NPC report addresses cybersecurity risk in oil and gas

While digitization and connectivity technology is responsible for great strides in operational excellence and productivity, the merging of IT networks with operational technology (OT) industrial control system networks has also introduced cyberattacks that are increasing in both frequency and sophistication.

The SMART approach translates to information that is “specific, measurable, actionable, relevant and timely.”

Responding to this cyber crisis, the National Petroleum Council (NPC) has published "Dynamic Delivery: America's evolving oil and natural gas transportation infrastructure." This collaboration among multiple oil and natural gas companies, OT system vendors, U.S. government representatives, and private sector cyber-defense companies and consortiums offers eight significant findings and supporting recommendations to help the industry better respond to cyberattacks.

Al Lindseth, senior vice president of technology, process and risk management for Plains All American Pipeline, was a member of "Dynamic Delivery's" technology advancement and deployment task group.

Lindseth said the group's discussion first oriented around business IT and cyber networks.

"But that's more of a focus on the probability of attack," Lindseth said at the online OpEx Cyber Security in Oil and Gas conference in a panel discussion titled "IT/ OT Convergence in Oil and Gas: The New Cybersecurity Risks."

Lindseth noted attacks on financial institutions' IT networks as an example.

"They're moving trillions of dollars each day across business-to-business networks, across banks and across customer accounts. Their strategies and goals are oriented to their customers' [ability to] manage their own accounts, with all of this happening in a stream-like fashion regardless of what device they're using and where they are," he said. "So they're trying to leverage the internet as much as possible, and that increases the probability and likelihood of attack."

"However, the threat to OT networks is really more a matter of the magnitude," Lindseth explained. "If there's a successful attack on an OT network, it could result in massive economic impact for that company, including environmental, health and safety consequences.

"Ultimately, any program is going to have at its core [the realization] that it's going to be breached. It's only a matter of time. It's when, not if."

The 'SMART' approach

One of the report's key findings addressed the importance of industry companies and government agencies collaborating on reducing cyber risk.

Also a member of "Dynamic Delivery's" technology advancement and deployment task group, Angela Haun, executive director for the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC), said that ONGISAC strives to be a communication hub that allows strategic partners, government agency relationships and all other intelligence sources to centralize and find directional communications that are efficient and effective.

"We serve as an extension to all of our members' security teams, and we take a 'SMART' approach to information sharing, both in the IT and OT world," Haun said.

The SMART approach translates to information that is "specific, measurable, actionable, relevant and timely."

Haun stressed the importance of anonymity in information sharing.

"We can develop trust in relationships, and we can share more fully with others because they are protected from being called out as a victim or having an issue," she said. "That's very important for the ability to share and communicate with each other, so not just the vanilla, easy stuff can be shared, but more sensitive and more specific information can come through and serve the good of the whole, and elevate the security of the entire industry."

The full draft report of "Dynamic Delivery" is available at https://dynamicdelivery.npc.org.