Cybersecurity in Upstream Oil and Gas Sector
I hope you enjoyed my previous Oil and Gas Cyber Security article. This time, I would like to tell you about the first aspect of the Oil and Gas security landscape in detail.
The Oil and Gas Security consists of IT Security, OT Security, and connections between them. Today’s topic is OT Security. As this area cannot be covered by one article, we will start with the upstream segment. The most critical risks which company will face if somebody gets unauthorized access to Oil and Gas companies’ infrastructure are the following:
- Plant Sabotage/Shutdown
- Equipment damage
- Production Disruption (stop or pause production)
- Utilities Interruption
- Product Quality (poor oil and gas quality)
- Undetected Spills
- Compliance violation (pollution)
- Illegal pipeline taping/
- Safety violation (death or injury)
As for the Upstream, some of the risks such as undetected spills and illegal pipeline taping are not relevant, but others are paramount.
Critical Processes in Oil and Gas
Now let’s look what kinds of processes exist in the upstream segment, what kinds of systems are used there, and what they are responsible for. As you learned from the previous article, there are more than 20 processes within three segments in total. Those processes are managed by more than 100 different types of systems, and there are more than 1000 solutions developed by hundreds of vendors.
Let’s look at the list of the systems and critical upstream processes from Extraction up to Metering.
Risks: Plant Sabotage/Shutdown, Compliance Violation, Equipment damage, Production Disruption, Safety violation
Drilling is physically creating a “borehole” in the ground that will finally become an oil or gas well. This work is usually done by rig contractors and service companies in the Oilfield Services business sector. Drilling process is managed at least by the following systems:
- Drilling control Systems
- Pump control systems (such as Schneider Electric – Realift Rod Pump Control)
- Blow-out prevention systems
- Flare and Vent disposal systems
Risk: Plant Sabotage/Shutdown, Compliance Violation, Equipment damage, Production Disruption, Safety violation
Gathering is responsible for lifting crude oil from the ground and transporting it to separators.
Wellheads are placed on the surface of oil or gas wells leading down to the reservoir. The individual well streams are connected to the main production facilities over a network of gathering pipelines and manifold systems. Wellhead can also be an injection well used to insert water. At least the following systems are involved in the gathering process:
- Well monitoring systems (WMS) estimate the flow rates of gas, oil, and water from every separate well in an oil field. The real-time evaluation is based on the information transmitted from available sensors in the wells and flow lines.
- Net Oil Measurement. Sometimes, Oil measurement starts at this stage just to estimate values. Invensys Foxboro is one of the solutions which can be used for this purpose.
Oil and Gas Separation
Risks: Inappropriate Product Quality, Equipment damage
Undoubtedly, gathered oil isn’t pure. It is rather a mixture of oil, water, and natural gas. Whereas natural gas includes such admixes as other gasses and water vapor. Therefore, this combined substance must be purified before further processing.
To remove the unnecessary substances from oil, the mixture is passed through a heater/treater unit. The remaining oil, gas and water mix goes into a heater/treater unit. Because of its density, the oil is separated from water, while the latter is vaporized through the heating procedure. As a result remaining natural gas rises to the top of the device.
Further oil/water separation is conducted with the help of hydrocyclons. The mixture revolves inside them and oil become separated from water due to high acceleration speed. Water, in its turn, is pushed out of the unit and then removed.
Separators are controlled by many systems like:
- Distributed Control System (DCS) For example, CENTUM CS3000 by Yokogawa
- Emergency Shutdown System (ESD) For example, Emerson DeltaV SIS™ Emergency Shutdown
- Compressor Control System (CCS) For example, Three Triconex TS3000 TMR
- Vibration Monitoring System (VMS) For example, Bently Nevada 3500
- Burner Management System (BMS) For example, Emerson DeltaV SIS (BMS)
Risk: Plant Sabotage/Shutdown, Compliance Violation, Equipment damage, Production Disruption, Safety violation
Raw natural gas is commonly collected from a set of adjacent wells and after the separation stage it is pipelined to a gas processing plant. After further removal of liquid hydrocarbons, the natural gas is carried to the interstate pipeline grid, which brings it to customers.
