The oil and gas industry has always been plagued by security concerns; throughout its history, the sector has been subject to environmental protests, labour disputes, vandalism, piracy and terrorist attacks, and, more recently, cybersecurity breaches. While the majority of these incidents have occurred at onshore facilities, in recent years, particularly over the last decade, offshore infrastructure – including fixed offshore production platforms, mobile offshore drilling rigs and FPSOs – has become an increasingly popular target for groups such as terrorists, pirates and extreme environmentalists.
This has been particularly noticeable in areas that are unstable economically and politically, such as Nigerian territory, which was subject to a series of significant attacks on oil and gas facilities and vessels between 2006 and 2010. This sustained campaign of attacks on oil and gas infrastructure offshore Nigeria and in the southern Niger Delta reportedly resulted in more than 200 foreign workers being taken hostage and reduced Nigeria’s oil production by around 25%.
The consequences of any large incident at an offshore installation, whether it is caused by operating errors or security breaches, can be catastrophic. And, while the BP Macondo spill was a result of the former, this event is perhaps the most pertinent demonstration of the extensive consequences a single incident can have: not only did the spill cause loss of life and result in criminal charges against executives, and massive environmental damage, it also had significant financial impacts on all parties involved, as well as the wider oil and gas sector.
For these reasons – in addition to the escalating demand for oil and gas (which will meet about 60% of global energy demand in 2040, up from 55% in 2010) – oil and gas operators are increasingly focusing on improving and upgrading their security strategies, determined to avoid costly and life-threatening incidents in the future.
This can be illustrated by the increase in security spending we are set to witness over the coming years. Indeed, according to recent analysis from Frost & Sullivan, the oil and gas infrastructure security market is set to almost double from 2011 to 2021. The market earned revenues of $18.31 billion in 2011, and the report estimates this to reach $31.27 billion by 2021.
So, in the offshore sector, which is made up of remote installations where it can be difficult to react when facing an incident, given the distance from shore-based support, what are the main factors that need to be taken into account when improving security regimes, and how can operators effectively and efficiently integrate security into their business models?
Technology and human behaviour: finding the right balance
Advanced technology, of course, is absolutely essential to detecting potential attacks early and protecting offshore platforms from intrusions, whether physical or cyber. This can include everything from radar video surveillance to security CCTV cameras for live facility monitoring, security lighting to deter covert actions, and access control for protecting restricted areas.
However, individual pieces of technology implemented in an ad hoc fashion will not be effective; an integrated and comprehensive strategy is required, as well as ensuring that the people involved in the process are properly screened in order to prevent errors and sloppy behaviour.
"Security is not necessarily a problem you can throw money at; spending needs to be wise and technology is not always the best answer," explains Dr Gal Luft, co-director of the Institute for the Analysis of Global Security (IAGS), a Washington-based think tank focused on energy security.
"For example, many operators prefer to invest a lot of money in technology rather than dealing with the human factor, i.e. better employee screening and better understanding of who is allowed onto the rigs. Many vulnerabilities are a result of human behaviour, such as lack of discipline and not following simple procedures. It makes no sense investing millions in cyber-defence technologies, for example, if the employees use sloppy passwords."
Indeed, for Luft, most operators are very competent in the arena of security, but problems often come from within. "At IAGS, we therefore try to focus on highlighting neglected vulnerabilities like paying proper attention to information security, cybersecurity and employee screening," he says.
Third-party specialists: essential to success
Certainly, technology is not the only factor oil and gas operators need to take into account when improving their security strategies; kidnap and ransom response, manned security, risk assessment and mitigation, and intelligence assessment are only a few of the other essential elements of an effective security regime. And, for this reason, it’s key for oil and gas operators to work with specialist third parties that are well versed in creating integrated and comprehensive security strategies.
"Operators are in charge of oil and gas operations. Security is usually assigned to professionals, staff or contracted, who make their proposals to the management," says Jean-Louis Kibort, chair of the International Association of Oil & Gas Producers’ (OGP) Security Committee. "The key is to be able to rely on a robust and sound security organisation. This ensures all participants are well informed of their roles and responsibilities, and that the security policy in place is adapted and balanced."
Indeed, third-party security and risk-management firms, such as G4S, Maritime Security Solutions and Drum Cussac, among many others, are increasingly offering holistic security solutions, which include services such as risk assessment and mitigation, consulting, the integration of technology and processes, anti-piracy services, vessel protection in high-risk waters, armed and unarmed vessel escorts, and resilience planning.
