Recently, a compelling report that placed production system software and security firmly in the spotlight appeared in the Scottish media.
North Sea oil and gas companies are merging production system software with their company-wide IT networks to reduce operating costs, according to KPMG Scotland.
The decision to merge production systems and IT networks has left them vulnerable to a cyber attack that could threaten to shut down production, the business advisory giant KPMG said.
Oil & Gas firms lose nearly £400 million annually
The UK government has already estimated that oil and gas firms lose almost £400 million each year through cyber crime and theft of their intellectual property.
George Scott, head of information protection and business resilience for KPMG in Scotland, said that because of the “highly competitive market”, oil firms were under increasing pressure to reduce costs by integrating their industrial control systems – which monitor and manage production and supply – with the rest of their IT systems and wider networks.
He said: “While this improves efficiency and allows real-time data from field operations to be shared with management onshore, this exposes pipelines to cyber attacks they were never designed to resist.”
“While the issue of industrial espionage is not new, developments in pipeline management which have seen traditionally closed systems integrated with wider networks mean oil and gas companies must also address the potential of cyber attacks on their supply.”
Mr Scott added: “With an ever more dispersed workforce relying on mobile devices to share information, it’s important oil and gas businesses are aware of the risks and have a strategy to deal with them, by putting in place procedures to police the way mobile technologies are used.”
Mark Mair of Skibo Technologies backed the call for increased vigilance, saying: “We have already seen campaign groups target oil majors by hacking their data and posting it online.”
“I believe that is just the tip of the iceberg. Many cyber terrorists live for the buzz of infiltrating what is claimed to be an impenetrable ring of security and could attempt to shut down oil production on a North Sea platform simply to show that they can.”
He said companies in the energy sector had become “prime targets” due to the high-value nature of their operations and intellectual property.
“Aberdeen is a region synonymous with the oil and gas industry and therefore the IT networks of businesses in the area are a lucrative proposition to cyber criminals,” said Mair.
“We recently investigated one case where a cyber criminal stole £1.2m from the bank account of an oil company by sending a few carefully crafted e-mails to a new member of staff in the finance department.”
Cause for alarm
Asset Guardian Solutions Ltd (AGSL) works on behalf of many blue-chip organisations that operate in the oil and gas industry, including BP, INPEX, Woodside Energy and Stena Drilling. These global leaders choose Asset Guardian to secure the integrity of their process software and, in turn, the mission-critical processes it controls.
“News of this practice of merging networks is more than cause for concern, it’s truly alarming,” said Sam Mackay, Chief Executive of AGSL. “To protect process control software assets and the overall operation of a facility, it is essential to prevent unauthorised access to process control systems. By linking networks, the security of process critical software is potentially reduced. Companies opting to merge their networks must ask themselves whether opting to maintain a competitive edge in the short term is worth putting themselves at such risk.”