Fulcher: Cybersecurity Ranks as Top Long-Term Threat to Statoil

Fulcher: Cybersecurity Ranks as Top Long-Term Threat to Statoil
Cyberattacks pose the biggest long-term threat to Statoil's assets, operations and personnel, a company official tells attendees at the API Cybersecurity Conference 2015.

While terrorist attacks grab headlines, cybersecurity poses the greatest long-term threat to Statoil ASA’s global oil and gas operations.

The 2013 terrorist attack on Statoil, BP plc and Sonatrach’s jointly held facility in El Amenas, Libya, prompted the company to set up an independent investigation to assess the risk of a similar attack occurring in the future. Statoil’s report on the incident, published in September 2013, concluded that the company lacked a security culture, and the security it had in place was not fit-for-purpose for a company with international aspirations.

After completing its assessment, Statoil determined that the great long-term threat to its operations came not from physical attacks, but cybersecurity attacks, Adrian Fulcher, head of security threat assessment at Statoil, told attendees Wednesday at the API Cybersecurity Conference in Houston.

While the company operates in a number of challenging environments worldwide, most of Statoil’s assets are on the Norwegian Continental Shelf, Fulcher said. As a possible consequence, the company has had a fairly easygoing security culture, which also extended to Statoil’s cybersecurity culture.  

“If we were to suffer a major large-scale accident as a result of an attack on our industrial control systems, it is something that would shape and change the future course of the company in a big way,” said Fulcher.

Cybersecurity poses a threat not just in terms of financial and human loss, but a generational challenge, or the issues posed by older legacy assets and newer assets in the design phase.

To address the lack of security culture, Statoil established a security improvement program to address different aspects of security. Through this program, Statoil has sought to address two goals in assessing its cyber and physical threats. One was to help Statoil’s executive committee board understand where they should be focused, instead of “driving through the rear view mirror”. The other goal is to provide insight and understanding to help the company in a range of activities. Rather than spending money on where it looks good, the company can spend money on what’s effective.

To address its physical and cybersecurity issues, the company has adopted the belief that security has to be risk-based and intelligence-led. This idea is not controversial, but at Statoil, the idea was a novel one. The company’s effort to address cyber and physical security has also involved personnel and resources from throughout the company, from human resources professionals and physical security personnel to automation engineers.

Statoil is also shaping and designing its cybersecurity strategy to address the fact that the days of security agencies operating independently of nation-state governments and their agendas are long gone, Fulcher said. Instead, traditional security agencies and nation-state governments are operating seamlessly, with agencies serving government agenda.

The company is also seeking to improve its safety culture through the development of human resources policies and procedures to reflect the serious consequences that clicking on the wrong email link can bring, said Fulcher.

“If you did something time and time again in a plant that constantly put colleagues at risks, there would be sanctions and consequences. It should be the same for cybersecurity issues. Careless and negligence must be stopped.”

Statoil’s relationship with the Norwegian government is allowing it access to intelligence information that can aid in addressing security issues. However, when Fulcher looks at the future, two challenges stand out to him in terms of preventing and mitigating cybersecurity attacks. This includes a lack of common standards by which suppliers and vendors can be held to provide reassurance against cyberthreats.

“We have a policy of implementing security into the design of physical assets from the ground up,” said Fulcher.

Similar standards are needed for equipment and products provided by suppliers and vendors.

Another challenge is the fact that nation-states are increasingly using cyberattacks instead of physical means to hurt another nation-state’s economic well-being. In the past, Statoil could rely on special military forces provided by the Norwegian government if its assets were physically threatened. But the move towards cyberattacks has shifted the burden to protecting assets onto companies. Fulcher sees the need for agreements to be established on what responsibilities a company has for protecting its assets, and what kind of protection it can expect from the foreign governments that host oil and gas company facilities.


Generated by readers, the comments included herein do not reflect the views and opinions of Rigzone. All comments are subject to editorial review. Off-topic, inappropriate or insulting comments will be removed.