Intrinsically cyber-safe devices: a solution for systemic cyber threats

Francis Lobo, head of upstream engineering at Canopius

(This article originally appeared in The Canopius Herald in March 2018)

Everyone with clients in the oil and gas sector knows that cyber is among senior managers’ top three risk management concerns. They have good reason to be worried: no energy company is immune to cyber losses, and the danger is rising every day. Risk management shortfalls – despite best efforts – leave the insurance sector exposed to potential systemic losses. Design practices in the oil and gas industry are inadequate to deal with major accident hazards arising from systemic cyber risk. A modified approach is needed, beginning at the design phase.

Insurers, brokers, and clients alike understand that industrial control systems must be made as resistant as possible to cyber intrusions. The usual approach is to defend system perimeters using firewalls and other techniques intended to keep hackers out. Unfortunately, a fundamental problem limits the effectiveness of this approach: such defences are not impenetrable, and almost all may be circumvented by sophisticated hackers. Systems have holes and open doors. They may even harbour dormant malware waiting for future attacks.

Increasingly, information officers have come to realise that they cannot defend system perimeters adequately. Systems are also vulnerable to attacks launched from within, perhaps through code embedded before perimeter defences were erected, or introduced when software patches are applied.

For the insurance market, the greatest concern is systemic risk. Insurers and their customers can easily cope if a system is hacked and, say, a single compressor explodes. However, if embedded malware causes fifty compressor explosions on different platforms around the world, the oil industry and its insurers will face severe challenges. The Schneider Electric hack proves that such attacks are possible.

One solution is to encourage the adoption of a new approach that supplements perimeter protection and intrusion detection. Intrinsically cyber-safe barriers such as mechanical fail-safes can prevent an event from occurring and address systemic risks. During drilling, for example, the mud column is typically the primary barrier that prevents sub-surface formations from flowing to the surface. It is intrinsically cyber-safe. This simple fact would make it highly unlikely that a cyber attack could result in many such wells erupting out of control simultaneously at multiple locations.

The conceptual introduction of just one such barrier to other systems at the design stage – such as ensuring an isolated mechanical pressure relief valve is fitted to all pressure-containing equipment – would be sufficient to begin reducing systemic risk, by providing an un-hackable backup to integrated control systems. Such intrinsically cyber-safe barriers would be dormant except when called upon to respond to a potentially catastrophic situation. Industry can therefore still realise the enormous benefits of digitalisation while being protected against catastrophic loss, and in particular against cyber-related systemic loss.
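As an added illustration that is not part of the original article, the following constructed Python model contrasts a software pressure controller, whose logic can be tampered with, against a mechanical relief valve whose only input is physical pressure. The pressure values, setpoint, lift pressure and vessel rating are arbitrary assumptions, not data from any real installation.

```python
# Constructed model of an independent mechanical barrier backing up a
# software controller. All numbers (bar, steps) are arbitrary assumptions.

def software_controller(pressure: float, setpoint: float, compromised: bool) -> float:
    """Integrated control system: vents pressure above its setpoint.
    A compromised controller (tampered logic or setpoint) vents nothing,
    standing in for the embedded-malware scenario the article describes."""
    if compromised or pressure <= setpoint:
        return 0.0
    return pressure - setpoint

def mechanical_relief_valve(pressure: float, lift_pressure: float) -> float:
    """Spring-loaded relief valve: lifts on physical pressure alone.
    It deliberately takes no 'compromised' flag: with no software input,
    a cyber event has nothing to tamper with."""
    return max(0.0, pressure - lift_pressure)

def simulate(steps: int, inflow: float, setpoint: float, lift_pressure: float,
             controller_compromised: bool, relief_fitted: bool) -> float:
    """Return the peak pressure (bar) reached over the run."""
    pressure = peak = 0.0
    for _ in range(steps):
        pressure += inflow  # process keeps pushing pressure up
        pressure -= software_controller(pressure, setpoint, controller_compromised)
        if relief_fitted:
            pressure -= mechanical_relief_valve(pressure, lift_pressure)
        peak = max(peak, pressure)
    return peak

def within_mawp(peak: float, mawp: float) -> bool:
    """True if the vessel never exceeded its maximum allowable working pressure."""
    return peak <= mawp

if __name__ == "__main__":
    MAWP = 25.0  # assumed vessel rating, bar
    scenarios = {
        "healthy controller, no relief valve": (False, False),
        "compromised controller, no relief valve": (True, False),
        "compromised controller, relief valve fitted": (True, True),
    }
    for name, (compromised, relief) in scenarios.items():
        peak = simulate(20, 2.0, 10.0, 15.0, compromised, relief)
        print(f"{name}: peak {peak:.1f} bar, within MAWP: {within_mawp(peak, MAWP)}")
```

With the controller compromised, pressure climbs unchecked unless the relief valve is fitted, in which case it is capped at the valve's lift pressure regardless of what the software does.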

Posted on 13th April 2018.