Cyber-threats as political risk : increased risk for the oil and gas industry

Mc Ewan, Kayla Ann (2020-03)

Thesis (MA)--Stellenbosch University, 2020.

Thesis

ENGLISH ABSTRACT: The oil and gas industry has always had a high vulnerability to risk, despite the high risk associated with the industry companies continue to invest in the industry because of the potential high profit return. Traditionally one of the biggest risks facing oil and gas companies is the political risk of terrorism. Since the early 1990s international oil and gas companies have been the target of terrorist groups with the number of attacks increasing yearly. The advent of the Internet and the rapid development and advancement of technology has brought with it a new political risk: cyber-threats. In comparison to terrorist attacks on oil and gas companies, cyber-threats are more of a recent phenomenon with cyber-attacks only starting to be documented over the last ten years. Two of the most well-documented cases of cyber-attacks on oil and gas companies were the 2012 attack on Saudi Aramco and the 2014 attack on Norwegian oil and gas companies. These two cyber-attacks resulted in greater attention being paid to the risk of cyber-threats facing the oil and gas industry and their overall influence. This study argues that while cyber-threats are a more recent phenomenon, they are already having a noticeable influence on international oil and gas companies. Cyberattacks are starting to occur more frequently and increasing the political risk faced by international oil and gas companies, as well as forcing them to change the way that they think and do risk mitigation and management. As such, the main research question informing this study seeks to determine whether or not cyber-threats increase the political risk which oil and gas companies face; it specifically analyses the Shamoon attack on Saudi Aramco and the cyber-attack on Statoil and other Norwegian oil and gas companies. The aim of this study is to answer this question along with three others, which complement and support the main research question. The first sub-question concerns which vulnerabilities of cyber-threats can be identified and used by companies in the oil and gas industry in order to help them manage and/or mitigate the risk of cyber-threats. The second looks at whether cyber-attacks will result in oil and gas companies losing revenue and halt their operations. The third sub-question looks at the possibilities of international oil and gas companies mitigating the risk of cyber-threats, or whether cyber-threats are a risk that can only be managed. Findings suggest that cyber-attacks are increasing the political risk faced by international oil and gas companies in various ways and they will need to change the way they approach risk management in order minimize the impact of cyber-threats.

AFRIKAANSE OPSOMMING: Die olie- en gasindustrie was nog altyd baie vatbaar vir risiko’s. En tog, ten spyte van die hoë risiko’s wat met die industrie geassosieer word, gaan maatskappye voort om in die industrie te investeer omrede die potensiële hoë winsopbrengs. Tradisioneel is terrorisme een van die grootste politieke bedreigings in die olie- en gasbedryf. Sedert die vroeeë 1990’s word internasionale olie- en gasmaatskappye deur terroriste groepe geteiken en was daar jaarliks ‘n toename in die aantal aanvalle. Die koms van die Internet en die vinnige ontwikkeling en vooruitgang van tegnologie het ‘n nuwe politieke risiko, nl. kuberbedreigings meegebring. In vergelyking met terroriste aanvalle op olie- en gasmaatskappye, is kuberaanvalle ‘n meer onlangse verskysel wat eers gedurende die afgelope tien jaar gedokumenteer word. Twee van die mees gedokumenteerde gevalle van aanvalle op olie- en gasmaatskappye, is die aanval op Saudi Aramco in 2012 en die aanval op ‘n Noorweegse olie- en gasmaatskappy in 2014. Hiedie twee kuberaanvalle het daartoe gelei dat meer aandag gegee word aan die risiko van kuberbedreigings wat die olie- en gasbedryf in die gesig staar, asook die omvattende impak daarvan. Die uitgangspunt van hierdie studie is dat ten spyte daarvan dat kuberbedreigings ‘n baie onlangse neiging is, dit reeds ‘n beduidende impak op internasionale olie- en gasmaatskappye het. Kuberaanvalle vind al meer gereeld plaas en verhoog die politieke risiko wat deur internasionale olie- en gasmaatskappye ervaar word. Verder dwing dit die maatskappye om hulle denkwyse te verander en, risiko’s te verminder en te bestuur. Vervolgens is die primêre navorsingsvraag van die studie om te bepaal of kuberbedreigings die politieke risiko wat olie- en gasmaatskappye in die gesig staar, toeneem al dan nie. Die studie analiseer spesifiek die Shamoon aanval op Saudi Aramco en die kuberaanval op Statoil en ander Noorweegse olie- en gasmaatskappye. Die doel van die studie is om hierdie vraag in ooreenstemming met drie ander aanvullende en ondersteunende vrae te beantwoord. Die eerste subvraag het betrekking op watter kwesbaarhede in die kuberaanvalle geïdentifiseer en gebruik kan word deur die maatskappy om sodoende ‘n bydrae te lewer tot die bestuur en/of vermindering van die risiko wat kuberbedreigings inhou. Die tweede vraag is gerig op die moontlikheid dat kuberaanvalle op die maatskappy sal lei tot ‘n verlies aan inkomste of selfs die staking van produksie. Die derde vraag ondersoek die moontlikhede dat internasionale olieen gasmaatskappye die risiko van kuberaanvalle verminder, of indien daar ‘n risiko van kuberaanvalle bestaan, dit bloot bestuur kan word. Volgens bevindinge verhoog kuberaanvalle die politieke risiko wat die internasionale olie- en gasmaatskappye in die gesig staar op verskeie maniere en maatskappye sal die wyse waarop hulle risikobestuur benader ten eide die aanslag van kuberbedreigings te verminder.

Please refer to this item in SUNScholar by using the following persistent URL: http://hdl.handle.net/10019.1/107876
This item appears in the following collections: