In the oil and gas sector, the upstream operations that are most vulnerable to high-severity cyberattacks are production processes and development drilling.
In the oil and gas sector, the upstream operations that are most vulnerable to high-severity cyberattacks are production processes and development drilling.

The oil and gas industry's overall cybersecurity posture is lacking, especially as upstream operations within the sector grow increasingly vulnerable to high-severity cyberattacks, a new online report by Deloitte warns.

"Whether hackers use spyware targeting bidding data of fields, malware infecting production control systems, or denial of service that blocks the flow of information through control systems, they are becoming increasingly sophisticated and, specifically alarming, launching coordinated attacks on the industry," the report cautions.

Development and production are the operations with the highest cyber risk profiles, the report notes, with the development drilling process posting the most severe risk due to significant levels of "drilling activity, expansive infrastructure and services both above and below the surface, and a complex ecosystem of engineering firms, equipment and material suppliers, drillers and service firms, partners, and consultants."

According to Deloitte, the complex technological ecosystem involved in drilling increases the overall attack surface and makes it difficult to consistently implement and enforce cybersecurity practices across development and product operations, especially with the introduction of real-time operational centers that can control drilling and access rig data remotely, from afar. Moreover, the potential cost of an attack on drilling systems is highest among all upstream processes in terms of asset losses; business disruptions, regulatory fines; reputation damage; IP theft; and health, environment, and safety incidents.

Other phases of development operations, including field development planning and well completions, carry less cyber risk, the report notes. However, bad actors could still hack into these processes to, for instance, alter the GPS coordinates of rig and optimum well spacing in order to disrupt data integrity and damage a company's profits.

Deloitte assesses that production operations are even more susceptible to attacks than the development phase, but the potential damage from such attacks are estimated to be somewhat less severe.

According to the report, production facilities are vulnerable primarily because of a "legacy asset base, which was not built for cybersecurity but has been retrofitted and patched in bits and pieces over the years, and lack of monitoring tools on existing networks." Moreover, many of the oil and gas sector's production systems are connected to and controlled by enterprise resource planning systems, which increases the attack surface and results in more severe repercussions should hackers breach the systems to steal or manipulate data.

At lower risk are exploration processes such as seismic imaging and geological and geophysical surveying, which feature closed data acquisition systems and a smaller vendor ecosystem with limited players, Deloitte explains. Still, the growing use of IoT devices such as gravity wave sensors will only increase the risk factor. And when exploration data "starts feeding in real time into cross-discipline upstream operations such as drilling plans of nearby fields, completion designs, and reserve estimations, a cyber-attack's impact would multiply, from a potential revenue loss to a significant business disruption," the report warns.

According to Deloitte, the cybersecurity posture of all three phases of oil and gas upstream operations – exploration, development and production/abandonment – is often hurt by a lack of investment and buy-in from C-level executives, a decentralized IT decision-making structure that results in the implementation of disparate systems, and the contradictory priorities of companies' operations and IT technology departments.

The increasing connectivity between multiple business operations, combined with an aging infrastructure and legacy systems that carry long lifecycles, also cause challenges, the report notes.

To help minimize cyber risks as a result of these issues, Deloitte recommends that oil and gas companies develop a holistic risk management program that incorporates all three phases of upstream operations.

A expert with Deloitte declined to answer a question regarding the report. SC Media also contacted the United States Oil & Gas Association for its stance on the report.