The oil and gas market slump of 2015 brought extra pressure to bear on majors to reduce their breakeven barrel price. The quest for deeper efficiencies included a tidal shift toward digitalisation. According to Gaurav Sharma, vulnerable systems are in urgent need of upgrading and require constant protection at an estimated cost of $40 billion plus per annum. With existential external factors already putting the squeeze on investment, the growing prospect of cyberwars between rival companies is an unwelcome consequence of what was supposed to be a cost saving exercise. Meanwhile, tech giants and consultancies hear the tills ring out…
When it comes to the adoption of advanced digitisation that spreads well beyond back office corridors, the oil and gas sector in many ways lagged behind the other sectors of the economy such as retail, logistics and banking.
However, all of that changed in the summer of 2014 when the oil price decline subsequently morphed into a full-blown market slump in 2015. It triggered a drive, especially by European and US oil majors and selected national oil companies to up their efficiencies and lower their breakeven price said to be lurking around $60 per barrel industry averages at the time.
In came data premised machine learning, artificial intelligence, rig automation and all sorts of gadgetry such as sending drones in place of human beings to inspect refinery masts and pipelines. However, for an industry with a lot of legacy infrastructure, ownership of new digital assets is amplifying its cybersecurity headache, which has always been a pretty significant one to begin with, if you believe industry insiders.
Forget the new digital wave, older deployments – in some cases pretty unsecure – continue to be a source of anxiety. In 2018, investigations suggested key US refineries were still running plant control systems on Microsoft WindowsXP; an operating software the company no longer updates or provides patches for.
Hackers are rubbing their hands with glee
What’s more, Windows 7, which is also in use in many midstream and downstream control systems that haven’t been upgraded, is slated to be junked by Microsoft in January 2020. Hackers cognisant of this are rubbing their hands with glee, according to several on and off record conversation held by Energy Post at Ignite 2019, a recent annual conference in Oslo, Norway organised by oil and gas data and software firm Cognite.
The company’s co-founder and Chief Executive Officer John Markus Lervik noted: “It is not just the Americans. You will find plenty of plant control systems at European hubs still using legacy systems. Most cyber breaches never reach public domain given the critical nature of oil and gas infrastructure.”
However, that does not imply that awareness is lacking or efforts are not being made. Lervik recounted a CEO of a “major oil company” expressing concern and initiating mitigation measures to tackle the issue of legacy, secure data storage and security of assets as early as 2009.
“Every company has its own operational considerations, and as such its own approach and level of comfort when it comes to a wide range of issues ranging from system upgrades to cloud computing and storage.”
No going back
Since digital techniques are improving throughput at plants and production upstream, there is no going back, said Torbjørn F. Folgerø, SVP and Chief digital officer of Equinor.
“The oil and gas industry has to recognise the fact that there are actors out there wanting, ready and willing to cause harm. We need to be on top of our game as a global industry. By the argument, the default operating psyche should be that there is always room for improvement and we have to be a bit paranoid.
“Equinor deploys industry best practices for detection and protection against cyber attacks, but most important are our awareness campaigns for personnel and partners. Don’t forget that many breaches are a result of human errors, from something as simple as the inserting an infected USB stick to usage of unsecured equipment.”
Folgerø said resource maximisation is the industry’s primary objective, and with big data, AI and automation being key enablers in an optimisation drive that was inconceivable as recently as 10 years ago, the cybersecurity challenge is one the industry “has to live with.”
Opportunity for solutions providers
Given that hardware vendors like ABB, Schneider Electric, Emerson and Honeywell, promote that lifestyle peppered with advanced analytics, digital plant control systems and automation, it is manifestly apparent they are the ones leading the cybersecurity charge, eyeing billions in revenue.
In October 2018, Honeywell launched its dedicated cybersecurity consulting outfit. ABB offers its own customer solutions, Schneider and Emerson have dedicated “industry consultants” too. They are not alone; the global consultancies are at it as well. For instance, EY has a dedicated unit to help oil and gas clients “develop an effective cyber breach response plan that encompasses every point of interface, internally and externally.”
A spokesperson said EY’s idea is to ensure “customers’ digitalisation strategy is simultaneously implemented with a robust cybersecurity framework.” The consultancy’s recent global information security survey of 40 oil and gas industry heads found 60% have had a “recent significant cybersecurity incident”.
Six key issues have come to the fore, according to EY. They include the importance of employee awareness; need for board-level attention to threats; reputational risk; need for a skilled cyber workforce to keep pace with evolving threats; rising challenges as a result of Industrial Internet of Things (IIoT); and of course, the financial impact of breaches.
Where vendors and consultants can venture, data custodians and cloud computing enthusiasts can hardly be left behind. Enter the biggest of them all – Google. Darryl Willis, Vice President, Oil, Gas & Energy at Google Cloud, believes third party cloud services providers simply have to be trusted in the age of evolving cyber threats.
Reassuring industry participants at Ignite 2019, Willis said: “For us at Google your keeping data safe is our licence to operate. We obsess about security because our corporate customers are counting on us to do that very, very well.”
As the industry goes for fast, agile and yet secure solutions to optimise efficiencies, cross spectrum partners would be crucial, he added. Add it all together, and you have a mushrooming multibillion oil and gas cybersecurity dollar industry.
Who’s paying the bill?
Big question is what’s the petrodollar spending on it likely to be? Aggregation of figures cited by industry respondents at Ignite put 2018 spending in the region of $40 billion “designated for cybersecurity”.
Most in Oslo opined that the figure would rise by over 10% on annualised basis in 2019 to around $45 billion in 2019; given geopolitical tensions in the Middle East have raised the prospect of an escalation of cyber wars in the MENA region with many economies reliant on the oil and gas revenue.
However, the actual figure could well be higher as a number of oil and gas companies include spending on cybersecurity in their overall IT infrastructure costs. Some even include it in a rather archaic fashion in their administrative costs.
Most industry sources, including global industry consultancies, project cyber protection costs to rise exponentially to 2025, something the oil majors have been bracing for a while. It is worth remembering, the figure of $40-45 billion per year may appear high but the energy industry’s exposure is still small in relative terms to sums currently (and historically) spent globally by sectors such as banking and retail.
The differentiator is that both those sectors can, and do, pass costs indirectly on to consumers in the guise of differentiated products and services. For the energy industry it is all about selling precisely that, whether via pump or plugs, and passing cyber costs on is not so simple. So costs are inevitably coming out of headline profits, and marked against return on investment from digital techniques improving throughput resulting in higher upstream and downstream revenue and lower breakevens.
And during the financial year, cybersecurity spending – where differentiated for accounting purposes – is being included in operating expenditure. What’s unmistakable is that spending is clearly visible on most industry balance sheets, and is only going to get higher.