Are cyber security risks deterring digitalization?

Nada Ahmed, DNV GL - Oil & Gas

May 1, 2016

With big data also come big risks to security. DNV GL’s Nada Ahmed discusses how security standards can be raised within the oil and gas industry.


New IT infrastructures and technologies have modernized the way in which the industry manages operational assets, allowing operators to connect assets and previously isolated networks to operational technologies and enterprise information technology. Motivated by low oil prices and the need to overhaul costs and efficiencies, the industry is coming to terms with the large amount of data being generated and the unprecedented opportunities within big data and analytics.

However, concern is growing not only about how this data should be effectively used, but also about how critical oil and gas cyber structures should be protected and safeguarded against the increasing scale and severity of cyber-attacks. In addition to protecting data and information as seen from the enterprise IT point of view, it is vital to protect control systems and operational technologies for production and safety purposes. However, the new operational modes expose the industry to new vulnerabilities and threats. There are three key threats: theft of core intellectual property; disruption of a physical plant and other points of capital investment; and compromise of executives’ communications about key business decisions. Direct threats can be a combination of malware and hacker tools or attacks from organized crime, rogue states and/or terrorist groups.

DNV GL’s recent global research on the outlook for the oil and gas industry in 2016 revealed that the industry is cautiously moving forward to embrace the full possibilities of the new digital era. The principal barriers identified by the report include being able to retrieve and access data, and to ensure that the data is reliable and protected by a robust security system. When asked how advanced respondents were in digital adoption across the physical assets and operations, only 20% of senior oil and gas professionals scored themselves highly.

Developing a robust digitalized strategy

The low level of readiness in the industry can be attributed to the complexity of data produced and the lack of IT infrastructure needed to store and analyze large amounts of structured and unstructured information. Most of today’s data is stored in fragmented systems, in various formats, and is not easily accessible to make timely decisions. To unleash the full potential of this data-rich reality, companies will have to aggregate data sets from various databases, standardize formats for easy analysis, and make the data available to the right people for decision-making. It is therefore vital that companies implement a robust strategy to capture, manage and utilize critical data. Domain knowledge and technical competence are crucial to putting data into practical use.

Advancements in industries like retail, logistics and the aviation sectors have shown the potential for efficiency and cost saving from data-centric decision-making. These industries have pioneered a culture that redefines the human and machine interaction. By closely monitoring the data being generated not only by machines but humans themselves, one is better able to link what were once perceived to be random events to particular outcomes, allowing for better and more accurate predictions.

The value demonstrated by these industries, along with the advent of the open source movement, where software is made available for everyone to use or modify, has led to rapid developments in predictive analytics and machine learning technology. The innovation and methodologies developed in other industries can be easily applied to the oil and gas sector to quickly ramp up the IT infrastructure, increase connectivity and remove silos created by operators, equipment and system providers. An initial investment will be required to overcome the challenges posed by the status quo. However, benefits attained in the long run will be significantly greater.

Transforming caution into confidence

Besides the lack of infrastructure, another challenge highlighted in the interviews for a DNV GL white paper ‘Industry Perspective: Digitalization in the Oil & Gas Sector,’ was trust in the data on which the industry is dependent. The interviewees revealed a varying level of faith in the data currently used. When data is fragmented and arriving from multiple locations, it needs to be properly sourced and aligned to a central data quality standard. Such standards are lacking in the industry today and more work needs to be done to ensure that all stakeholders uphold the quality of data being transmitted by their systems. Systematic monitoring of data and frequent data quality checks will be needed to ensure that the quality of information is comparable to the impact of decisions informed by it. ‘Health checks’ to analyze current status can identify vulnerabilities and threats across the entire supply chain. This will allow the assessment and mitigation of risk once found.

Security will also be paramount for rapid adoption of new technology in the oil and gas industry. Field, reservoir and production data is incredibly business sensitive and operators demand uncompromising protection through rigorous security systems. Stringent security standards will be required to minimize security breaches and to enhance the flow of information within projects and with trusted partners. The DNV GL white paper found that although companies are actively managing their information security, just over half (58%) have adopted an ad hoc management strategy, with only 27% setting concrete goals.

Secure, reliable and safe cyber structures

Infrequent major cyber security attacks make the news, but there are many more attacks on a smaller scale that go undetected or unreported, as many organizations do not know when a system has been infiltrated. The first line of attack is often the office environment of the oil and gas company, from where the hacker is able to work their way through the firewalls to the production network and process control and safety systems. For example, hackers may use social engineering attempts on office domains to harvest passwords and find other ways to access production networks. While companies are realizing that information security cannot be ignored, a majority have still not implemented a coherent, strategic management approach, though some investments are being made. Success will depend on leadership and organizational culture that integrates information security in daily routines.

Cyber security vulnerabilities can be addressed through a live risk-based approach using the bow-tie model familiar in dynamic safety barrier management. This allows companies to identify the threats to and vulnerabilities of assets and operations and plan barriers to prevent incidents and mitigate the consequences of cyber risks. This includes procedures to maintain the barrier quality documented in performance standards. DNV GL applies its independent, risk-based approach to designing, implementing, testing, monitoring and maintaining cyber security countermeasures for customers worldwide. The company’s software tool, Synergi Life – Risk Management Module, is used to establish a live asset and risk registry. This tool allows vulnerabilities and threats to be assessed and mitigations to be followed up.

Based on the high concern from the industry on cyber security, a joint industry project is being initiated by DNV GL with the aim to standardize cyber security requirements in the oil and gas industry.

The digital transformation is challenging the traditional business models employed in the oil and gas industry, and will introduce new forms of interaction between stakeholders. It will influence the competitive landscape by redrawing industry boundaries and create space for new disruptive companies that change the business landscape. The vast majority of industry leaders and decision-makers are still trying to grapple with the implications of the new data reality and may be wary of relying too much on data and predictive algorithms. However, players who are quick to embrace the transition will gain a unique competitive advantage as they gain better control of their operations and keep costs down in an increasingly demanding industry.

Nada Ahmed is a senior consultant working with information risk management at DNV GL in Norway. She has six years’ experience in risk management and has recently been working on building the digitalization strategy for the oil and gas business through dialogue and pilot projects.