upstream operations: cybersecurity and generation y · saudi aramco journal of technology summer...

SUMMER 2017 SAUDI ARAMCO JOURNAL OF TECHNOLOGY

ABSTRACT

The evolving trend toward integrated technologies that con-nects equipment, provides information and assists operations in real-time mode has already had an impact in the oil and gas industry by providing optimized operational solutions. In-formation management is the backbone of upstream technol-ogy operations. The attempt to gain operational efficiency and achieve unmatched records, however, may come at a price. Those connecting systems that control physical operating en-vironments, such as drilling or workover rigs, also mean in-creased exposure.

During well drilling and completion, cybersecurity is criti-cal for securing data to prevent hacking or the loss of software programs. It is important to pay attention to data flow, with the goal of protecting the data as well as the facility, while developing capabilities to deal with intrusions. This is the es-sence of cybersecurity and operational leadership. This arti-cle emphasizes the value gained by investing in cybersecurity for drilling, workover and completion operations. These can be summarized as capital, technology and personnel intensive, considering both remote and extended infrastructures.

As members of Generation Y are increasingly dominating both the workplace and consumer market, it is essential to any cybersecurity strategy to appreciate how this younger genera-tion affects the risks of logical data models and today’s conver-gence of operational technology and information technology.

The most effective strategy for ensuring the cybersecurity of industrial control systems is the iterative process, both because threats are constantly changing and because there is an expe-rience curve for security. This iterative process involves elimi-nating or reducing a hazard, substituting the identified vulnera-bility with a less hazardous material or process condition, and reducing both the potential and the consequences of human error, equipment failure or intentional harm related to cyberat-tacks, such as an advanced persistent threat.

To bolster defenses against cyberattacks, it is important to have layers of protection in the network, to identify and elimi-nate vulnerabilities, and to use more security software. This in-cludes having enough firewalls, both network and host, in place.

The more secure network architectures are those that have greater isolation between components and less interaction be-

tween the system and people.Successful cybersecurity requires careful consideration of the

various business aspects. It is dependent on the integration of four primary components: science and technology; econom-ics and business; government and regulations; and society and behavior. It is essential to emphasize that security is never just about an information technology problem, but is rather a core business issue.

Corporate cultures that have laid out clear responsibilities for employees at different levels have fewer security gaps, since every employee is aware of his or her area of responsibility in terms of risk management. The risk matrix is a useful tool when it comes to assigning responsibilities. It will also boost the company’s defense base against hacks.

Cybersecurity is a collaborative effort, and oil and gas com-panies will be working with specialized third-party security ser-vice providers at some point as they continue on their security journey. Oil and gas companies with successful security are those that reach out across the community to address the like-lihood of risks and to prioritize the exchange of knowledge.

INTRODUCTION

Numerous engineering and research projects have addressed cybersecurity for downstream operations of the oil and gas in-dustry1-3. Other works have discussed remote upstream oper-ation models along with data flow and the information man-agement that have been implemented to digitize the upstream industry, moving it to a new level of automation, efficiency and improved overall performance. The perks of the trans-forming digitization include assurance, cross-organizational collaboration, leveraging of knowledge and skills, and safer operations with minimal human presence on the well site as a result of remote control4, 5. On the other hand, when adding in-telligence, you add sensors, controls and networks. This digital expansion creates vulnerability and more entry points — back doors — to exploit defects and weaknesses. One of the reasons for this proliferation of weaknesses is that no logical system can perfectly describe a physical system because there are too many pieces involved. For instance, it is difficult to represent people’s behavior or to model the interface between human and machine6.

Upstream Operations: Cybersecurity and Generation Y

Mohammed A. Al-Ghazal and Mohammad J. Aljubran

SAUDI ARAMCO JOURNAL OF TECHNOLOGY SUMMER 2017

The value of the data and information that is gathered rep-resents a security risk for upstream operations. In the fields of exploration and drilling, geophysicists, geologists and petro-leum engineers use big data to make valuable predictions that can be acted upon and to test underlying assumptions (via sen-sitivity analysis) to make business critical decisions. Geophysi-cists use large masses of data and rely on faster computing and processing technologies more than ever before to build seismic maps and subsurface images. Similarly, geologists use data to form theories about the downhole structure and how it was formed over millions of years. They survey the area looking for patterns or anomalies that would lead to a potential discovery of additional natural resources.

