Posted: April 18th, 2023

Cybersecurity of Offshore Oil and Gas Operations

Cybersecurity of Offshore Oil and Gas Operations

1.2. Purpose of the Study
The purpose of this study is to understand the existing security measures of the OS platform and design, and to identify the security requirements from which security measures can be designed to improve the overall security of the system against cyber attacks. It will deliver the solution to the custom-built security model developed at the University of Western Australia (UWA) in order to address the changes and security requirements of implementing an OS platform for process control in the oil and gas industry. With a solid understanding of the security threats, it is possible to design and implement security measures into a DCS system that are capable of defeating known attacks and deterring the hacker from attempting to discover new vulnerabilities. This thesis will act as a guide to understanding the security measures needs to have in place for its DCS system, and will deliver knowledge and understanding of what is required to prevent and defend against cyber attacks.
The security model designed at UWA has chosen to focus on the MODBUS protocol as it is the most widely used and easiest protocol to communicate with various field devices. MODBUS has limited security and can be easily subject to attack, so it is important to understand the vulnerabilities and threats to the MODBUS protocol and attempt to insert security measures to prevent these known attacks. The security model will be based on a case study using an experimental system simulating a MODBUS network DCS system. This thesis intends not to create new security protocols or establish a new level of security for the MODBUS protocol, but to use available security measures to design and implement security measures into a DCS system that are capable of defeating known attacks and deterring the hacker from attempting to discover new vulnerabilities. This thesis will act as a guide to understand what to prevent and defend against cyber attacks.
1.3. Scope and Limitations
Being part of the outlined PETA operations for deployment and infrastructures developed, this study focuses on the operations of oil and gas that has been automated and the change of system that can develop a faster and reliable communications and outcomes. This study will only focus on the change of system that has been implemented by oil and gas company which they increase the risk of the operation reliability and safety. This study will not consider the change of the regulations and policies that has been developed by the company, and any financial risks that has been faced by company after the change of the system. This research can be very beneficial as the company can know what are the elements can cause the system to be vulnerable and what are the prevention that can be done to protect the system.
2. Cyber Threats in Offshore Oil and Gas Operations
Traditionally, oil and gas operators have understood the importance of good security at their onshore facilities. However, offshore and subsea facilities are often seen as less vulnerable due to their remote location. In today’s world, remote no longer guarantees safety from an attack. Modern day pirates are now equipped with the tools to access poorly defended systems and exploit them, be it for monetary gain or as an act of terrorism. A growing workforce of multinational subcontractors who also move between different offshore projects has increased the likelihood of malware being transferred from external portable storage devices to the offshore network. An infected device that has been connected to a control network could have dire consequences for the safety and integrity of the platform or subsea facility.
An attack on any part of the world’s critical national infrastructure is no longer a matter of if, but when. Energy installations are among the most important elements of critical infrastructure. Past incidents have shown a new dimension of threat to oil and gas installations occurring in the cyber domain. As the oil and gas industry continues to extend its reach to new and remote areas to satisfy growing global demand, the development of these upstream sites has become more technologically advanced. Offshore platforms are now considered to be self-contained communities often with permanent residents. This has all been made possible through the exploitation of networked systems, but has subsequently increased the potential for debilitating cyber attacks.
2.1. Overview of Offshore Installations and Platforms
Offshore installations are the focal points of the production process in the offshore oil and gas industry. They are exposed to the most severe environmental conditions and represent a considerable investment. This is where the hydrocarbons are processed and stored prior to tanker loading. Offshore installations consist of subsea wells, where oil is extracted from the earth, and surface facilities that redirect the oil and gas to a fixed or floating production facility. The oil is stored and the gas is processed to remove water and other contaminants before being transported to an onshore location. Fixed production facilities consist of steel jackets, concrete gravity-based structures or sand-anchored caissons. The facilities are chosen based on the environmental conditions and water depths of the location. They all support a deck to provide the working area and living quarters for the onsite personnel. The deck is where the oil and gas processing equipment is located. Floating production facilities are ships that have been modified to provide the process and storage facilities for hydrocarbons. They are securely anchored at the location and can either be turret moored to the seafloor or spread moored using chains on the seabed. Oil and gas is extracted in various locations of the globe, each with its own unique environmental conditions. This, combined with the range of options available for processing the hydrocarbons, leads to a wide variety in the type of offshore installations that are used.
