30 Sep Weaponizing Digital Against Oil and Gas
The recent attack on Saudi Arabia’s oil infrastructure using weaponised drones has unleashed the potential for copycat attacks. Expect to see a wave of investment to harden the industry.
In case you’re not across the story, person or persons unknown launched a series of unmanned armed aerial attacks on Saudi Aramco’s most important oil production facilities. As many as 25 guided missiles and drones precisely targeted critical oil processing infrastructure, blasting holes in tanks and processing units, triggering intense fires, and forcing several million barrels of daily oil production off line.
It’s not clear where the drones originated, but it’s unlikely that they launched from inside Saudi Arabia. Oil is too important to the state. Using Google Maps, I plotted straight line flight distances to states in the neighbourhood to see how far the drones may have flown. It’s only 150km to Qatar, and Iran is 350km just across the Strait of Hormuz. Iraq is 500+km distant, and Yemen far away at 800+km. To carry a robust weapon payload a long distance, the drones must have been fairly beefy, not your garden variety play toys, and able to fly beyond line of sight.
Oil facilities around the world are considered critical industrial assets. Generally they are large scale structures, are easy to find, and are co-located for efficient access to logistics and services. Many are close to oceans (over 60% of crude oil is loaded and unloaded at tidal port facilities). A lot of product is on site—a mid-sized refinery might have a hundred or more storage tanks. As a result they are uniquely vulnerable to attack. They all feature high fences, security cameras, guards and dogs. In 2006, two assailants loaded a vehicle to the brim with explosives and tried to crash through the first of three electric gates at one of the same facilities just attacked. Aramco promptly boosted perimeter security, as did most other, if not all, oil plants.
It’s not as if Saudi Arabia under-spends on national defence. The country is in a hostile neighbourhood and involved in a war with Yemen. It is one of the world’s largest buyers of military hardware, and protects its key facilities with fighter jets. I would be very surprised if any other major oil producing state allocate military assets to the task of protecting oil infrastructure. It’s probably safe to assume that most oil infrastructure is unprotected from drone attack from the air.
The Drone Curve
Here’s the problem. As technology advances, drones are getting smaller, lighter, faster, cheaper, need less fuel, carry bigger loads, and fly further. They’re on Moore’s Law, after all. Many companies are building new kinds of drones to satisfy a growing commercial demand for unmanned aerial equipment. Drone service businesses are springing up too, including taxi drones big enough to ferry people about (think suicide bombers). And don’t ignore the non-flying drones — submersibles are on the same flight path, as are the terrestrial variety.
Just about anyone today with a few hundred dollars can buy a pretty decent aerial drone. Someone with a bit more money and an agenda will be able to purchase much more substantial bots. Heck, the day is close when instructions to 3D print a dangerous bot will be available on the dark web.
Finding targets is fast becoming a trivial problem. Google Earth gives very precise geographic locations for points on their maps. Many governments conveniently capture and publish the coordinates of oil and gas infrastructure as a matter of public record.
Certainly the capabilities of a military missile drone (hardened war head, high velocity, force of impact, shrapnel) won’t be available in Walmart anytime soon. But the availability of such drones is not zero either, and even small drones can wreak havoc on an industrial site.
Drone attacks may well go up, in light of the success of this attack. And the attacks may be directed at other kinds of energy infrastructure such as nuclear facilities.
A feature of the most recent attack is the number of drones involved, which arrived in a kind of swarm. Like a denial of service attack that overwhelms defences, a drone swarm attack overwhelms whatever shoot-em down defence is protecting the target.
Saudi military grade defence gear, tuned to ward off fewer, bigger and more substantial aerial threats (like incoming aircraft), didn’t successfully counter the drone threat. Radar may not be up to the task of detecting multiple small fast incoming objects. Defensive weapons for picking out incoming targets the size of large birds and hitting them in mid air might lack the necessary precision.
Not all drones in a swarm need to be armed. Throw in a few fakes, and suddenly planners confront the possibility that the one drone that is armed will get through unscathed. It begs the question: how will we distinguish between a drone swarm with intent, versus just a lot of drones?
