Shielding Midstream: Towards a New Paradigm for O&G operators
Without a doubt, oil and gas infrastructure is critical. The midstream infrastructure in particular is vital, as it functions as a bridge between upstream exploration and drilling activities and the distribution and sale of downstream petroleum products. In between, the midstream infrastructure not only transports oil and gas but also enables communication between the two and supports their functions.
In North America, midstream is, in fact, a key enabler of most of the oil and gas market. For example, in Canada, 97% of oil and petroleum products are transported through pipelines. Similarly, about 2.7 million miles of pipelines transfer oil and other petroleum products to different locations daily in the US.
As technology makes its way into industry and digitization and automation systems become more relevant to O&G infrastructure, security becomes paramount. The digital revolution strengthens operations by enabling the integration of industrial technologies on unique platforms. However, digital assets are still exposed, as networks and controls extend far beyond the infrastructure itself.
Cybersecurity experts call this the 'attack surface.' Underlying this vulnerability are digital systems companies, or third parties, that require access to their partners' networks to monitor machinery and diagnose performance.
This is how cyber threats can affect a system: by infecting your digital structure, or by hitting third parties and hacking your remote access. Many of these threats come from criminal companies or so-called hacktivists with specific political agendas. Furthermore, hackers and their tools are becoming increasingly sophisticated: they diversify their methods and exploit any cybersecurity breach, technical vulnerability, or human error.
Unfortunately, the growing trend of digitization in the oil and gas industry has outpaced the deployment of robust and resilient cybersecurity safeguards.
To provide a quick example on this topic, in 2019, hackers attacked Petróleos Mexicanos, the Mexican state oil company. They forced it to shut down numerous computers and systems across the country and demanded a payment of $5 million in bitcoin to free the affected systems. The company refused, quarantined its systems, and cleaned them up.
Although not disastrous, the attack was disturbing and demonstrated the ability of hackers to penetrate the cybersecurity systems of large oil companies.
Also, not too long ago, in May, America's largest midstream asset was attacked. The Colonial Pipeline, a system of two 8,850-kilometer pipes that transport about 3 million barrels of fuel a day between Texas and New York, was the victim. The attack triggered a severe energy crisis and resulted in gasoline shortages and gasoline prices around $3 a gallon. According to a Bloomberg report, the hackers used a compromised VPN password on an account that did not require multifactor authentication, which allowed them to access the Colonial network. It is unclear whether the hackers discovered the username or could figure it out independently; however, the password was found among a batch of passwords leaked on the dark web. The breach occurred on April 29, according to cybersecurity company Mandiant, and was discovered on May 7 by an employee who saw the ransom note. Soon after, the company reported the breach and took the pipeline out of operation to prevent the attack from spreading to other critical systems. Despite the advice of US officials, the company paid the ransom request, about $5 million. However, nearly half of the fuel that commonly enters the eastern US states was affected or virtually disappeared for a few days.
Shortly after, Scott Jones, director of the Canadian Center for Cyber Security, spoke about the urgency for Canada to take cybersecurity measures and published a report on the landscape of potential threats to the country. The report noted that three Ontario hospitals and a Canadian diagnostic company fell victim to ransomware attacks in late 2019, as well as a medical company in Saskatchewan in early 2020.
Additionally, according to a report by The Conversation, Canada lags behind in that it does not accept reports of third-party cybersecurity vulnerabilities. Canada has not experienced an attack like the one on the Colonial Pipeline. Still, many Canadians remember the Equifax breach in 2017, when around 19,000 citizens were affected by an attack on an online customer portal.
This is why cybersecurity has become increasingly relevant, especially in O&G infrastructure. If breached anywhere in the value stream, an attack can severely disrupt operations, causing substantial cost spikes.
Another concern is that many breaches go undetected as they occur, leaving intruders and criminals with more time to carry out their crimes and explore more vulnerabilities. In fact, according to the Ponemon Institute, the average time it takes for US companies to detect and contain a data breach is about 245 days, with a relative cost of $8.2 million.
As a result of all this, and especially after the Colonial Pipeline hack, the United States government, through the Department of Homeland Security, issued a new agenda for the owners and operators of critical pipelines that transport dangerous liquids and natural gas, urging them to adopt "new and urgent protections against cyber intruders."
Those protections include immediately reporting any cybersecurity incident to the Cybersecurity and Infrastructure Security Agency (CISA); appointing a cybersecurity coordinator who is available to the Agency at all times; and conducting internal security assessments and reporting the results no later than May 28, 2022.
Some of the incidents that owners and operators must report are 1) unauthorized access to information systems or operational technology, including non-malicious policy violations such as the use of shared credentials by employees; 2) discovery of malicious software in an information or operational technology system; 3) activity that results in a denial of service to any information system or operating technology; 4) a physical attack against the network infrastructure, and 5) "any other cybersecurity incident that results in an operational disruption."
These measures, among others required by the new plan, are intended to create a cybersecurity standard for companies and a culture of cybersecurity.
Additionally, Congress is currently considering several laws that would make significant changes to the current landscape of energy cybersecurity, including measures to coordinate pipeline safety regulation among the various agencies that presently exercise authority over pipeline operations.
All of the above are urgent and much-needed regulations for large companies and operators of "critical pipeline assets." But what about the smaller midstream companies? Are they as vulnerable as their counterparts? Well, the Jones Walker Midstream Oil and Gas Cybersecurity Survey, conducted in October 2020, found that smaller companies are particularly vulnerable to cyberattacks, as they often do not have adequate breach response plans or robust cybersecurity systems.
Consequently, some of the critical points that a smaller midstream corporation needs to attend to are:
• Avoiding overconfidence: the survey showed that most respondents believe that both the midstream sector and their own companies are prepared for a cyber-attack; also, more than one in 10 suffered a successful breach.
• Knowing where the threats are coming from: survey respondents pointed to organized criminal groups as the top threat actors and their own employees' negligence as a source of significant concern.
• Partnering as a defense strategy: many companies work in isolation and do not take advantage of opportunities and cost efficiencies offered through industry collaboration and public-private partnerships.
Along the same lines, Siemens published a white paper in which it extracted some valuable advice for companies to start addressing their cybersecurity weaknesses. The company highlights that cybersecurity is often seen as a lower-level structural concern. Consequently, a "blind spot" is created, an area where the eyes of operators or stakeholders do not look at all.
Breaking that blind spot would be the first step in creating a culture of cybersecurity, a new paradigm in which companies operate more securely. The company offers some tips:
• Recognize potential breaches; educate employees on the importance of authentications and credentials.
• Assess and plan: an assessment of the cybersecurity status of the corporation or any particular O&G asset must be inventoried; potential threats should be documented and researched. Compile a risk-ranked list of all threats and plan on how to address them.
• Detect and respond: once the breaches are on the list, react to them and take corporate actions to crush them; work on timely and relevant response, designing roles and groups to address a potential threat or even an attack.
Finally, with these tools, midstream operators can harden their assets and corporations against cyber threats; a regular practice for the future would be software patch management and malware protection. In the event of an attack, a post-disaster recovery data system could restore corrupt or lost information.
However, many of these tools require education, a learning curve, and strong leadership. That's why right now is the perfect time to get started on closing that blind spot. Cyber threats are only growing in sophistication, frequency, and severity. Therefore, to achieve genuinely shielded midstream operators, all parties, stakeholders and employees alike, must participate and get involved.