Natural gas compressors are the heart of natural gas production. Shale gas wells usually work at very high pressures and flow rates at first, but they decline rapidly to a lower level. As the pressure declines, gas compressors must be set up to increase the gas pressure high enough to push it through pipelines.
There are also some “gathering” compressors, located at or near the actual wells that produce gas from deep underground. They pull gas from individual or group of wells and increase the pressure to push it into a gathering pipeline that leads to various types of facilities for further processing.
Large industrial gas compressors have two to six cylinders with internal pistons and check valves. Linked into a pipeline, a compressor draws gas in at a low pressure and brings it out again at a higher pressure to move it through the pipeline system.
The compression process naturally causes the gas to heat up, so cooling is required before it comes to the next stage for further compression or before continuing into the pipeline. This is done with large air-cooled heat exchangers, which work like in cars, also cooling the engine and compressor.
- Oil and Gas Compression System (for example, BAUER Compressors)
- Air Cooled Heat Exchangers (for example, GE)
Compressors used in the oil and gas industry are divided into six groups depending on their function:
- Flash gas compressors
- Gas lift compressors
- Reinjection compressors
- Booster compressors
- Vapor-recovery compressors
- Casinghead compressors
Risks: Plant Sabotage/Shutdown, Utilities Interruption, Compliance violation, Safety violation
On an installation where the water cut is high, there will be a huge amount of water produced. This water should be cleaned before discharge to sea. Some researchers revealed that wastewater injections result in seismicity activity, so today much more attention is attracted to issues surrounding the management of oilfield water used in upstream oil and gas operations.
Risks: Product Quality, Monetary loss
Metering is the most significant process as the quality of final products depends on how proper the metering was conducted. During this stage, involved systems analyze density, viscosity water content, temperature, and pressure. The metering usually includes several runs. Each run employs one meter and several instruments for temperature and pressure correction. Gas metering is less accurate than Oil metering (+-1%). The most important part of metering is fiscal metering.
In overall, there are at least the following metering systems in every Oil and Gas organization:
- Fiscal Metering System
- Liquid Flow Metering
- Gas Flow Metering System
- Wet Gas Metering System
- Potential attack vectors
Enough theory, let’s try to find potential vectors allowing cyber criminals to attack ICS systems of an Oil and Gas company. Our examples will be Burner Management System and Fiscal Metering Systems.
Burner Management System (BMS)
In the oil and natural gas industry, various facilities (e.g. line heaters, dehydrators, separators, amine reboilers, tanks, etc.) are used to accomplish production and transportation. Some of them require heat to enable the appropriate function of the application. To provide the required heat, a burner is used within the application.
Burner Management Systems make Oil & Gas companies safer, more efficient, and more compliant.
Without a BMS, companies may face the following difficulties:
- A worker must discover and reignite the extinguished burner manually (often with a fuel-soaked rag that’s tied to a stick). This process takes time and can pose a danger to the worker.
- Lack of electronic temperature control results in the situation when the application burns continuously, often without any need, until the flame fades away.
- No safety shutdown. With BMS certain application inputs (e.g. high/low pressure, level, etc.) indicate a potential problem.
Most of the major ICS vendors provide BMS solutions.
Examples of BMS systems:
Invensys BMS, Emerson DeltaV SIS, Siemens BMS, Honeywell BMS
What if somebody can get access to BMS? What can they do? Is it possible to perform any physical attack like those that were described at the BlackHat conference?
The fire triangle consists of three components. When one of them is missing, the reaction cannot be sustained. Control of the air/fuel ration is one of the crucial functions of combustion/burner systems. It is intended to ensure that sufficient excess air is maintained. If fuel lacks, the system is safe, but if oxygen or heat for ignition is missing, the conditions may be dangerous. To minimize the explosion risk, one must ensure that flammable mixtures do not accumulate anywhere within the plant.
If an attacker wants to stop operations (perform a sabotage attack) by destructing burning process, they need to control any of the sources of flammable mixtures:
- Oil or gas leaking into the combustion chamber through the burner because of leaking fuel shut off valves.
- Deposits of coal or oil not properly removed from the system.
- The operation of the plant with insufficient combustion air resulting in carbon monoxide and unburnt fuel in the downstream ducting and dust collector.
