The Intelligent Approach to Energy Security
Oil and gas infrastructure is vulnerable to attack, especially in potentially unstable countries. Can a responsive, intelligence-led approach improve security? In the run-up to Arena International's Energy Asset Security Summit in Egypt, Chris Lo speaks to energy security consultant Stephen Phelps to find out.
Under the nose of the global oil and gas industry, a more shadowy business is trying to turn a profit. Around the world, oil companies are regularly targeted by groups looking to disrupt or exploit local energy infrastructure.
Whether financially or politically motivated, these attacks are particularly prevalent in countries like Iraq and Nigeria, where unstable conditions make security a logistical nightmare for even the largest global majors. The Niger Delta might offer companies lucrative opportunities with its massive oil reserves, but militant groups like MEND, angry about the treatment of local people affected by the oil industry's pollution, are a persistent threat.
In August 2010, Royal Dutch Shell admitted that sabotage on its pipelines in the Niger Delta was on the rise, with three attacks on its Cawthorne Channel - Bonny pipeline in that month alone. Incidents on offshore rigs are a continuing problem as well, the most recent example being the kidnapping of seven Afren workers from an oil platform offshore Nigeria (the workers were released several weeks later).
Stephen Phelps is an independent energy security consultant who has worked with large oil and gas companies in countries like Nigeria, Iraq and Russia to supervise security operations. He will be speaking at Arena International's Energy Asset Security Summit in Sharm El Sheikh, which is taking place on 25-26 January. We talked to Phelps about the benefits of an intelligence-based security strategy and the challenges involved in integrating these programmes into an energy business.
Chris Lo: What assets are the key security priorities within an oil and gas company's local infrastructure?
Stephen Phelps: In terms of physical assets and infrastructure, a lot of the companies focus on the big ticket items, the high value infrastructure assets that would take months to replace if they were heavily impacted or even destroyed. I am talking about the gas plants, the liquefaction plants, export terminals, offshore facilities like FPSOs and so on. But in Nigeria, we had an environment where there were thousands of kilometres of pipeline which were largely unpatrolled and unprotected.
These pipelines, including flow stations, manifolds and compressor stations, link all the high-value assets together, and without the pipelines, those assets are just lumps of metal in the countryside. If you cannot get your product to market then you are simply sitting on reserves. So I spent a lot of time looking at threats to the pipelines, because everything else was being looked after reasonably well.
CL: What are the different security approaches required for onshore and offshore energy infrastructure?
SP: Protection of onshore assets largely becomes a matter of delivering a point defence capability, where you look after the asset on site; you form a perimeter and you protect yourself in that perimeter. Of course, there are outreach programmes designed to reduce threat and risk that go beyond the perimeter protection of the facility.
Offshore, the environment is geographically less constrained so you can push your protection further out, using field security vessels. You can also use technological systems, which give you a longer reach and look at the environment, which are not necessarily going to be effective or permitted by the host nation onshore. The offshore environment has some advantages - you can see things further away, obviously.
However, the difficulty with offshore operations is that when an incident occurs, there's nowhere to go - if you're there, you're there. So your protection has to be just as robust offshore, in terms of point defence, as it does when you're onshore.
CL: What kinds of technologies, physical or software-based, are proving particularly useful for security applications?
SP: There are technology systems which monitor the flow of products through pipelines and detect anomalies in that flow, which can be caused by metering failure, a technical failure, an integrity failure in the pipeline structure, or human interference.
The latter can result from either sabotage or crude oil theft from the pipelines. There are technology systems out there that can detect such intervention; they're not my particular field of expertise, but in my function in the past, I've looked at the data generated by those systems as a form of early warning indicator of interference with the pipeline.
The capability I conceptualised, designed and delivered for the company I worked for in Nigeria was built around a software-based all-source fusion centre which would allow analysis of high volumes of data and generation of graphic visualisations of that data which are delivered in an easily understood snapshot. This allows busy managers to see very quickly what the operating environment looks like from a threat perspective.
