[Editor’s Note: This piece appeared as a sidebar to PBOG’s feature article entitled “The Digital Oilfield Has Arrived,” which appears in the October 2014 issue as Part 1 of a 2-Parter.]
Asked if companies face a larger risk factor as they increasingly handle larger amounts of data, one source from a global, multi-national oil company said that the volume of data was not the crux of the matter. “There’s less risk there simply because the data’s so large it’s hard to move out from the company. It’s usually the case that the raw data is not as valuable as the interpretive data,” the source said.
So what is the biggest risk factor for oil and gas?
“If you just look at oil and gas itself, there are two big cyber risks that most organizations face. One, there is the ‘industrial control system’ aspect. That is, losing control of an industrial control system to somebody who’s not supposed to have control of it, and causing things such as environmental releases of product—you know, oil spills and such—causing a potential loss of life. As these systems are physical systems, they could explode, for example, or release noxious gases. You could have loss of life. The worst case cyber scenario for the oil and gas industry is an industrial control system hijacking. That’s usually done [only] by cyber-terrorist organizations.”
The second risk area, he noted, is theft of intellectual property that would cause a loss of competitive advantage. Oil and gas companies spend hundreds of millions of dollars researching, doing all of the exploration activities needed to invest in production. Usually it requires multiple partners because production facilities are, sometimes, worth hundreds of millions if not billions of dollars. A large amount of money is needed to build up an asset, so they usually have partners.
You go out to bid a lot. You divest assets. You acquire assets; these are very large dollar transactions. Losing a potential revenue stream. Losing a bid. Losing a potential revenue stream, bid, or offer because someone unauthorized inside of your system is watching what you were doing and came in as a low bidder, will eventually have a long term effect on the company. That’s intellectual property theft or corporate espionage.
“Out of the four main threat actors the companies face, corporate espionage and cyber terrorism are the top two in oil and gas. Cyber terrorism being the most impactful. Corporate espionage being the most likely.
The other two threat actors are your cyber criminals, who tend to go mostly after the financial intuitions, and the hacktavists. Hacktavists generally go after whoever they feel like they need to at any point in time, based on ideology. Those are the four actor sets that pretty much any company faces. What changes from company to company are the relative importance or relevance of each actor set.”