2.2. Unique Cybersecurity Challenges
Another challenge comes from the fact that offshore installations are often in international waters or in locations near or in politically unstable regions. This adds the possibility of politically motivated attacks such as terrorism or hacktivism and presents jurisdictional and regulatory issues from the differences in laws between various operating regions.
The remote nature and harsh physical environment of offshore installations provide a security challenge in that there is a requirement for a high degree of automation and remote monitoring/control of processes. This introduces a reliance on complex control systems, data networks, and the use of commercial off-the-shelf technologies; all of which are more susceptible to cyber threats of the types mentioned in the introduction to this article. As the industry moves towards more autonomous operations and increased use of subsea systems, these trends are likely to continue.
One unique challenge to the security of offshore platforms comes from the transient nature of the workforce and the regular crew changes undertaken offshore. Many of the systems used for monitoring and control of the platform processes are safety critical, and any changes made to these systems have the potential to compromise safety and production. It is important that personnel coming onboard the platform do not bring any malicious software, viruses, or malware with them; detection of these threats at the perimeter is difficult, and an infected USB drive has the potential to cause significant damage.
Apart from the standard cyber threats that face most industries, offshore oil and gas installations and platforms are also susceptible to specific threats that require a unique approach to high-level security. Although the increased connectivity to onshore offices has provided large cost savings and efficiency benefits, it has also provided a conduit for cyber threats to offshore data, systems, and operations.
2.3. Potential Consequences of Cyber Attacks
Production loss is one of the immediate effects of a cyber attack. In 2009, Iran reported that it had been hit with the Stuxnet worm. This malware specifically targets Siemens supervisory control and data acquisition (SCADA) systems that are used to manage and maintain the oil and gas installation. Stuxnet is thought to have set back Iran’s nuclear program by up to 2 years, and post-attack analysis suggests that the worm caused significant damage to a uranium enrichment plant. Though Stuxnet was not an oil and gas-specific attack, this type of worm can cause widespread damage to any installation that uses SCADA systems. Given that gas and oil are finite resources, any reduction in production could have severe economic consequences.
If the blowout preventer in the Gulf of Mexico incident had been hit with malware a year or so earlier (as the type was not disclosed), the device could have been rendered unusable. Blowout preventers use both hardware and software protection systems. If targeted and if malware were to propagate, it could lead to costly and extensive repairs being required to return the device to service. This represents an example of how an immediate software attack can damage high-value hardware, and the knock-on effects can bring repercussions to the offending parties for many years to come.
Cyber attacks can have potentially damaging impacts. They can cause an immediate effect, such as production loss, or they can have more long-term implications, such as environmental damage.
2.4. Case Studies of Past Cybersecurity Incidents
In November 2008 – Affordable Custom Essay Writing Service | Write My Essay from Pro Writers, legal counsel for ACERGY received an e-mail with an attachment that purported to be from the High Court in London but in reality contained a virus. This caused a major security breach on their systems and led to damaging of numerous files. There is suspicion that this was part of the same fraudulent scheme by the Nigerians to gain additional evidence for litigation against ALLIANZ and ACERGY. Although there is no concrete evidence linking the attachment specifically with the Nigeria team, the timing is consistent with an attempt to gain further leverage in litigation. This ACERGY case is significant for organizational liability in maritime law and contracts however it may be used as a starting point for discussions on the effect cyber security breaches can have on these companies.
One major cyber attack on a maritime energy company was the ACERGY and ALLIANZ case. In a 2008 – Affordable Custom Essay Writing Service | Write My Essay from Pro Writers episode of the ACERGY and ALLIANZ case, a group from ITIC (International Transport Intermediaries Club) collected evidence of a team of Nigerians who were attempting to defraud and extort money from various companies and persons including ACERGY and ALLIANZ. After the team received a fraudulent order from an impostor purporting to act on behalf of ALLIANZ to perform survey work in Nigeria, it billed ALLIANZ for the work but was suspicious of the situation and contacted the insurer. This led to an investigation in which the team found the impostor and fraudulently purported to hire the impostor as a consultant with ALLIANZ eventually discovering what has occurred and obtaining evidence of fraud. This Nigerian team then sued ALLIANZ for wrongful dismissal of their supposed consultant and the case escalated to litigation.