One other capability that I tried to bring in was a discreet surveillance capability which we could deploy against our own assets, so that if we had information suggesting that a particular node in the pipeline system was vulnerable to sabotage or criminal activity, we could put a very discreet autonomous capability on the ground that would look at that asset in a very intelligent way, and would gather information which would be of sufficient accuracy and integrity that it could stand up as evidence in court, for instance.
CL: How important is it for a company to be able to integrate geopolitical data into its security operations?
SP: I think it's critical for oil and gas operators to understand the drivers of geopolitical instability in the environments in which they're operating. So they look at the political level of events, and this is the old traditional horizon scanning, this has been in place for more than a decade, and in an informal manner probably for a lot longer. But the need for tactical intelligence has escalated since the end of the Cold War.
As the world has become more unstable, the number of insurgencies and terrorist activities around the world has increased dramatically. That has driven forward a need for a much more granular understanding of the environment, rather than the macro picture that was sufficient in the past.
In terms of interacting with communities, one of the strategies we attempted to roll out in the Niger Delta was to develop a relationship with the host communities whereby they saw the company as an asset rather than an imposition or a threat. There was a strategy developed which incorporated intelligence-led communications, design and delivery of community development projects, employment programmes, review of the contract award process to ensure equitable and transparent contract awards systems were in place and a number of other strands.
The gathering of local information at the grass roots level was absolutely vital to supporting all of that activity.
CL: What are the main challenges of developing security intelligence within a company's practices?
SP: Firstly, the corporate decision makers have to identify the need. That's not necessarily always an easy position to achieve. There's a resistance in some circles to innovative ideas and new strategies. Trying to introduce a security capability into an environment where there is a siloed information culture can be very challenging. If people aren't prepared to report laterally, but simply go up and down their chain of command, then it can be very difficult to be effective.
Security is always seen as a cost centre rather than a profit centre, so trying to introduce new capability into the security function is seen as an additional cost. So securing a budget can be a challenge. Persuading the business that having an intelligence function will generate added value to the business is very difficult, because essentially what you're doing is generating knowledge and awareness.
It's hard to put a dollar value on that unless there is an irrefutable failure that could have been prevented and there was an intelligence report that clearly identified the threat and that threat manifests in the face of a lack of delivery of mitigation. Then you can say, "Hang on, this intelligence report could have prevented that incident if you'd reacted appropriately." Then you can measure the value of that intelligence by looking at the impact on the business of the incident.
So justifying the existence of an intelligence capability through cost, value for money and return on investment is a challenge, but not an insurmountable one. Of course, some business leaders will be very reluctant to acknowledge that incidents might have been preventable if different decisions had been made.
CL: Do you think that companies have become better at managing security issues over the last few years, or is the situation as risky as ever?
SP: That's a difficult question to answer. Firstly what we have to establish is that the oil industry is a dynamic industry. It thrives on innovation and new ideas and new technology, so it's not averse to bringing in new capabilities. Most of the oil companies that I've experienced have a progressive attitude towards security intelligence. That's encouraging, and I think the evolution over the last 10 years demonstrates that the industry is reacting positively and effectively to the emerging and changing threat environment. The key thing is how effective this new capability is, and of course the adversaries - the terrorists, the angry communities, the organised criminal groups - all have the initiative. They can choose what they do, when they do it, and where.
When you have a very highly dispersed infrastructure, it's difficult to protect all of it all of the time. So having an intelligence capability actually acts as a capability multiplier, in that it allows you to monitor the environment, gather local gossip from multiple sources and anticipate threats to your business in a much more effective way. This allows your security risk mitigation response to be more cost effective and more focussed; you're not running around trying to protect everything against everything.
Arena International's Energy Asset Security Summit will take place in Sharm El Sheikh, Egypt, on 25-26 January.