribe to the magazine here.] 

Cybersecurity is no longer a concern for only tech experts in the IT department. It also is top of mind for executives in the boardroom and operators in the oil field—and for good reason. More frequent and sophisticated, high profile cybersecurity attacks on oil and gas operations have put the industry on edge. Not only are breaches disruptive and expensive—costing some companies hundreds of millions of dollars—but incidents like the 2017 Ukraine ransomware attack that affected transportation and logistics company Maersk, among others, remind the industry that an attack in the digital world can have dangerous consequences in the real world.

Without a doubt, companies need comprehensive security as operations become more digital. But this security doesn’t need to come at the expense of business- improvement goals. In fact, quite the opposite. The same digital capabilities that can help a company better compete (e.g., seamless connectivity, production intelligence and remote support) also can help fortify its operations. As companies plan and design their oil and gas cybersecurity strategy, they should capitalize on the aspects of connected operations that have shared security and operational benefits. The following are five key examples of how to unlock cybersecurity synergies.

Dynamic asset inventory
It is hard to mitigate threats if what they might target in operations is unknown. That is why a comprehensive, real time understanding of connected equipment and systems is essential.

Historically, taking an inventory of the equipment requires physically sending someone to all production sites. This process is time-consuming, especially with dispersed and remote operations. It is also limiting, because the data captured only give a snapshot in time of the inventory.

The Industrial Internet of Things is changing this. Now, using software or connected services, the same communications path as the control system can be used to gather asset data.

With a continuous, real-time inventory of the operational equipment, the company can stay on top of risks to its production environments. For example, companies can quickly see if security advisories, firmware updates or new patch releases are relevant to its installed base. Operations also can be better managed. The data can help, for instance, track life-cycle risks and inform a company’s modernization strategy.

Real-time process visibility
It is not enough to know what equipment a company owns. It also needs real-time visibility into how, when and where people are accessing or manipulating it. A threat-detection service can identify normal behavior across an oil and gas network and monitor operations 24/7 for deviations from that baseline.

Operators can then be alerted of any irregularities or potential threats in real time. This visibility can help uncover a threat like an outsider security attack at multiple stages, including:

• When they first gain a foothold on the network,
• When they are moving around the network to do recon on a company’s operations, and
• When they are making changes to assets (systems, equipment, networks) to carry out an attack.

The service also can help detect more common human errors and operational issues that, while lacking nefarious intent, can still disrupt operations. For instance, it could reveal that an original equipment manufacturer remotely accessed and made changes to a controller in the wrong location.

Life-cycle management support
According to the 2019 Global Energy Talent Index report, 40% of oil and gas respondents said a skills crisis has already hit the industry, and nearly 30% said the crisis would take hold in the next five years. To lessen the impact of the skills shortage, more companies are looking to outsource the responsibility of managing their oil and gas production systems.

One major oil and gas producer turned to a diagnostic reliability service from Rockwell Automation to reduce its cybersecurity risks and lower its business costs. As part of the service, the provider continuously scans the process control network of the oil and gas producer to identify, interrogate and monitor control hardware. It captures key data, such as its part number, series version and firmware version, and it tracks status, health and parameter changes.

The service helped the producer comply with a new corporate cybersecurity policy, and it led to operational improvements such as more proactive maintenance that helped them reduce manpower costs in the field and pump more barrels of oil per day.

Disaster recovery
In the event of a security incident, a company needs a plan and policies in place to help it recover as quickly as possible. This will help minimize the impact of security incidents and maximize uptime. A response plan can help a company contain, eradicate and quickly recover from threats against its operations. The plan should include the steps workers need to take to get back to a fully operational state.

Policies are just as crucial. For example, policies should define a method for backing up critical operational assets. Without backups, a company could find itself the victim of ransomware and having to decide if it should pay someone to reengineer its systems or pay the attacker to get them back.

One solution that can be required in a company’s policy is asset management software. It can automatically back up application code and configurations for devices like controllers, drives and operator terminals.

rockwell
The use of software with authentication and authorization is another best practice in that it allows an IT or security team to define who can access it and where it can be accessed. (Source: Rockwell Automation; illustration by solarseven)

Good security fundamentals
There are security best practices known as security fundamentals and sometimes hygiene that every oil and gas company should use to achieve a fundamental level of security.

Some are simple, like changing the default log-ins used in any new network equipment a company purchases. Software with authentication and authorization is another best practice. It allows an IT or security team to define who can access the software, what actions they can take and where they can perform those actions.

Other security fundamentals are more complex. For instance, control and enterprise traffic should not be treated the same on a network. If the network infrastructure that handles both these traffic types goes down, then a company’s entire enterprise is no longer functional. That is why a company should use an industrial demilitarized zone to segment control and enterprise traffic.

In addition to securing its operations, these best practices also can have operational benefits. Segmentation, for example, allows companies to connect remote employees and partners with onsite workers to more quickly troubleshoot and resolve downtime issues.

Getting the most from connected operations and securing them can go hand in hand. But before doing anything, a company needs a strategy to identify where it can be more competitive and where its threats lie. Then, it can see where these two areas share common ground.