Maritime transportation, being the most cost effective way to move large amounts of oil and gas across the world, is playing an increasingly important role in global energy commerce. According to the International Energy Agency, the movement of oil by sea is projected to increase by 15% and the shipment of Liquefied Natural Gas is to rise by 67% over the next 6 years. All this is good news for the shipping industry. But it also makes the industry more susceptible to cyber attacks endangering the safety of crew, the marine environment, and the security of sensitive information.
3. Cybersecurity Measures for Offshore Oil and Gas Operations
– Promote a strong, risk-based security culture among asset owners, operators, and personnel. Specifically, what is the worst that could happen? And what do we need to do to make sure it does not happen?
– Ensure that all information, communication, and control systems are managed within a comprehensive, integrated assurance framework that includes: Cyber security management should be integrated within overall safety and environmental management without the need for new specific regulation.
– Asset, platform, or system operators and service providers, and a Common Criteria/ISO 15408 assurance standard for products.
– Encourage the development and maintenance of secure software and systems life-cycle best practice in the offshore petroleum industry. This standard has been poor in the past, and we must not perpetuate old mistakes with new technology.
– Dynamic risk and impact assessment for threats and vulnerabilities to assets and systems, and prompt notification and action on emerging security issues that may be associated with geopolitical, economic, or technology development events.
– Market security and build security economics into procurement practices for energy and ICT products.
– Emergency preparedness and incident response exercises and simulation for cyber-related scenarios at both national and industry levels, with the necessary participation from public authorities and intelligence agencies.
Cyber security countermeasures can be taken to defend against the cyber threat to offshore oil and gas installations, mobile assets, and control systems. These measures are based on existing good practice and the specific guidance set out earlier in this report. The principal goal of these measures is to minimize the risk of a cyber attack causing a disruptive, costly, or potentially hazardous impact to safety, the environment, or production, as well as ensuring that safety and critical control systems are not compromised. In summary, the measures recommended are to:
3.1. Regulatory Frameworks and Standards
tion 1164, which provides guidelines for cybersecurity management systems in the oil and gas industry. These standards could help companies understand the necessary security measures and encourage them to go beyond the minimum requirements set by regulations. Additionally, international collaboration and sharing of best practices could also contribute to the improvement of cybersecurity in the offshore oil and gas industry. Overall, a combination of regulatory frameworks, industry-specific standards, and international cooperation is needed to ensure effective cybersecurity in this sector.
3.2. Risk Assessment and Management
Risk assessment and management practices are an essential step towards protecting any valuable assets, and in the offshore oil and gas industry, this process is well defined. According to the API, risk assessment is the foundation for managing risk and an essential step to ensuring that operational and cybersecurity risks are managed within the organization’s risk tolerance. Rigzone is a popular source of news and information on the oil and gas industry, and it offers a variety of materials on the subject. For example, a webcast entitled “How to Build a Good Offshore Risk Assessment.” In it, the speaker outlines the differences between an operational risk assessment and a procedural one, as well as the necessity for a quantitative risk analysis to secure top management decision. Because the first is used to identify major accident hazards and reduce risks to lowest practicable levels, and the latter is used to appraise what has been done to prevent the likelihood of specific unwanted events occurring. When the quantitative risk analysis involves calculating the risk as a numerical value of the product of the probability and the consequence of the event happening, and then comparing them to risk criteria to determine if more needs to be done, or if the management of risk is at an acceptable level. These methods seek to provide an understanding of what the most important risk factors are, and how they can be minimized. This is usually done by identifying and evaluating all risks in conjunction with drawing up risk control measures and preparing an Emergency Response and Contingency Plan for major accident requirements. UGIN recommends the utilization of CyberHAZ and CRAM (Cyber Risk Analysis Method) to analyze cyber risk. EMFI provides a list of 7 steps to a cybersecurity risk assessment plan, as well as a free template for the creation of a risk assessment matrix. This is a method for allocating resources for management in a live and easy-to-read document that allows for quick understanding of the levels and types of risk involved.
3.3. Network and Infrastructure Security
The second major component of an effective cybersecurity program is network and infrastructure security. It addresses the security of the networks and computer systems that process, store, and transmit the information that is critical to the operations and the people who execute them. An offshore network consists of the communication links from the platforms to the onshore locations along with the hardware and information systems that they support. The systems range from standard IT systems similar to those used in onshore environments to specialized control systems for operating equipment. The most well-known are SCADA (Supervisory Data Acquisition and Control) systems that are used for operating and monitoring industrial processes. These systems are being heavily targeted in recent years due to the trend of cyber-terrorist attacks and have led to potentially dangerous situations all over the world. In 2010 – Essay Writing Service: Write My Essay by Top-Notch Writer, a breach of the SCADA system on an onshore natural gas compression facility led to a massive explosion causing the loss of 7 lives and $50 million in damages. This event is a clear demonstration of the potential consequences that cyber-attacks can have on oil and gas operations and reinforces the need for security measures to protect them.