I would also not assume that the perpetrators of drone attacks are international terrorists bent on mayhem with their enemies. There are enough crazies in the world motivated to launch attacks from inside national borders (a few years ago, Canada had to deal with an anti gas industry crank who bombed gas infrastructure). Emerging drone capability makes close quarters strikes plausible.
How will a company tell if that drone near the refinery is delivering medicine to a local clinic, a priest to a wedding, or fire from the sky? Shutting down the plant isn’t an option. Surely the right answer, in the case of uncertainty, is to destroy the drone in the air. Who is going to do that?
An even bigger question looms: how will we be able to trust drones at all? The era of the suicide bomber may be eclipsed by the arrival of the suicide bot. What we think is an unmanned pizza delivery bot is actually the latest terror delivery system.
Contemplating a Response
Around oil and gas board room tables throughout the industry, but most obviously in the Middle East, executives will be soberly appraising the new vulnerabilities exposed by this event. It reminds me of the post 9-11 era when suddenly every airline replaced the doors to the cockpits, airports beefed up screening, security raised passenger humiliations to include shoe removal and body searches, and carry on restrictions banned pointy objects and liquids.
Those changes weren’t easy. But taking action in this case is a bit harder.
Hardening the Plants
One option is to somehow harden existing oil and gas plants from aerial threats, in the way that airlines hardened the doors to the cockpits. However, oil assets are very large. Frequent repairs and turn arounds leave few options to erect shields or barriers. Plants are designed to be open to the sky because heat rises and if there is an explosion or fire, access to the atmosphere diffuses the forces released. Burying plants isn’t really an option, except for pipelines. And there are real questions about the practical useful life of many oil assets in a world aiming for energy transition, which limits appetite to invest.
Drone Detection and Defense
Another option is to put in place a drone detection and defence service. Some bright sparks, if they haven’t done so already, will invent new technologies able to detect unmanned flying objects, and execute defensive tactics (query, intercept, block, escort, destroy), likely building on military grade gear. It will take months if not years for such technology to be fully developed and deployed, during which time vulnerabilities will remain.
A quick and dirty solution is to simply ban all drones from anywhere near oil infrastructure, as cities have done around airports. That has real negative social impacts as drones become more and more capable, and when oil and gas companies enlist drones for their own purposes (inspections and services). Remember the challenge of separating friend from foe. And banning aerial drones doesn’t solve for the same identification problems for terrestrial drones, or the submersible units.
An interesting option would be to require all drones to register with some authority, in much the same way that airplanes today all communicate with air navigation authorities. Before a shoot-to-kill order is executed, a gunner could check with the registry about the owner, the operator, the flight plan, and other details. Citizens would be able to point a smart phone at a drone and instantly confirm that it’s benign.
Such registries don’t exist yet, and many western countries struggle to create simple national gun registries. Drones may be easily stolen, and registries will lose track of them. Stolen drones could be smuggled into other countries, have their flight identifiers hacked to mask their true intent, and elude identification. In countries like the US, expect to see gun advocates fighting against rules to ban armed drones as a civil rights issue. If I can carry a gun, so can my drone.
Several critical actions are now likely underway across the industry.
Drone companies will consider how their technology can be used for no good and think about how they actively prevent their gear from being put to nefarious uses. Better to build in preventions now than add on protections later.
Consulting firms will update their risk advisory services to include new threat assessments from bad robots, along side cyber and other risks.
Oil and gas companies will be recalibrating their risk analysis, and rating unmanned aerial attacks from low probability/high impact to high probability/very high impact. Some will place terrestrial and submersible drones into the same risk profile. In time, new funding will go towards hardening and defense of these assets.
Engineering firms will update their future plant designs to include hardening features to offset threat vectors from the air, land and water.
Finally, government policy makers will now reconsider their relatively loose policies about drones and tighten up regulations about ownership, registration, usage, and controls.
Check out my new book, ‘Bits, Bytes, and Barrels: The Digital Transformation of Oil and Gas’, available on Amazon, iTunes, Audible and other on-line bookshops.