During development drilling and completion activities, in-formation security is useful in terms of validating data to pre-vent human error and optimize environmental management, such as the prevention of well blowout by using accurate pore pressure data through measurements while drilling. A gap in data may impact the operational performance, Fig. 1. On the other side, quality data availability helps in simulation and in the collaborative optimization that enables compliance with operational excellence targets while mitigating potential chal-lenges, Figs. 2 and 3, respectively.

Identifying, understanding and managing all the parts of such a complex cybersecurity issue requires expertise not tradi-tionally found within the oil and gas industry, such as knowl-

Fig. 1. Gap in pore pressure data that may lead to compound operational problems.

Fig. 2. Side force profile for drag modeling inside the wellbore.





Fig. 3. Torque modeling to ensure successful tool deployment on the bottom.

Physical Security Cybersecurity Extent Physically bounded Boundless Time Speed of a truck Speed of light Detection Physical hints Online hints Experience Well established Evolving

Table 1. Cybersecurity as scaled to physical security

Iterative Order Cybersecurity Complete hazard elimination Eliminate access or any way of interaction Reduction in likelihood or severity of a hazard Reduce interaction and increase isolation

Less hazardous material substitution Substitute a more secure logic application Use of less hazardous process conditions Use less privilege software Reduction in potential or consequences of human error, equipment failures or intentional harm

Validate input data, set equipment requirements and set alarm for analogies

Table 2. The iterative approach order scaled to cybersecurity

Fig. 3. Torque modeling to ensure successful tool deployment on the bottom.


edge of sociology. This article also addresses the impact of Generation Y on the industry as its members tend to appreci-ate more the digitization of facilities.

THE PRESSING THREAT

The oil and gas industry is prone to risks and can be targeted by cybersecurity attackers for three reasons. First, upstream oil and gas represents the world’s largest supply chain, involv-ing numerous subcontractors who supply equipment, fluid and other services to the operating company. Second, an oil and gas company’s enormous assets and extended infrastructures are connected to the functioning of its country’s economy, so-ciety and government. Therefore, any intrusion of these sys-tems will threaten the security of the nation. Every year, about $1 trillion is spent in developing oil and natural gas resources, which accounts for roughly one-third of the total capital in-vestment made around the world. Most of these investments are made to replace aging parts, to launch new developments and to further evolve game-changing technology7. Third, the life of upstream assets and resources lasts for decades with multiple time scales for different facilities.

The third reason for greater risk is because threats and secu-rity defenses are persistently evolving and changing, but a large part of a facility does not. This makes cybersecurity of such long-lived assets very complex, especially because decisions taken will last a long time and cost a lot. Additionally, the ex-tended reach of today’s oil and gas infrastructures into remote operational areas creates vulnerability and security exposures alongside environmental risk. Accidents in such extended facil-ities result in liability increases, revenue loss and loss of safety standing with society and authorities.

While substantial emphasis has been placed on physical se-curity for decades, cybersecurity is still evolving and building an experience curve as threats keep moving. Table 1 compares the nature of cyber threats to that of physical threats.

Cybersecurity attacks on energy companies are also captur-ing news headlines. The root of the problem is that many of the control systems are connected to a company’s business net-work and therefore to the internet. Three prominent themes in

the digital oil field are creating exposure. First is increased con-nectivity, which brings vulnerability (Metcalf’s Law says that the number of possible cross-connections in a network grows as the square of the number of computers increases) and raises the threat in extended facilities. Conversely, the answering in-crease in traditional security systems is not squared, which raises the security threat in extended facilities, a fundamental and common observation. As you add more sensors, the con-nectivity raises rapidly (squared) because these instrumentations depend on connectivity to function. Second, the adoption of commercial information platforms, e.g., Windows software, carries risk. Third, social engineering, defined as using a sys-tem’s weakness and cracks to phish for sensitive information, targets the larger population of computer-using employees.

