In 2020, the BP announcement that it would ramp down oil and gas production over the next ten years previews a big shift in the way companies—and markets—think about what makes a healthy energy company. BP’s step is a bold one for a major oil and gas company, but it is not alone. Numerous rebrands around the globe drop the word “oil,” as boards navigate market pressures from new technologies and changing consumer preferences.
The way companies handle the rapid transformation caused by digitalization across their value chains—and their resilience and security against cyberattacks—will become a major market differentiator. As the oil and gas industry increasingly relies on digitally connected energy assets, automation, and remote operations, cyber risks will have a direct, and growing, impact on operations. While past cyber defenses focused on protecting information technology (IT), digitalization of operating technologies (OT) requires a different approach, reflecting the interplay of digital and real-world components in industrial processes.
Cybersecurity is quickly becoming a key enabler of companies’ competitive advantage in the digitized energy future, protecting core value by ensuring trust and providing stability of operations and resilience against unplanned outages.
The energy sector is increasingly focused on efficiently managing the minute-by-minute and second-by-second flow of energy to a decentralized network of producers and consumers. Whether managing legacy assets or building out entirely new business models, companies are seeking to simultaneously maximize profits and minimize emissions. Every piece of the supply chain is moving toward digital management, especially in extraction operations and pumping stations, generating plants and renewable power, smart devices and distributed generation. That ongoing digital revolution maximizes efficiency for existing assets and prompts companies like BP to reinvent business models as they expand into new markets.
Today, energy sector leaders need to take cyber risks into account when assessing the stability of their lines of business. With digital assets deployed throughout every aspect of operations, companies that fail to maintain strong cybersecurity run the risk that operations will come to a sudden, expensive, and prolonged halt. While a home computer or corporate server hit with a cyberattack can be halted, rebooted, and fixed without lasting damage to the equipment, operating technologies hit with a cyberattack may suffer physical damage, posing safety threats to personnel on site and requiring extensive repairs or replacement before operations can resume. Managing this risk will be an integral part of any future energy business, and a major consideration for investors.
Cybersecurity for OT environments is a rapidly maturing field. Until recently, cybersecurity practices in the energy sector were mostly adapted from information technologies. Shared threat information, rapid patch deployment, and strong firewalls between internal and external networks are an excellent start.
However, IT solutions do not always measure up to the challenges unique to OT. For example, a spike in network traffic can be a strong signal that hackers are exfiltrating IT data from a corporate database. But with OT, defenders cannot count on network traffic to signal mischief. Malicious commands may use the same amount of traffic as normal operations, or even use the same commands with the wrong timing. Detecting OT attacks requires greater context and continuous monitoring. Getting that monitoring and context almost always requires corralling information from a mismatched set of new and retrofitted equipment, all speaking different languages and none engineered originally with cybersecurity as a design feature. This is a technical challenge to execute, and the volume of data produced each minute makes it impossible to solve with manpower.
Oil and gas companies are already seeking and deploying new cybersecurity tools to meet OT challenges. An MIT report, Transforming the energy industry with AI, shows companies increasingly use artificial intelligence solutions (AI) both for everyday operations—such as oil exploration—and for cybersecurity applications like automated monitoring and detection of cyberattacks. Partnerships for AI innovation enable companies to access solutions beyond their in-house budget or expertise and are expected to play a key role in producing scalable, affordable, industry-specific solutions that keep the oil and gas sector ahead of the pace of attacks.
AI tools that automate monitoring and that leverage human analysts offer major benefits to the industry. Machine learning allows algorithms to recognize differences between normal operations and warning signs that an attack may be in the early stages. Smarter alerts and automation free up human analysts to investigate anomalies and assess the likely intent of attacks when they occur. Digital models allow a systems-level analysis of the impacts expected from an attack, and allow operators to select responses that defeat the attack with minimal disruption to operations. Just as importantly, making OT cybersecurity affordable and outsourceable helps prevent small and midsize companies from becoming the weak links in critical infrastructure networks. Shoring up those potential weak links improves reliability of those networks for all.
It is clear that the energy sector is poised for major transformations. BP’s bold example and the new MIT report show companies already reorienting on an interconnected, digitally managed, high-efficiency energy future. For the energy sector to fully deliver on the promise of next-generation technologies, we need to secure that future as we build it.
Leo Simonovich is the Vice President and Global Head, Industrial Cyber and Digital Security at Siemens Energy.
Read more on this topic
Mon, Jan 18, 2021
The inaugural edition of the Global Energy Agenda provides context for the unprecedented year that has passed. It features a survey of thought leaders in the energy sector, as well as a series of essays by the leading figures in energy, to set the energy agenda for 2021.
Global Energy Agenda by
Wed, Oct 14, 2020
The operational and information technologies responsible for running energy systems today were never engineered to be secured in a digital environment, posing a technical challenge tough to solve and difficult for small and mid-sized operators to afford. New developments in artificial intelligence-based solutions can help all energy companies put defenders ahead of attackers, while adapting to the changing energy landscape.
Thu, Jul 9, 2020
Digitally connected oil and gas assets, smart grids, renewables, and intelligent infrastructure promise more efficient, safer, and lower-emissions operations, but truly reimagining the energy sector and fully realizing that promise requires strong cybersecurity. Whether built new, acquired, or retrofitted, future energy assets will rely heavily on digital management and remote access. In these stressful but potentially exhilarating times, the winners will be those who envision more competitive business models based on new technologies.
Subscribe to DirectCurrent
Sign up for the Global Energy Center newsletter to stay up to date on the program’s work.