As U.S. oil and gas operations and electric power systems increasingly turn to digital, cloud-based solutions to help operate their oilfields and generation plants, executives are becoming increasingly concerned about the need for cybersecurity to harden their defenses against hackers and bad actors seeking to damage or even shut down those systems.
A rash of recent cyber security breaches highlights the vulnerability of even the country’s most critical systems to cyber mischief. In the SolarWinds scandal uncovered last year, officials uncovered cyberattacks that had taken place against numerous U.S. government agencies and thousands of public and private-sector entities around the world.
More recently, in February the operator of a water-treatment plant in west-central Florida uncovered a potentially dangerous intrusion that had occurred on the plant’s computer system. The hacker or hackers set the levels of sodium hydroxide, a potentially dangerous chemical, to increase by more than 100 times the normal levels. The operator returned the chemical levels to their correct proportions and avoided a potential health disaster.
A recent report by MIT Technology Review, prepared in partnership with Siemens Energy finds that the digital transformation that the oil and gas industry is currently undergoing has brought with it both operational benefits as well as cybersecurity vulnerabilities.
Oil and gas companies are “collecting and analyzing data, connecting equipment to the internet of things and tapping cutting-edge technologies to improve planning and increase profits, as well as to detect and mitigate threats,” the report states. “At the same time, the industry’s collective digital transformation is widening the surface for cybercriminals to attack.”
Federal officials also are beginning to recognize the need to bolster the cyber-security defenses of critical infrastructure. In the House’s new $312 billion infrastructure bill, supported by President Biden, about $3.5 billion has been earmarked for improving the cyber-security of the electric grid.
Such hardening of the grid’s defenses against cyber intrusion is desperately needed, according to Tom Siebel, the founder, chairman and CEO of C3.ai, an enterprise software company specializing in providing artificial intelligence (AI) applications to industrial customers. The grid currently is vulnerable to attacks by bad actors operating out of other countries, many with the backing of those countries’ governments, he said.
“They could turn off the power grid from a cell phone in Kiev. We’re completely exposed,” he said.
Shoring up the defenses
Other industry experts agree on the need for energy companies to improve their cyber-security defenses as they begin to rely more heavily on digital technologies such as AI and cloud computing in their operations.
“Industrial cyber has become the new risk frontier and in particular, the energy vertical is the most attacked infrastructure vertical,” said Leo Simonovich, global head of Industrial Cyber and Digital Security at Siemens. “The number of attacks is increasing and the sophistication is increasing.”
He said an attack against a piece of critical infrastructure such as a power plant could lead to a temporary loss of power, total shutdown of operations or worse, a public safety incident. Siemens, he said, works with its customers to shore up their cyber defenses, “using next-generation built-for-purpose technologies powered by AI to stay ahead of attackers.”
Many energy companies are beginning to adopt AI — which mimics human intelligence by analyzing data in order to make decisions — to stay ahead of the cybercriminals and foreign government-backed hackers. Using its ability to analyze large volumes of data very quickly, AI software can detect deviations that could be the work of hackers trying to gain access to a system. The technology can also analyze the methods used in previous cyberattacks, giving systems operators the tools needed to find and thwart the next attack.
“AI is going mainstream and it’s increasingly being used for security” Simonovich said.
Reaching out, creating partnerships
As some energy companies adapt their operations to accommodate the challenges of digital transformation and cyber security, they frequently reach out to AI software providers such as Austin-based Spark Cognition, whose patented machine-learning algorithms protect the company’s clients from the more than 400,000 new variants of malware detected every year.
“Our main advantage is we block day-zero malware, without needing to have updates on your anti-malware,” said Vice President Phillippe Herve.
Other oil and gas players have partnered with companies across a wide range of disciplines to develop their own digital solutions. Royal Dutch Shell for example, has partnered with AI software company C3ai, digital tech giant Microsoft and oilfield services technology firm Baker Hughes to develop a suite of digital products for cybersecurity and other goals.
“The bad actor risk is real,” said Dan Jeavons Shell’s general manager of data science. “Cybersecurity is hugely important to us.”
He said to ensure that its AI technology doesn’t expose the company to potential cyber threats, Shell employs the same level of technical safeguards in its data science operations as it does in its other engineering and scientific disciplines.
“We’re also cautious in how far we go. A lot of our systems are placed in an advisory mode rather than a full-control mode,” he said. “Humans are still making the decisions.”