Content of PetroWiki is intended for personal use only and to supplement, not replace, engineering judgment. SPE disclaims any and all liability for your use of such content. More information
Cyber security affects every aspect of modern life, from personal emails to identity information, corporate payrolls, or even national intelligence secrets. Within the oil and gas industry, cybercrime such as data breaches can cause major threats to organizations.
Supervisory Control and Data Acquisitions (SCADA) and Drilling Control Systems (DCS) are two control systems that are critical to the infrastructure of the oil and gas industry. Originally designed to be in physically secured, isolated areas, these systems must now be integrated with IT networks.
This integration, along with the increased use of commercial off the shelf components (COTS), like USB drives and Windows, has decreased the isolation of SCADA and DCS, thus increasing vulnerability to attacks.
Digital oil fields
A Digital Oil Field (DOF) , also called a Smart Field, is an oil field that relies on a control system to operate. With a DOF, industrial automation systems are integrated with each other and with corporate networks and systems. Because the automation systems used within DOFs are similar to IT systems within enterprise networks, even becoming vulnerable to similar cyber threats as enterprise systems.
Cyber security threats
Modern cyber threats that affect DOFs go beyond simple viruses, computer or data damage, and data theft to threats that are capable of changing process plant operations:
- Increasing pipeline pressure
- Changing field device parameters
- Closing/opening motorized valves
- Causing a denial of service (DoS) attack within an control system
- Increasing/decreasing motor speed
- Displaying fake process diagrams and alarms to the operators’ human machine interfaces (HMI)
Because modern automation systems are built on industry standards like Windows, they are exposed to cyber threats like the ones listed above. Unlike cyber attacks in corporate infrastructures, attacks in the oil and gas industry can be hazardous, potentially causing loss of life, view, control, operation, or production; or damage to critical infrastructure and/or environment.
In June 2010, a computer worm called “Stuxnet” was discovered. It was designed to attack industrial programmable logic controllers (PLCs), which allow the automation of electromechanical processes such as those used to control machinery on factory assembly lines, amusement rides, or centrifuges for separating nuclear material. Stuxnet functions by targeting machines using Microsoft Windows and networks, then seeking out Siemens Step software. Reportedly, Stuxnet compromised Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges to tear themselves apart. Stuxnet’s design and architecture are not domain-specific and it could be tailored as a platform for attacking modern SCADA and PLC systems (e.g. in automobile or power plants), the majority of which reside in Europe, Japan, and the United States.
Control system security
Prevention of control system security incidents, such as from viral infections like Stuxnet, is a topic that is being addressed in both the public and the private sector.
The U.S. Department of Homeland Security National Cyber Security Division (NCSD) operates the Control System Security Program (CSSP). The program operates a specialized computer emergency response team called the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), conducts a biannual conference (ICSJWG), provides training, publishes recommended practices, and provides a self-assessment tool. As part of a Department of Homeland Security plan to improve American computer security, in 2008 it and the Idaho National Laboratory (INL) worked with Siemens to identify security holes in the company's widely used Process Control System 7 (PCS 7) and its software Step 7. In July 2008, INL and Siemens publicly announced flaws in the control system at a Chicago conference; Stuxnet exploited these holes in 2009.
Several industry organizations and professional societies have published standards and best practice guidelines providing direction and guidance for control system end-users on how to establish a control system security management program. The basic premise that all of these documents share is that prevention requires a multi-layered approach, often referred to as "defense-in-depth". The layers include policies and procedures, awareness and training, network segmentation, access control measures, physical security measures, system hardening, e.g., patch management, and system monitoring, anti-virus and intrusion prevention system (IPS). The standards and best practices[who?] also all[improper synthesis?] recommend starting with a risk analysis and a control system security assessment.
Protecting systems from cyber threats
Effective monitoring and management of rigsite information are both essential to securing data. Establishing a security framework diminishes risks and the negative impacts a virus causes within rig automation and control systems.
The guidelines presented in ISO/IEC 27001:2005 standard can be applied to cyber security within the oil and gas industry. This standard can be applied in multiple situations, including:
- Use within organizations to formulate security requirements and objectives
- Use within organizations as a way to ensure that security risks are cost-effectively managed
- Use within organizations to ensure compliance with laws and regulations
- Use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met
- Definition of new information security management processes
- Identification and clarification of existing information security management processes
- Use by the management of organizations to determine the status of information security management activities
- Use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives, and standards adopted by an organization
- Use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons
- Implementation of business-enabling information security
- Use by organizations to provide relevant information about information security to customers.
- Lowe, J., Lasky, J., Gilbert, D. 2007. Protecting Industrial Process Control, Automation and SCADA Systems from Cyber Threats. Presented at the SPE Middle East Oil and Gas Show and Conference, Manama, Bahrain, 11-14 March. SPE-105696-MS. http://dx.doi.org/10.2118/105696-MS.
