In the last few years a new threat facing the oil and gas industry has evolved, which if companies and authorities do not take seriously and effect preventive measures, the results can be very serious in material and even loss of life.
I am referring to cyberattacks on facilities that have become more frequent and malicious, which has necessitated equally more sophisticated measures to counter. The oil and gas industry by the nature of the feed and products it handles is always at risk of fires and explosions, and therefore its safety requirements have been tightened time and again.
The simple plants of yesteryears were easy to protect as capacities were small and controls were localised and operators easy to train. But as they grew in capacity and sophistication, the control system became more integrated and a fault in one section may be quickly transmitted to others.
Modern reliance on electronics and computer control and the advent of the internet may have improved safety, productivity, quality control, economy and reduction of risks brought on by human error. However, it brought with it the possibility of cyberattacks, which involves offensive interference with control computers to manipulate the operation of the plant or to cause accidents of serious consequences.
This attack can be done by hackers, individuals or organisations, once they obtain access to the system by installing spyware, viruses and other names known to the professionals of the business. The attacks can be as serious as taking over control of the Supervisory Control and Data Acquisition (SCADA) systems of a plant; create untold accidents by opening or closing the wrong valve; or raising the temperature or pressure beyond the limits of design.
There are many reports that suggest these attacks have increased significantly since 2000. Safdar Akhtar of Honeywell Process Solutions recently said that “Since the 2010 discovery of the Stuxnet worm targeted at industrial programmable logic controllers (PLC), the Middle East has been central to cyber security threats facing industrial enterprises worldwide” and “remains a key target for attackers”.
Energy companies in the UAE, Saudi Arabia, Kuwait, Oman and Qatar were targeted. The attack can be “from enemy states, terrorists, “hacktivists” criminals or insiders” and the risks “are ever changing and ever growing”.
The fear of attack has driven companies to tighten security by adopting sophisticated preventive and countermeasures, but more importantly governments have introduced regulations to strengthen cyber security standards. In our region, Qatar has its National Standards for Security of Critical Industrial Automation and Control Systems.
The UAE’s National Electronic Security Authority also published its standards guided by the experience of other more advanced nations, while Saudi Arabia is developing standards. And all have introduced strong anti-cybercrime laws.
The recent series of fires and explosions in Iran’s oil and gas facilities may have been caused by cyberattacks bringing the Supreme National Cyberspace Council to look into it by special teams of investigators. Although the incidents are separate, their immediate cause is not clearly identified, which intensified the possibility of cyberattack.
A fire on July 6 in the Bouali petrochemical plant with damages estimated to be tens of millions of dollars was followed less than 48 hours later by the explosion of an LPG pipeline at the Marun oilfield where one worker was killed. On July 29, a fire in a Kermanshah petrochemical plant took two days to put out.
Another explosion of a gas pipeline near Ganaveh killed a worker and within hours a fire at the Khomeini petrochemical plant occurred on August 6. The Iranian ministry of oil blamed the incidents on technical errors and refused the idea of cyber sabotage — but the investigation by the Cyberspace Council detected malware in the system, though it did not blame in the incidents to it.
More aggressive attacks
It is difficult to believe that these incidents were simply technical given that an attack in 2012 by a virus forced the ministry to disconnect its main oil terminals from the internet to protect them from damage.
This problem is more likely to stay with the oil and gas and power industries and it is necessary to take counter measures into consideration in the design of plants and their control systems. Cyber-attackers are becoming more aggressive and sophisticated and owners of facilities should be equally so by employing the right people and techniques and upgrading their protective measures on regular basis.
Operators should be trained accordingly and any interference with the computer controlling the plants such as the use of personal USBs or disks should be prevented.
This is not just a company problem but a national problem since it threatens vital infrastructures and governments must always step in through regulations and adoption of the right standards to help counter these criminal acts.
The writer is former head of the Energy Studies Department at the Opec Secretariat in Vienna.