The revolution in advanced, persistent threat, logic malwares that target industrial control systems, showing attack capabili-ties that could penetrate the system in spite of defenses, is mak-ing operators look at security through a layer of systems, think-ing in terms of cybersecurity strategies and defense patterns.

Experience has shown that an iterative security strategy is effective in the detection, mitigation and prevention of cyber threats because those threats are constantly changing. The it-erative strategy, as defined by the Center for Chemical Process Safety (AlChE), strives to bring about more secure operations by first eliminating a hazard completely, then reducing the likelihood or severity of a hazard by means of equipment, op-eration or process redesign, and finally substituting a less haz-ardous material or using a less hazardous process to reduce the potential or consequences of human error, equipment fail-ure or intentional harm. Also, the iterative approach accounts for the entire life cycle of a system, including all the associ-ated hazards and risks as well as economic feasibility. Table 2

Physical Security Cybersecurity

Extent Physically bounded Boundless

Time Speed of a truck Speed of light

Detection Physical hints Online hints

Experience Well established Evolving

Table 1. Cybersecurity as scaled to physical security

Iterative Order Cybersecurity

Complete hazard elimination Eliminate access or any way of interaction

Reduction in likelihood or severity of a hazard Reduce interaction and increase isolation

Less hazardous material substitution Substitute a more secure logic application

Use of less hazardous process conditions Use less privilege software

Reduction in potential or consequences of human error, equipment failures or intentional harm

Validate input data, set equipment requirements and set alarm for analogies

Table 2. The iterative approach order scaled to cybersecurity


shows how the orders of the iterative approach can be scaled to cybersecurity8.

INTEGRATED CYBER AND PHYSICAL PROTECTION SYSTEMS

Cyber and physical security is concerned with the management of unintended events. Due to the complexity of the energy business, it is best to look at the solution through the lenses of a system. This complexity stems from the multiple interacting parts of the energy system, producing behaviors that would not be necessarily expected, including reactions to things im-posed on it from the outside that were not even on the radar screen in the first place. The system approach helps create a more accurate understanding of the cause and effect pattern, enabling analysts to better predict outcomes and deal with sur-prise. The main components of this security system span sci-ence and technology, economics and business, government and regulations, and society and behavior.

One of the key aspects in understanding security is recog-nizing that the logical system is not a perfect representation of the physical system and knowing where the resulting weak-nesses will show up. Network security consists of activities and policies is designed to safeguard timely access to services, the integrity of data flow and the levels of trust between sys-tems and users. OSIsoft, a company that offers information management and data acquisition support for major industrial infrastructures around the world, has proposed a defense sys-tem with three threat interaction categories: visibility, access and trust (VAT). VAT is a great way to guide the formulation of defensive actions and to neutralize how a threat interacts with assets. In terms of visibility, targets should not be visible and advisories should be highly visible. In the access category,

access should be reduced to the absolute minimum necessary to chieve system deliverables. As far as trust goes, it is desir-able to spread trust among multiple administrators rather than trusting one point of failure in your architecture. All secure de-ployment zone architecture patterns revolve around these three categories. It is critical to select the appropriate deployment ar-chitecture. Wrong architecture causes problems due to poten-tial two-way communication, creating pathways for bad actors to access the system. Figures 4 to 7 illustrate the cybersecurity deployment patterns proposed by OSIsoft for its Plant Infor-mation (PI) System9.

A demilitarized zone (DMZ) network is always recom-mended for secure PI System deployment patterns. The most important function of the DMZ network is to enforce termina-tion of network traffic within the DMZ. The intent is to avoid a single point of failure that results in potential breach of the control system.

All three zone patterns reduce the “visibility of” and “access to” control system targets — from the corporate domain and beyond. There remains a single point of trust in the reliance on the PI System administrator and perhaps the domain admin-istrator. If the DMZ is implemented with physically separate firewalls, trust is reduced if the firewalls are of separate makes and managed by separate teams.

In pattern 1, Fig. 4, business users are not allowed to in-teract with the control system network. Furthermore, the in-terface node initiates a data-only connection to the PI server — no user interaction is supported by interface applications, and no industrial protocols are exposed inside the DMZ. Con-figuration complexity and its attendant vulnerability when us-ing OPC connections and Microsoft’s Distributed Component Objective Model program across the control system firewall is completely avoided in this pattern.

