Although bosses from technical adviser DNV GL said the likelihood of such dangerous cyber-attacks is low, they said ransomware incidents already have a significant impact on operators and are likely to become much more prevalent. The experts made the comments to Professional Engineering after unveiling a set of cyber-security recommendations for the oil and gas (O&G) industry at SPE Offshore Europe conference in Aberdeen.
Almost 68% of O&G companies were hit by at least one “significant” cyber-incident in 2016, according to figures from the Ponemon Institute LLC. Many attacks are also thought to be undetected or not publicised by operators, for fear of copy-cat hacks or loss of face.
The risk is growing as companies embrace the advantages offered by digitisation, DNV GL said. Automated, unmanned, integrated and remote operations are potentially vulnerable to hackers at several points in the chain. “Digitisation is very much about pain and gain,” said DNV GL security head Petter Myrvang. “Cyber-security is one pain.”
The technical adviser set out recommendations in a 52-page recommended practice document, including the importance of carrying out initial assessments.
The consequences of a fire or other similar incident triggered by hackers could be “dramatic,” consultant Pål Kristoffersen told PE, but he stressed the biggest current threat is ransomware.
The industry may have been slow on the cyber-security uptake because on a reluctance to share secrets with competitors, said vice president Graham Bennett.
“We’ve had several examples – anecdotal – of information of ‘unexplained happenings,’ perhaps, in control systems," he told PE. "Until the industry starts to come forward with sharing that data it will be difficult for us to be able to learn and improve in that sense.”
Ageing structures and complexity in the global supply chain also made implementation difficult, DNV GL bosses added.
“They are truly global projects,” said Bennett. “You might have a facility that’s designed in London… the subsea equipment might be designed in Paris, the shipyard might be in Korea… and that typical project involves hundreds of interfaces between different contractors all along the supply chain, and it requires a tremendous amount of diligence to be able to look at that entire supply chain and understand where those risks might occur.”
However, the “globally applicable” recommended practice was developed with partners including Shell, Siemens and Kongsberg Maritime, and DNV GL bosses are optimistic it will be widely adapted.
Our reporter Joseph Flaig is at the SPE Offshore Europe conference in Aberdeen this week. Contact him on email@example.com or follow him on Twitter @Joseph_Flaig.