3.4. Employee Training and Awareness
Training should be short and sharp and aim to provide the workers with a basic understanding of what cyber security is, what the risks are to the organization, and what they can do to prevent security breaches. The ultimate goal is to make cyber security part of the offshore safety culture. Measures should be put in place to assess the effectiveness of the training and the level of cyber security awareness amongst the workers. An ideal way to do this would be to conduct random simulated phishing attacks on the workers and monitor how they respond. Workers who fail the test should be further educated on what to look out for and what they should do if they are unsure whether an email is a phishing attempt.
As the movement of the workforce is very high in the oil and gas industry, the level of cyber security awareness is generally quite low, especially at the offshore facilities. Office and support staff may have a reasonable level of understanding as they have likely worked in other industries. However, workers on the offshore platforms may have little to no understanding of cyber security or why it is important. This lack of awareness can easily lead to them making mistakes that could compromise the cyber security of the entire organization. Therefore, all employees including contractors should undergo cyber security awareness training. The best and most cost-effective form of training for offshore workers would be an e-learning course that they can complete in their own time prior to going offshore. This should be supplemented with face-to-face training and further e-learning material that these workers can access during their time offshore.
3.5. Incident Response and Recovery
Incident response and recovery is the final crucial component of a cybersecurity program. The goal is to contain any incident before it can wreak havoc with operations and to recover normal operations as quickly as possible.
Various frameworks exist to help in the construction of an incident response plan. The most widely used is the National Institute of Standards and Technology (NIST) 800-61, which helps organizations to build and improve a comprehensive incident response plan. The ISO/IEC 27001 framework is more aligned with a comprehensive security program and less focused solely on incident response, but is useful to organizations that can’t afford the NIST program. Of course, the cost of each program may be irrelevant if the organization is based in a country where a regulator requires use of a specific program.
Incident response plans are more effective if major stakeholders from the organization have been involved in their construction and if possible scenarios have been tested in a tabletop situation. The plan should include the process for incident detection, response, and follow up. It should also document lessons learned from each incident.
4. Future Trends and Emerging Technologies in Offshore Cybersecurity
With the increasing complexity of offshore systems comes the need for more advanced and automated security systems. One method to achieve this is through the use of artificial intelligence (AI) and machine learning (ML) technologies. AI is the simulation of human intelligence processes by machines, especially computer systems. These processes include learning (the acquisition of information and rules for using the information), reasoning (using rules to reach approximate or definite conclusions), and self-correction. AI has the potential to make systems ‘smart’ enough to automatically detect and prevent cyber-attacks. ML is a type of AI that provides computers with the ability to learn without being explicitly programmed. The basic premise of machine learning is to build algorithms that can receive input data and use statistical analysis to predict an output value within an acceptable range. ML could be used to predict cyber-attacks based on patterns and other various indicators within a network. By predicting such attacks, it gives the system an opportunity to take preventative action, thus reducing the need for response and recovery methods of cybersecurity. AI and ML have endless possibilities in the field of cybersecurity, and it is likely to become a major focus for offshore operations in the near future.
4.1. Artificial Intelligence and Machine Learning
In this section, the focus is on the increasing use of artificial intelligence and machine learning in developing more sophisticated cyber-attack and cyber-defense tools and the possible impact this could have on the current standards of offshore cyber security. Machine learning is a type of artificial intelligence that allows software applications to become more accurate at predicting outcomes without being explicitly programmed. The primary focus of machine learning is to enable the computers to learn automatically without human intervention or assistance and adjust actions accordingly. This is already being utilized by cyber security professionals for developing anomaly detection, which could be highly beneficial for intrusion detection systems. These systems work by establishing a ‘baseline’ of normal network or system activity and can rapidly identify any deviations from this baseline. Any activity that strays from the baseline is flagged as an anomaly and may be evidence of a security breach. Current anomaly detection systems are rule or signature-based and can be quite rigid in their effectiveness. Any new threats or attacks that generate anomalies, which do not fit the established rules, can go undetected. An advantage of machine learning is its ability to adapt and define what is an anomaly and what is normal activity, without specific programming. This could greatly improve the effectiveness of anomaly detection as a whole, however as attackers could also utilize these methods to test and deploy new forms of malware offensively, it may lead to a game of cat and mouse to determine whose machine learning algorithms are superior.