Fig. 4. Deployment pattern 1: DMZ PI9.

Fig. 5. Deployment pattern 2: PI high availability9.



In addition to avoiding a single point of security failure — due to configuration error or actions by a disgruntled admin-istrator — multiple firewalls provide another quick disconnect point. For instance, in pattern 1, service level degradation is greatly reduced when closing connections with the corporate domain.

The security posture can be improved by providing applica-tion servers within the corporate network. For instance, deploy PI Coresight or PI Webparts on the business network to reduce user connections into the DMZ.

In the pattern 2 variation, Fig. 5, access is segregated using PI high availability (HA) collectives. Essentially, you allocate a server for groups of users or for specific kinds of service. For example, the top PI server is the primary server and is only used by administrators. The middle server is the default for the corporate domain. The bottom server is allocated to the pro-

tected control network. Failover priorities can be configured and further enforced by firewall rules — PI firewall, Windows firewall, infrastructure firewall, and so on. HA collectives are not limited to two nodes. Six is common for mission critical transmission and distribution systems. It is possible to place a collective member inside the control network. Collective members’ support membership is different from “untrusted domains.”

In the pattern 2 diagram, placing a collective member in the corporate domain necessitates use of a PI-to-PI interface. Pat-tern 2 is a minimum recommended security posture when the PI interface output functionality is enabled. This pattern fur-ther reduces access to potential targets in the DMZ. There is less trust in any single server.

In the pattern 3 architecture, Fig. 6, data is replicated from an embedded PI server in the control network to a PI server




Fig. 6. Deployment pattern 3: DMZ PI-to-PI9.

Fig. 7. Deployment pattern 3+: Absolute enforcement9.

Fig. 8. The steps of risk management as applied to a simulated cyberattack scenario.

Risk Event Cyberattack



residing in the corporate domain. This approach helps keep potential threats out of the DMZ; there are no open inbound ports.

This pattern is commonly used where the corporate do-main provides a central aggregation point for multiple plants and control networks. Control systems with original equip-ment manufacturer PI Systems can also readily deploy in this configuration.

The PI-to-PI interface offers a flexible and robust data rep-lication service. Conforming security solutions are available partners for industries, subject to high assurance standards. These hardware and software solutions enforce one-way infor-mation flow at the physical media layer.

Visibility is reduced as corporate users see only the corpo-rate data streams. Access is reduced as fewer corporate users need to have access to the DMZ network; and with two in-dependent PI Systems, trust in a single administrator is also reduced.

With a logic architecture identical to that of pattern 3, pat-tern 3+, Fig. 7, removes software and configuration from the data flow enforcement role. Firewalls are replaced by a pair of hardware devices: a transmit-only device and a receive-only device. Similarly, the PI-to-PI interface functionality, including automatic point synchronization, is split into a sending agent and a receiving agent. Data flow enforcement is based on laws of physics: systems in the corporate domain absolutely cannot breach this implementation. This pattern calls for high security assurance.

Note that pattern 3+ does not use general purpose enforce-ment — therefore, many common applications cannot be sup-ported. For instance, a remote desktop is interactive and not viable by design for pattern 3+ support. Replication agents do exist for many other common services, e.g., email, file transfer, and so on. Trust in software and configuration-based vulnera-bility are reduced with this approach; however, trust in people

to not circumvent policies remains. On a final note, no matter how advanced the technology,

individuals and organizational culture — represented in the way that security is communicated — remain as the most cru-cial defense to cyberattacks.

INFORMATION RISK MANAGEMENT

The risk management exercise is a useful tool to understand the problem context, identify risks and causes, assess potential consequences and evaluate treatment strategies that will elimi-nate and reduce hazards; it also suggests how to communicate lessons learned for improvement opportunities. Figure 8 rep-resents the steps of risk management as applied to a general cyberattack scenario. The simulated scenario involves cyberat-tack risks coming from social engineering phishing with web-based delivery that succeeds in corrupting the user’s hard drive and losing all its information, or phishing with web-based de-livery that succeeds in letting hackers into the user’s computer system where they can see all personnel/secured/sensitive ma-terials and use that to harm the user or the company. The risk matrix will close gaps and assign responsibilities that will in-crease the difficulty of a cyber breach, increase detection capa-bility and abate negative consequences.