- Al-Issa, A. 2012. Protecting the Digital Oil Field from Emerging Cyber Threats. Presented at the Abu Dhabi International Petroleum Conference and Exhibition, Abu Dhabi, UAE, 11-14 November. SPE-162304-MS. http://dx.doi.org/10.2118/162304-MS.
- Cavazos, C.J. 2013. Ensuring Data Security for Drilling Automation and Remote Drilling Operations. Presented at the SPE Asia Pacific Oil and Gas Conference and Exhibition, Jakarta, Indonesia, 22-24 October. SPE-165918-MS. http://dx.doi.org/10.2118/165918-MS.
- International Organization for Standardization. 2005. ISO/IEC 27001:2005. http://www.iso.org/iso/catalogue_detail?csnumber=42103.
Noteworthy papers in OnePetro
Aarab, N., Houmb, S.H., Hulick, K., et al. 2014. Process for Security and Requirements Development. Presented at the SPE International Conference on Health, Safety, and Environment, Long Beach, California, USA, 17-19 March. SPE-168466-MS. http://dx.doi.org/10.2118/168466-MS.
Al-Sharif, N., Almadi, S. 2014. Intelligent Field Infrastructure Embedded Cyber Security Protection. Presented at the SPE Saudi Arabia Section Technical Symposium and Exhibition, Al-Khobar, Saudi Arabia, 21-24 April. SPE-172198-MS. http://dx.doi.org/10.2118/172198-MS.
Aubuchon, T., Susanto, I., Peterson, B.T. 2006. Oil and Gas Industry Partnership With Government To Improve Cybersecurity. Presented at the International Oil & Gas Conference and Exhibition in China, Beijing, 5-7 December. SPE-104284-MS. http://dx.doi.org/10.2118/104284-MS.
Aytac, U., Mehdizadeh, Y., Watson, V. 2006. Security Management and How To Do It. Presented at the SPE International Health, Safety & Environment Conference, Abu Dhabi, 2-4 April. SPE-98245-MS. http://dx.doi.org/10.2118/98245-MS.
Bowler, J. 2008. Data, Information and Digital Security. Presented at the International Petroleum Technology Conference, Kuala Lumpur, 3-5 December. IPTC-12326-MS. http://dx.doi.org/10.2523/12326-MS.
Cavazos, C. 2014. Data Security Promotes Improved Intelligent Drilling. Presented at the SPE Intelligent Energy Conference & Exhibition, Utrecht, The Netherlands, 1-3 April. SPE-167904-MS. http://dx.doi.org/10.2118/167904-MS.
Dewitt, C.O., Ellis, J. 2013. Control System Cyber Security: Staying Ahead of the Evolving Threats. Presented at OTC Brasil, Rio de Janeiro, 29-31 October. OTC-24393-MS. http://dx.doi.org/10.4043/24393-MS.
Pitzer, D.R., Girdner, A.M. 2014. Addressing and Managing Cyber Security Risks and Exposures in Process Control. Presented at the SPE Intelligent Energy Conference & Exhibition, Utrecht, The Netherlands, 1-3 April. SPE-167912-MS. http://dx.doi.org/10.2118/167912-MS.
Roop, M.R. 2008. An Effective Facility Security Plan. Presented at the ASSE Professional Development Conference and Exhibition, Las Vegas, Nevada, 9-12 June. ASSE-08-630. https://www.onepetro.org/conference-paper/ASSE-08-630.
Smith, A.L. 2014. Oil and Gas E&P Cyber Security: Perfect Storm Threat Review. Presented at the SPE International Conference on Health, Safety, and Environment, Long Beach, California, USA, 17-19 March. SPE-168320-MS. http://dx.doi.org/10.2118/168320-MS.
Woudenberg, Betsy. 2015. Target, Havex, Shamoon, Night Dragon: How Cyber Espionage Impacts the Oil and Gas Industry and How You Can Make a Difference. SPE DETS Webinar. https://webevents.spe.org/products/target-havex-shamoon-night-dragon-how-cyber-espionage-impacts-the-oil-and-gas-industry-and-how-you-can-make-a-difference
American Petroleum Institute. 10th Annual API Cybersecurity Conference & Expo. http://www.api.org/cybersecurity.
CSC. Oil and Gas Cyber Security. http://www.csc.com/oil_and_gas/insights/67618-oil_and_gas_cyber_security.
Infocast. Cyber Security Management for Oil & Gas. http://www.infocastinc.com/events/cybersecurity.
United States Senate Committee on the Judiciary, One Hundred Twelfth Congress. 2011. Cyber Security: Responding to the Threat of Cyber Crime and Terrorism. Hearing. http://www.gpo.gov/fdsys/pkg/CHRG-112shrg71412/pdf/CHRG-112shrg71412.pdf.
United States Department of Homeland security. Cyber Security. http://www.dhs.gov/topic/cybersecurity.
Probst, C.W., Hunker, J., Gollmann, D., et al.2010. Insider Threats in Cyber Security. Boston: Springer Science + Business Media, LLC.
Use this section for links to related pages within PetroWiki, including a link to the original PEH text where appropriate