4.2. Blockchain Technology
Blockchain has been identified as an important technology likely to have a big impact on future digital industries. Blockchain is essentially a shared digital ledger of transactions that is duplicated and distributed across the entire network of computer systems. This is useful in creating a high-trust cyber environment for transactions and data sharing, with records being permanent and verifiable. Consensus mechanisms ensure that replication of data stays consistent with the sharing party’s intentions, and with no centralized point of control, it is difficult for unauthorized users to manipulate information. This technology is largely associated with the financial sector as it is the basis for Bitcoin and other digital currencies, but it may become increasingly influential in the management of data between various businesses and companies due to its high level of security and decentralized nature. Blockchain has also been targeted as a method for enhancing data security in IoT networks, with a recent article stating that the development of a blockchain-based data protection solution for connected devices will be a major focus for IoT developers in 2018: 2024 – Write My Essay For Me | Essay Writing Service For Your Papers Online. Given the nascent state of this technology and the potential benefits, it is likely that research and development of blockchain solutions to data security will occur in offshore industries in the coming years. A transition to such technology may be difficult, however, and adoption may be slow if cost, risk, and return on investment are not deemed as favorable in comparison to current data security methods. This will be a topic of assessment for oil and gas management considering the potential suitability of blockchain to data security in an environment of increasing data threats and its compatibility with future IoT systems.
4.3. Internet of Things (IoT) Security
The Internet of Things (IoT) can be known as the interconnection of uniquely identifiable embedded computing devices within the existing infrastructure. IoT has found to provide many benefits to the oil and gas industry and has seen significant investment over recent years. These systems can be used to track inventory and environmental conditions and make adjustments to equipment with the goal of increasing production. However, IoT is an extremely high cybersecurity risk. As the systems control many physical elements, a cyber-attack can have a significant impact on health and safety, the environment, and production of the operation. High consequence events can occur, and the attack could go undetected for some time. Attackers only require access to a few devices to compromise an entire IoT system, and traditional IT security measures are often not effective with IoT technology. An example would be a cyber-physical attack in Ukraine in 2015 – Research Paper Writing Help Service, where attackers gained remote access to the SCADA system and opened breakers to cause a large-scale blackout. This highlighted the interdependency of cyber systems and physical elements and is applicable to the future of IoT in oil and gas.
Cybersecurity of offshore oil and gas operations reflects an ever-evolving environment, aiming to be proactive instead of reactive in its response to technological change. There are three waves of technological advancement seen from 1990 to today and tomorrow. We are currently in the third wave, characterized by the information age and increasing use of cyber systems. The use of information technology, control systems, and cyber-physical systems has made significant contributions to the efficiency of drilling and production but has also exposed the industry to new vulnerabilities. Consequently, there are many future trends and emerging technologies to be aware of that are going to further change the industry. This could be from a security standpoint but also technology that could be adapted by attackers to exploit the vulnerabilities.
4.4. Cloud Computing and Data Protection
Software as a Service (SaaS) has become increasingly popular in the industry. For industrial control systems that are maintaining safety-critical operations, it is imperative to run and manage security services that are on par with the systems they are attempting to protect. This could lead to a new level of resource and expertise in cyber security from third-party security vendors when trying to sell their services to energy companies, whose skills in managing and maintaining said resources may be less developed.
The data-centric nature of cyber security is particularly relevant to cloud computing, a flexible and cost-efficient way of delivering computational resources as a service. Often, data in the oil and gas industry is stored in remote locations, and the ability to securely transmit it to a central cloud provider can reduce the cost of ownership of IT systems. While it can often reduce the cost of data management, handing over control of sensitive data to a cloud provider can be a barrier due to the risk of a breach in a third-party data center. A recent study by the Ponemon Institute revealed that nearly half of the IT and data managers surveyed stated that their companies had higher levels of data security when using cloud computing than when using in-house IT. This suggests an increase in confidence in the way data is stored and managed in the cloud. With the use of private and hybrid cloud systems and the right encryption, as discussed above, the risk of data loss can be comparable to that of internal systems.

Order | Check Discount