THE IMPLICATION OF GENERATION Y

Understanding organizational, cultural and behavioral factors in security is critical. This part of the article discusses the influ-ence of belonging to a digital society and how this is changing businesses.

Members of Generation Y — the digital natives, so to speak — value a lifestyle that is centered around technology and connectivity. They tend to bring this attitude to the business workplace, which may heighten cybersecurity risks. Unhooked




Risk Event Cyberattack



from traditional societal structures, members of Generation Y tend to intensify the digital interface in the consumer mar-ket and work environment by connecting and automating sys-tems without the need for human involvement, and these con-nections are growing rapidly (again, see Metcalf’s Law). The problem is that these technology natives often focus on the technology and its functionality, and they tend to overlook the vulnerabilities, which are bound to materialize.

The challenge faced by the energy business comes from forces fueling an entire society that is untethered from the traditional social structure and linked instead by social and smart tech-nologies. The energy industry’s use of geographically connected, extended physical infrastructures and its increasing reliance on these technologies and the displacement of physical activity by digital virtual activity are already reshaping behavior. This will have a significant effect both on the energy usage pattern and on the evolution of the energy system as consumers demand change.

The digital interface is extremely important, especially to the younger generations. Virtual interaction is part of the daily norms for Generation Y. As the younger generations grow in connectivity and virtual communities expand, certain unin-tended consequences and ramifications will impact the business world as a result. Such consequences include universal digi-tization and connectivity, and the emergence of a knowledge sharing economy, both of which open up regions of security cracks that could potentially disrupt the conventional phys-

ical business model. A strain or stress then emerges between the new techniques and the old — and results in disequilib-rium between newly adopted technological systems and the old business system — due to generational behavior change in the workplace.

It is essential to realize that the rate of change is much faster than many individuals and most organizations expect and are able to accomodate. The key is to understand the various groups’ reactions to new technologies so as to anticipate reac-tions and responses with the goal to mitigate divisions where needed.

CONCLUSIONS AND RECOMMENDATIONS

1. Industrial data flow and control logic models are the digital brains that monitor, manage and control the vast interconnected networks of upstream operations.

2. Once an advanced system is infected with a persistent threat, it is hard to remove the bug; even reformatting will not remove it. This further underlines the need for a proactive and iterative approach toward cybersecurity in upstream digital operations.

3. A cyberattack can be discovered by observing off-nominal events or sudden changes in measurements, including pattern deviation. The solution after discovering an attack is to stop its replication.



4. Inevitable flaws in software create vulnerabilities when someone finds that crack in the system. Generally, proprietary software is more secure than commercial software.

5. Company cultures that have clear responsibilities for employees at different levels experience fewer security gaps; every employee is aware of his or her area of responsibility in terms of risk management. The risk matrix is a useful tool when it comes to assigning responsibilities. This will also boost the company’s defense base against hacks.

6. It is also essential to recognize that when making a cybersecurity recommendation, you can’t compute the outcome perfectly because of uncertainty, but you can influence the direction in a way to make the likelihood of future events more positive than it is now.

7. No matter how advanced the technology, individuals and organizational culture — represented in the way that security is communicated — remain the most crucial defense.

ACKNOWLEDGMENTS

The authors would like to thank the management of Saudi Aramco for their support and permission to publish this arti-cle. Also, part of this article is derived from the cybersecurity course offered by the University of Southern California. The authors acknowledge the support of Professor Donald L. Paul.

REFERENCES

1. Al-Issa, A.: “Protecting the Digital Oil Field from Emerging Cyber Threats,” SPE paper 162304, presented at the Abu Dhabi International Petroleum Exhibition and Conference, Abu Dhabi, UAE, November 11-14, 2012.

2. Burda, B., Crompton, J., Sardoff, H.M. and Falconer, J.: “Information Architecture Strategy for the Digital Oil Field,” SPE paper 106687, presented at the Digital Energy Conference and Exhibition, Houston, Texas, April 11-12, 2007.

