Smart fields are no longer an option for the oil and gas industry; they’re a must. They are essential for increasing productivity, improving oil recovery, reducing operational costs, reducing health risks, and providing more safety and protection for the environment. These were the points made Monday by Ayman Al-Issa, digital oil field cybersecurity advisor for Abu Dhabi Marine Operation Co. (ADMA-OPCO), at the inaugural Smart Fields Summit in Houston, as he emphasized the need for smart oil fields to also have smart cybersecurity controls.
Al-Issa comes from an automation background, working in control systems before moving into IT aspects and focusing the past seven to eight years on cybersecurity. He has long been a proponent of the need for heightened cybersecurity protection—well before Stuxnet become a household name in automation circles. Six years back, he emphasized the need for cybersecurity in the oil industry, but his colleagues insisted there was no need; oil producers were isolated enough from the network, with firewalls to keep them safe.
The well-known Stuxnet virus hit Iran’s nuclear industry in June 2010, and there have been a long list of hits since then. In November 2011, hackers hit a water treatment plant in Illinois, opening and closing valves to destroy the system. In August 2012, Saudi Aramco suffered a hit to 30,000 workstations—the majority of its systems. A week later, there was a similar attack on Qatari Gas. Hackers have tried to attack pipelines in the U.S. to cause explosions, knowing where to close a valve to increase pressure. And the list goes on…
But Stuxnet was by no means the beginning. In fact, a Siberian pipeline explosion in 1982 that was a third the size of the bomb on Nagasaki turned out to be caused by a virus injected into the (American-made) control systems. “This war did not start up just today,” Al-Issa says. “It started a long time ago.”
Today, such cyberattacks can come in all different forms: increasing pressure in a pipeline, changing field device parameter settings, closing/opening a motorized valve, causing a denial-of-service attack with the integrated control system (ICS), increasing/decreasing motor speeds, and viewing fake HMI readings. They can result in a loss of view, control, operation, production, lives and more, Al-Issa notes.
To counter cyber attacks, companies need to stop what are devastating assumptions, Al-Issa says. People assume that they are not likely targets and they are not interesting to hackers, for example. But Al-Issa disputes this. “If they see a weakness, they attack,” he says. It’s as simple as that.
People also rely on the fact their system is proprietary and that it is completely isolated. Finally, they just don’t feel they can justify the expense and the manpower. But Al-Issa emphasizes just how much more companies will end up paying if they do face an attack.
“Ignorance is a killer,” he says. “When you walk on mines, your first mistake is your last mistake. Security is not an option.”
Al-Issa urges oil companies to consider security upfront. “It will be much easier to secure those systems if we do it at the engineering design phase, rather than later,” he says, adding later, “It will cost you nothing compared to what you would pay if you didn’t consider this at the beginning.”
It’s also important for IT guys to understand control systems well if they want to provide a cybersecurity solution, Al-Issa says. He has seen an IT department develop a solution, implement millions in the fields, only to find out that they don’t work because they stopped many things that they needed for production.
Some IT departments like to throw firewalls between everything. “But firewalls can become a firepass, if something is done wrong,” Al-Issa says.
Ultimately, cybersecurity is about making the smart field smart. To do it properly requires ownership from senior management, a team that includes people from different disciplines, and an understanding of the oil field operational system requirements. Companies need to build the cybersecurity infrastructure first, and then they can design the industrial operations systems with cybersecurity at the core.
“An effective process control security in the industrial oil and gas plants can make the difference between a normal day at work and a disaster,” Al-Issa says. “That’s why we need to consider cybersecurity. Cybersecurity should be at the core of operations.”