- Quenching of the flame by cold dust entering the furnace. It can reduce the temperature below the ignition temperature.
- Fuel entering the furnace as a result of repeated unsuccessful ignition attempts. It poses a risk of oil firing, for example, caused by cold oil remaining in pipes during a shutdown, as a typical reason.
- BMS prevents operator errors leading to danger and causes the safe shutdown of the burner in case of other equipment malfunctions. Since BMS system manages all critical processes for burner safety (the safe start-up, operation, and shutdown of the Fired Heater), unauthorized access to BMS can result in a plethora of risks including explosion. The simplest attack on BMS System is to turn off the purge. As mentioned before, cold oil left in pipes during previous shutdowns can burn and damage the equipment.
Custody Transfer (Fiscal Metering)
In the oil and gas industry, Custody Transfer, or fiscal metering, deals with the transactions responsible for physical substance transportation between operators, e.g. the transportation of crude and refined oil between tanks, tankers, and other vessels. In the scope of this process raw and refined oil is measured for a further sale to a potential customer.
Its accuracy is crucially important for all parties involved in bargaining, as payment size depends mostly on the volume of transferred gas and oil. In this regard, even the tiniest measurement errors can result in financial losses.
Here is a case from “Petroleum Africa Magazine”: “Pump Station 2 on the Alaska Pipeline is designed to pump 227 cubic meters of oil per minute. A small error of 0.1% equates to an error of 2,057 barrels of oil a day. At a spot price of $30 a barrel, that 0.1% error would cost about 70k$ a day. Over a year, the 0.1% error would amount to a difference of 25m$.”
The core and executive element of the fiscal metering IT infrastructure is the flow computer. Processing the data obtained from the measuring devices (various types of meters and sensors), it estimates the volume of the transferred oil and gas, in accordance with flow calculation algorithms.
Metering control software
How does that work? First of all, there are Flow meters. These devices (such as KROHNE and Vortex) are very accurate, and it’s quite hard to conduct some physical attacks on those meters. Mostly it’s because very few people have access to the devices. Then, there is a Flow computer, which collects data from all the flow meters and calculates values based on this data and some formulas which are preconfigured.
The most common flow computer is Emerson FloBoss S600 (previously known as Daniel DanPac secure metering computer Daniel S600+).
The FloBoss S600+ Flow Computer is designed specifically to measure hydrocarbon liquid and gas where versatility and accuracy are of the great importance. Its features make it a perfect solution to deal with all the process related to fiscal measurement, custody transfer, batch loading, and meter proving applications.
FloBoss is not the only computer to accomplish such functions. Such devices as KROHNE Summit 8800, ABB TolatFlow, Emerson FloBoss S600, Emerson ROC800, or Schneider Electric Realflo can be implemented in an organization for these aims.
A flow computer seems an attempting target for cyber-attack, but it’s very expensive and hard to find. Even if it’s full of vulnerabilities (as it usually occurs with most of the “closed” solutions), it’s quite hard for cyber criminals to discover those vulnerabilities and to get access to this computer.
After a flow computer carried out all the required calculations, this data is collected by Fiscal Metering systems. Data aggregation and management systems provide the complete information enabling one to gain and maintain control over all aspects of the measurement processes. On the basis of this data, all the key decisions are made at all levels, from QMI engineering to top management. And here comes the most interesting part. The final information about quantity and price of oil and gas is gathered from many Flow computers into one management system. Examples of those systems are FlawCall Enterprise, KROHNE SynEnergy, and Honeywell’s Experion® Process Knowledge System (PKS), MeterSuite. Such systems have direct connections with ERP and other enterprise systems. It means that, first of all, the final data about volume and value of commodities that is used in mutual settlements is transferred directly to those control systems. The combination of this fact and that these systems are located in one network with ERP and other business applications makes it an easy target for cyber-attacks.
I hope today you have learned a lot about the oil and gas industry. Though sometimes this information does not have a certain relation to the cybersecurity, the knowledge of systems and business processes is essential to understand what threats exist for these industries and how to defend against them. In the future articles of the series, I’ll describe risks for Midstream and Downstream companies in terms of OT and then we will move to business applications security.