3. Vijay, A. and Unni, V.S.: “Protection of Petroleum Industry from Hackers by Monitoring and Controlling SCADA System,” SPE paper 149015, presented at the SPE Intelligent Energy International, Utrecht, The Netherlands, March 27-29, 2012.

4. Sawaryn, S.J., Goodwin, S., Deady, A., Critchley, C., et al.: “The Implementation of a Drilling-and-Completions Advanced Collaborative Environment — Taking Advantage of Change,” SPE Economics & Management, Vol. 3, Issue 2, April 2011, pp. 93-101.

5. Florence, F., Chapman, C., Macpherson, J. and Cavanaugh, M.: “Implementation of Drilling Systems Automation — Halifax Workshop Summary: Industry Standards, Business Models and Next Steps,” SPE paper

174779, presented at the SPE Annual Technical Conference and Exhibition, Houston, Texas, September 28-30, 2015.

6. Cavazos, C.J.: “Ensuring Data Security for Drilling Automation and Remote Drilling Operations,” SPE paper 165918, presented at the SPE Asia Pacific Oil and Gas Conference and Exhibition, Jakarta, Indonesia, October 22-24, 2013.

7. U.S. Energy Information Administration: “Annual Energy Outlook 2017 with Projections to 2050,” January 5, 2017, 64 p.

8. Center for Chemical Process Safety, The American Institute of Chemical Engineers: “Final Report: Definition for Inherently Safer Technology in Production, Transportation, Storage, and Use,” July 2010, 54 p.

9. Owen, B.: “Recommended Deployment Patterns,” talk presented at the OSIsoft Users Conference, San Francisco, California, April 16-19, 2013.


BIOGRAPHIES

Mohammed A. Al-Ghazal is a Petro-leum Engineer at Saudi Aramco. He is part of a team that is responsible for gas drilling and workover operations in Saudi Arabia. During Mohammed’s career with Saudi Aramco, he has led and participated in several projects,

including those addressing corrosion and scale mitigation, real-time downhole monitoring, open hole, horizontal mul-tistage technology, aerated mud drilling, pressurized mud cap drilling, integrated cyber and physical security, logical information control modeling, environment friendly fluids, conformance control, temporary chemical plugs, downhole coring and in situ stress plane profiling.

Mohammed has authored and coauthored several Society of Petroleum Engineers (SPE) papers and technical journal articles as well as numerous in-house technical reports. As an active SPE member, Mohammed serves on multiple committees. He also served as a member of the industry and student advisory board in the Petroleum Engineering Department of King Fahd University of Petroleum and Minerals (KFUPM). In recognition of Mohammed’s contributions, he is the recipient of several awards and honors. Recently, Mohammed was selected as the recipient of the 2016 SPE Health, Safety, Security, Environment and Social Responsibility Award.

In 2010, Mohammed received his B.S. degree with honors in Petroleum Engineering from KFUPM, Dhahran, Saudi Arabia. In 2015, he received an M.S. degree with honors in Engineering from the University of Southern California, Los Angeles, CA.

Mohammad J. Aljubran joined Saudi Aramco in mid-2015 as a Petroleum Engineer with the Drilling Technology Team of Saudi Aramco’s Exploration and Petroleum Engineering Center – Advanced Research Center (EXPEC ARC). He published and presented

seven Society of Petroleum Engineers (SPE) technical papers, was granted publication approval for three more papers, and filed four patent applications in the area of drilling and completion within the first two years of his professional career.

Mohammad joined the Offshore Workover Engineering and Operations Department where he planned, designed, and executed re-entry and mechanical operations across major Saudi Arabian offshore fields, such as Safaniyah, Marjan and Zuluf. He is currently assigned to the Engineering team of the critical Khursaniyah Gas Increment project.

Mohammad was a lead member of the University of Oklahoma team that won first place at the 2015 SPE Drillbotics competition in automated rig design and construction.

In 2015, he received his B.S. degree in Petroleum Engineering from the University of Oklahoma, Norman, OK.

upstream operations: cybersecurity and generation y · saudi aramco journal of technology summer...

Documents