There have, of course, been some notable upstream losses and near misses over the last two years, notably in Malaysia, the North Sea, and the US. At the time of publication, none of those losses were valued at over the US$189 million property damage threshold to qualify for the 100LL. However, it should be noted that the eight-year absence of entries from 1993 to 2001, was followed by 14 entries into the 100LL over the subsequent 15-year period. This reinforces the importance of maintaining strong risk management protocols and effective mitigation of complacency creeping into the collective industry psyche. Similarly, the rate of tier one process safety events over the past decade has remained somewhat constant[4] which underlines that there remains further room for improvement for safe working practices in the upstream sector.
A question of if, or when, cyberattacks will feature in the 100LL
Currently, none of the entries in the 100LL directly result from a cyberattack, and it will be interesting to see if this changes in the coming years. In May 2021, we saw the effect of the ransomware attack on the Colonial Pipeline, which was one of the largest publicly disclosed cyberattacks against critical infrastructure in US history. Although there was no direct property damage from this incident, it did impact the company’s operations, and sounded alarm bells for governments, regulators, and communities. For the time-being, it appears that the objective of cyber perpetrators is to cause disruption, rather than destruction. That said, the Triton malware, which specifically aims to breach safety control systems, and the Stuxnet malware, which targets supervisory control and data acquisition (SCADA) systems, both serve as reminders that cyberattacks do have the potential to result in large-scale property damage and loss of life.
Conclusion
There has been a significant reduction in new entries to the 100LL over the last two years, compared to recent history, and the energy industry should certainly be commended. However, it is perhaps premature to conclude that there has been a fundamental improvement in operational, inspection or maintenance practices, or overall risk management maturity, as this improved performance may be attributed, at least partly, to a decrease in site-based activity, or short-term operational measures in response to the COVID-19 pandemic. The longer-term risks associated with the pandemic remain to be seen, and cyber-related risks remain a growing area of concern.