
CYBERSECURITY

An immutable ledger enables multi-party operations

Put settlement disputes to bed and ensure multiparty accountability

By Norman Thorlakson

Figure 1: A layered and decentralized cybersecurity enforcement approach is universally applicable across different assets installed at the edge. Image courtesy: Xage Security

The age of digitalization promises accuracy, speed and safety, but to harness these benefits, it is imperative that oil & gas operations implement comprehensive cybersecurity solutions that are legacy-device compatible, scalable, and capable of enforcing role-based access control (RBAC) policies and multi-party trust.

Oil & gas operations are often spread out geographically and in remote locations, leaving digital assets to the mercy of the elements, and reliant on the accuracy of operators to calibrate devices, update firmware and maintain accurate records of meter readings (particularly during custody transfer). With many processes dependent on manual input — and using a single password across personnel — transparency and accountability can disappear, resulting in financial loss, settlement disputes and even physical danger that can arise from operational malfunctions.

What’s more, the energy industry is a target for cybercriminals who focus on industrial IT/OT disruption, including competitive and rogue nations going after rival states, and organized criminals hoping to extract ransomware payments. A variety of threats, including phishing, malware-infected devices inside the firewall, and even disgruntled employees, can initiate attacks that result in damage and halts in operation. These threats must be met with comprehensive cybersecurity capable of detecting, identifying and blocking such events, to prevent financial, physical, legal, and business impacts.

Risks to operations

Oil & gas organizations employ a unique operational architecture, and one that is as complex as it is interdependent. Characteristically, this architecture is decentralized — by the sheer quantity and location of geographically disparate devices — and diverse, with assets that span different generations, vendors, types, makes, models, and connectivity means (wired, wireless, serial, RF). As operations continue to digitalize, it is common for legacy and next-generation technology to work together — exchanging data across channels, under the same firewall and within adjacent domains. These devices require access from various personnel to calibrate systems, deliver maintenance and record data.

These devices, once isolated but now connected, present vulnerabilities and entry points for malicious actors seeking access to oil & gas operations. In an ecosystem where so many different components (data, applications, devices and people) play a role in day-to-day functionality, control is essential. A security system that allows organizations to log all interactions or changes made by internal personnel, block unauthorized access attempts, and tamperproof devices across an ecosystem creates an invaluable blanket of trust across the entire operation, and between multiple parties in the supply chain.

For example, on a pipeline, commodities are exchanged between supply chain partners that rely on accurate meter reporting. These devices are in near-constant use and left out in the field where they are exposed to harsh conditions — requiring frequent recalibration. As a result, it is not uncommon for personnel to override faulty meters and adjust numbers based on assumptions or historical estimations. When this occurs, however, financial settlements can be thrown into question when records undergo an audit. Unverified recording can result in settlement disputes and inaccurate product volumes.

A second example is the refinery, where inputs like feedstocks, electricity from the local

OIL&GAS ENGINEERING DECEMBER 2019 • 19

