The energy industry is no stranger to cyber-attacks. In May 2021, a US operator was forced to shut down a pipeline and pay US$4.4m to hackers following a ransomware attack. In Ukraine, two cyber-attacks – in December 2015 and June 2017 – led to the shutdown of its national power grid.
The consequences of attacks are potentially catastrophic from both a safety and a commercial perspective. Cyber-attacks on energy companies could lead to equipment being pushed outside of its safe operating envelope, the manipulation of pipelines, inventory theft, or the misappropriation of commercially-sensitive well and reservoir performance data.
As digitalisation accelerates, so does our vulnerability to cyber-attacks. Even more concerning is the estimate that up to 60% of cyber-attacks are instigated by insider threats. So how do we protect ourselves in a world where both the frequency and sophistication of these attacks are escalating? Well, we can draw some useful lessons from the place where one of the first ever cyber-attacks took place – Jurassic Park.
No expense spared
“The most advanced amusement park in the entire world… we spared no expense,” is the opinion of the park’s flamboyant creator, John Hammond. In 1993’s highest-grossing movie, Hammond’s company has cracked the scientifically impossible, and successfully brought an island theme park full of dinosaurs back to life.
The plan is to showcase them to the world. But there’s a snag: the park’s insurers are nervous. So a team of dinosaur experts is flown in – along with Hammond’s grandchildren – to experience the attractions first-hand, ahead of the grand opening. What follows are some of the most memorable scenes in movie history, as the dinosaurs, including a T-Rex, escape and wreak havoc. In the end, the protagonists are lucky to make it off the island in one piece.
The chaos was caused by the actions of a single disgruntled employee. In an attempt to steal intellectual property, computer programmer Dennis Nedry created a “back door” and brought down the park’s entire security system so he could make his escape.
There are several parallels that can be drawn between the challenges posed by process safety and cyber security. Personal safety is often prioritised over the less-visible process safety. Although he won’t be winning any awards for his skills as a grandparent, Hammond had correctly “spared no expense” on moats, electrified fencing and motion sensors to keep the dinosaurs contained. Unfortunately, he had ignored the invisible threat of cyber security.
Forewarned is forearmed
Before being spat at and devoured by a Dilophosaur, Nedry is consumed by his own money troubles: “Your financial problems are your own,” snapped an angry John Hammond. Nedry had been planting malicious code and performing practice runs for weeks, all undetected by the park’s security team. Had there been robust cyber security controls in place, these weak signals would have been flagged via background checks and/or IT access monitoring.
Your company should have a sound understanding of the cyber security risks posed by all of its stakeholders, including employees and those outside of the organisation, such as competitors and customers. Maturity assessments can tell an organisation where it needs to focus its attention, while a robust cyber response plan should be implemented to respond to an incident.
Cyber security has become a credible threat to process safety and we should all be aware of the risk it poses. IChemE has a wealth of resources on its website to help you, including presentations from previous Hazards conferences, and podcast episodes from its Safety Centre.
Forewarned is forearmed – it is crucial that best practices and key lessons are adopted before a cyber incident occurs. Much like process safety, behavioural aspects come into play, and the actions of our people can drastically tip the scales in our favour. Anyone working in the energy industry, including engineers, operators, managers and beyond, should understand that simple actions are vital to maintaining cyber security. These include: not sharing passwords, locking screens when away from devices, steering clear of unsecured coffee shop Wi-Fi, and avoiding clicking on any suspicious links in emails.
The assumption that cyber security plays no role in process safety may have been correct over a decade ago, but the digital transformation has turned that on its head.
“We were over-dependent on automation… Next time it’ll be flawless,” remarks Hammond at the movie’s conclusion. Sequels may grant Hollywood an opportunity to correct its mistakes, but with cyber security – and process safety – we have to get it right first time, and prevent incidents from occurring in the first place.
This article was originally published in The Chemical Engineer: https://www.thechemicalengineer.com/features/the-greatest-teacher-accidents-are