Smart communication has been a primary focus of the inaugural SPE ENGenious Symposium in Aberdeen, and as operators develop assets that rely on intelligent and automated systems, securing the data from those assets will be key to maintaining consistent production. A panel session looked at the role communications standards might play in cybersecurity protocols, as well as the key drivers for the digital oil field.
ABB cybersecurity consultant Ben Dickinson spoke about the benefits of digitization and the main cyber threats to connected systems: ransomware threats that attack a system for financial gain; industrial espionage, such as stealing trade secrets stored within a system; a disruptive attack that has a direct impact on production; and insider damage from current and former employees, whether intentional or accidental.
Dickinson discussed mitigation strategies for each threat, such as patch management and increased training on spotting anomalies, but he also stressed that cybersecurity is a moving target. He said companies must recognize that there is no such thing as having a system that is completely immune from attack.
“You’ll never be 100% secure,” he said. “If you are 99% secure today, tomorrow that vulnerability may come out, someone may find something. So it’s a continual process. You can’t go out to a vendor and say ‘can you make me secure’ and feel comfortable with the technology that’s being used. Cybersecurity is a balance. If you make your system very secure, there’s a chance it will have an effect on production. So, it’s finding that balance and figuring out how much security you’re happy with.”
Dickinson said that increased standardization of communication protocols could allow for a common understanding among stakeholders when crafting security initiatives. Amal Alawdah, a consultant for Siemens, echoed this sentiment, saying that standards facilitate communication, commerce, and manufacturing initiatives.
“We know that in the digital oil field we have different players: suppliers, vendors, operators, regulators, all different players. The need for industrialized standardization is obvious. It facilitates business interaction and sometimes speeds up production of new product to the market,” she said.
Stephen Ashley took this one step further, saying that standards are critical for additional transformation of cybersecurity protocols and that standardization allows for innovation in that area. Ashley, Digital Transformation Solution Center manager at the Oil and Gas Technology Center (OGTC), said standardization can help companies enforce better security by providing a framework for detecting anomalies in a system.
“It’s a good way of having a discussion with asset managers and so on about why we’re having to do this stuff,” Ashley said. “It’s about putting barriers in place, it’s about being able to detect something’s happening, then reacting and recovering from that situation. Drawing that cybersecurity element into the way we work with process safety management, change processes, is very critical to making a well-controlled operation.”
Ashley expects most assets on the UK Continental Shelf (UKCS) to be remotely controlled and highly automated in the future, with people on the assets mostly serving in maintenance roles. The convergence of the intelligent control systems running these “smart” facilities will be driven by the need for integration and the remote monitoring of integrated processes, as well as the drive to automate and deliver closed loop systems. Smart facilities will also be a main driver of increased network complexity, along with the industrial internet of things and workflow automation protocols.
Information security will be a significant challenge for industry as smart facilities become more prevalent, Ashley said. Companies will have to collaborate to make smart facilities a reality, and this will necessitate trust in the quality and accuracy of data they receive from other sources.
“That will be a key part of controlling cyber risk, building a trust economy around data and a data economy around trust, then adding that to the cybersecurity infrastructure,” Ashley said.
Alawdah said that the need for a trust economy underscores the role people play in digitalization efforts.
“Trust is one of the things that requires human judgment,” Alawdah said. “Here is where a human cannot be replaced. This is why people are one pillar of any digitalization endeavor. I think human judgment and the trust of data is important.”