Energy companies must act now to avoid leaving themselves open to potential cyber terrorist attacks, according to a leading Aberdeen-based communications expert.
Gordon Adie, managing director of integrated communications specialist Arrowdawn, has urged companies to take proactive steps following the warning from business advisory firm KPMG that industry cost-cutting measures have left vital computer systems at risk.
The report claimed a cyber-attack could even force the shutdown of a North Sea platform – costing firms millions of pounds per day. The issue was recently highlighted in several media reports.
Gordon, who was part of a technical team that set up data centres for two oil majors, said: “Many of the systems commonly used in the offshore industry are 10 to 20 years old and, until recently, they had been kept separate from the main IT infrastructure of the business; meaning they had not previously been exposed to external access via the internet.
“Typically, these older systems often lack the sophisticated defence mechanisms that you would have on your onshore equipment such as virus and malware protection.
“By integrating these control systems with the company’s main IT infrastructure, businesses of all sizes – not just the oil majors – may have now potentially left themselves open to outside threats.
“The complex systems required to effectively respond to a potential attack on a pipeline call for a distinct skillset with specialist knowledge; rather than a broad approach which may be present in a general IT service delivery role.
“IT personnel are commonly entrusted with ensuring access to company systems – for instance, email and intranet. However, in order to prevent a potentially harmful cyber attack to control networks, a different approach is required whereby rogue incoming traffic is stopped at its source.
“By introducing firewalls or other comprehensive security measures, all connectivity from the internet to these crucial systems can be blocked. External access needs to be categorically restricted, if not prohibited altogether.
“As a result of the drive to integrate systems, most companies in the industry now operate networks which would be familiar to potential hackers. One way to minimise this danger is to implement bespoke systems which are more difficult to exploit.
“One solution previously implemented by Arrowdawn was the replacement of a North Sea oil and gas business’ ageing process control network. We took a system that was extremely vulnerable to potential threats and in its place installed a state-of-the-art resilient firewall solution that protected all of the company’s process control networks from external access and are now monitored 24/7.
“The two-year project, which our team carried out on-site, significantly strengthened the security of the company’s network as demonstrated by the completion of an audit by a third party which reported zero findings.
“Additionally, proper training is also needed to ensure that staff are fully aware of the potential consequences of a cyber-attack and how best to respond.
“While the risk is very tangible for companies operating in the offshore environment, it could also pose risks for other high-level industrial sites onshore. It’s very much a real threat and businesses should have robust strategies in the place to maintain the security of their infrastructure.”