"With vast experience in the offshore sector, third-party organisations like these are able to tailor their solutions and strategies to each offshore installation, depending on its location and the geopolitical situation.
"Some operations are more secure than others," Luft notes. "Much depends on how far the platform is from the shore and what the maritime capabilities of the enemy are."
For example, in high-risk areas such as the Gulf of Guinea on the west coast of Africa, a high level of security is necessary, including having armed personnel on board offshore installations.
Of course, in all cases, one factor remains constant. "Security must be incorporated as early as possible in the lifecycle of a project or any operation exposed to security risks," Kibort stresses.
Take advantage of local military
Private security experts are not the only outside party that operators need to collaborate with; it’s equally key to work closely with local naval forces and governments in the region in which an offshore platform is located.
"In the end, most of the burden of peripheral security will be on the national naval forces, as they have security jurisdiction in the economic waters," explains Luft. "In the case of offshore facilities, communication and coordination with local naval forces is critical."
Again, in this arena, third-party security firms can help, as they have the ability to instruct local military personnel who have little training or experience in the offshore sector.
Joint training programmes can also be advantageous, particularly when a few different military entities need to act together in case of an incident. One example is the joint training programme carried out by the US Navy in 2009, which aimed to improve responses to offshore threats in the Gulf of Guinea.
It is also advisable for operators to follow the UN Global Compact for Security and Human Rights, a framework that lays out the procedures and gives guidance on how oil and security companies should interact and deal with the local communities where they are working.
But of course, things don’t always run smoothly.
"In reality, it depends a lot on the country," Luft warns. "In some countries, the military is well integrated in civilian activities and the collaboration is smooth – Israel is one example. However, in West Africa and South-East Asia, this is less so, and breakaway units from the naval forces are in fact the biggest offenders."
Cyberattacks: the latest threat to offshore infrastructure
On top of the physical threats that offshore operators have had to deal with since the birth of the industry, the oil and gas sector is now increasingly beset with problems of the virtual nature. Indeed, last year, the US energy sector (including oil and gas producers) was hit by more targeted malware attacks from April to September than any other industry, a Council on Foreign Relations report found.
Moreover, several international operators such as Saudi Aramco, which supplies a tenth of the world’s oil, and Qatar’s RasGas, have been hit by cyberattacks since 2009. The politically motivated attack carried out on Saudi Aramco by hackers from a group called ‘Cutting Sword of Justice’ in August 2012 damaged 30,000 computers and was aimed at stopping oil and gas production. Fortunately, it did not achieve its goal, but it was one of the most destructive cyberattacks on a single business and served as a warning to the industry of the disastrous consequences a successful cyberattack could have.
"Cybersecurity is one of the areas that is currently being looked at very carefully," confirms Kibort.
Indeed, in the US in June 2013, as part of the Obama administration’s commitment to protecting the country’s critical energy infrastructure, US Energy Secretary Ernest Moniz announced a new public-private partnership to strengthen the protection of the nation’s oil and gas infrastructure from cyberattacks. The initiative will create a tool that allows owners and operators to assess their cybersecurity capability, and prioritise their actions and investments to improve it.
For Luft, one of the most important areas operators should be looking at is the energy supply to the platform. "A platform is the ultimate island," he notes. "It needs to generate its own electricity, and if the power fails, the rig is deemed useless and needs to be evacuated. This is a major vulnerability that operators don’t pay enough attention to. Most rely on simple generators that can be disabled or hacked quite easily.
"Energy management offshore and the integration of multiple energy sources (solar, batteries, fuel cells and so on) in a way that optimises each energy source are very important. But, of course, the smarter the micro-grid becomes, the more it lends itself to cyberattacks, so additional layers of security are needed to ensure power cannot be interrupted."
Collaboration: to become even more important
As oil demand increases, the technology available to terrorists, pirates, hackers and other enemies of the oil and gas industry advances, and offshore platforms are erected in higher-risk areas, the list of threats to offshore infrastructure is only set to grow. Now, more than ever, it is absolutely essential for oil and gas operators to make use of the many third parties – including private security firms, and local and international militaries and governments – that can help protect their valuable assets from potentially catastrophic attacks.