Oil prices spiked as a result of the mid-September attack on Saudi Arabia’s production facilities but have since fallen back.
Companies can ill afford complacency, though. “The Saudi attack was a Pearl Harbour-level event. It should make the industry sit up and think about what it is doing and how to achieve security. It didn’t cost a lot of money to stage the attack but it has caused hundreds of millions of dollars of damage – and potentially more, depending on the impact on Aramco’s IPO,” Energy & Natural Resource Security’s (ENRS) CEO C Derek Campbell told Energy Voice recently.
Both companies and countries should consider security risks of all sorts and how best to tackle them. A failure to do so has a short-term impact, such as production going offline, but it also feeds into a perception of risk that has knock-on repercussions.
Financiers will impose additional burdens on projects developed in countries seen as carrying danger, in order to safeguard their investments. These might include higher interest rates or shorter repayment periods. Such conditions prevent operators from exploiting a resource fully, reducing rewards to both them and the host governments.
There are steps that could have been taken to safeguard Saudi Aramco’s facilities, at Abqaiq and Khurais, such as anti-drone systems. “But the question is really a broader one, of how to mitigate threats in general,” Campbell continued. “After an attack like this, companies such as Aramco are likely to go out and buy new bits of kit that promise to provide security from drones. But is buying more kit really the right answer to a complex threat like drone attacks?” For risks to be mitigated, vulnerabilities must be identified.
A better focus for companies to consider is that of integration. Effectively linking up security systems should “provide managers with near-real-time awareness of the security posture of their energy assets. By doing so, they can proactively respond to threats like drone attacks, ultimately ensuring that they can maintain their continuity of operations.”
Companies can protect themselves against such threats and part of this will be linking up with governments and authorities. “Without the right security regime, it is difficult for an investor to make sure that an investment is protected. That makes the dynamic of that return out of control, it’s not accounted for – you can’t use hope as a planning factor,” Campbell said.
A leading risk for African projects is a reliance on legacy IT equipment, which is particularly vulnerable to cyber threats, the ENRS official said. This risk was demonstrated during the Angola Oil & Gas 2018 conference, when Sonangol suffered a ransomware attack.
Aramco too has suffered from IT issues, with the Shamoon malware attack in 2012 tripping up as many as 30,000 workstations. So serious was the problem that the NOC bulk-ordered hard drives and flew them in from Southeast Asia on its private fleet. Such was the scale of the purchase that it drove up prices for computer equipment worldwide. This malware resurfaced in late 2018, targeting Saipem.
Terrorism was also flagged by Campbell as a threat to the African sector. Each country will have its own variety, he said, with theft being a subset of that concern. “This can either be straightforward, such as of equipment, to tapping pipelines in order to steal oil or products. Theft also extends back into the IT realm, with false reporting from companies on production of oil, for instance, or stealing valuable and proprietary data from NOCs.”
C Derek Campbell was talking to Energy Voice ahead of the Africa Oil and Power event, in Cape Town.