Editor’s Note: In this, our first-ever look at Information Technology (I.T.) as it pertains to the oilfield, we spoke with two experts in the field, one who heads the cyber security functions at a global, multinational oil company and one whose company provides I.T. and data security services for a variety of clients in West Texas. From one we get the global perspective and from the other the more local/regional, hands-on, consultancy perspective, but what is interesting is that each source confirms that cyber security knows no local-global distinctions. What works for the biggest operators is necessary for the smallest. What happens in the smallest entities, when something bad happens, is rarely a “local” event. It’s one world out there, and the Digital Oilfield, which is everyone’s oilfield, is connected to every single part of it, for good or ill, here or abroad.
by Jesse Mullins
Just how ever-present is the risk of information security breaches? It’s this simple, this immediate, and this insidious:
“There’s an easy example to share, and it’s everywhere. Companies invest a great deal of money in their corporate firewall—used for filtering the Internet and blocking threats. Yet they let everyone in their office who has a smart device, an iPhone, an Android Phone, a tablet, any of those devices—they say to them, ‘Here is our wireless password.’ And every one of those devices is a Trojan horse that comes in around the firewall.”
Lance Tolar speaks readily and purposefully when talk turns to cyber security. It’s his business. Sitting in his corner office on the fourth floor of the United Centre in downtown Abilene, the president of Tolar Systems, Inc., makes a case for security in a business world where misconceptions abound and remedies require not just technology but that most precious of company commodities: employee buy-in.
Meanwhile, though, Tolar shared with PBOG Magazine some foundational truths where information security is concerned. Asked why it is that conversations about cyber security increasingly seem to include talk about the oil and gas industry, Tolar suggested it could be because the technological revolution in oil and gas has brought that industry fully into the realm of data-crunching, data-sharing information technologies. A major paradigm shift is at work, and oil and gas has its own part to play in that. And its own challenges to surmount.
“When you talk about I.T. security in any industry, and especially in oil and gas, I think really you have to start with education and good information. If there’s a deficit to be found somewhere, it is that, (A) people they make assumptions that may or may not necessarily be accurate, or in some cases are totally misinformed, and (B) that people tend to focus on one area of security where they are unaware of or they ignore other areas of security.
“The oil and gas industry is in an explosion of growth,” Tolar said. “And like all industries in growth mode, they are exploring ways whereby they can work quicker and smarter. People need information at a faster rate and technology exists today that didn’t exist 5, 10, 15 years ago to deliver information in near real time. People are using this technology in every other aspect of their life and so it’s natural to implement I.T. into the oil and gas industry as well. Companies want good information as soon as they can have it.
“Historically, the best way to do that has been for them to put a man in the field and have him write up a report. Yet the technology now exists where we can minimize—can’t remove, but we can minimize—putting that person in the field, which is a cost savings and provides consistent information.”
Savings, yes, but right there, risks arise that never existed before. Yet few today are troubling themselves about security risks when they are achieving such profound cost reductions.
Says Tolar: “Many organizations’ security could be seen as a sort of replication of a Western movie set, where the buildings are really facades or they’re made of fake brick. When you look at them from a certain angle, in a certain light, they look legitimate. They look solid, but they’re really fakes. This facade doesn’t deter the hacker or the bad guy. What it does do is lead the organization itself into a false sense of security. It does nothing to minimize the risk or their exposure.”
According to a chief information security officer at a major oil and gas company–one who requested that his name and company not be disclosed–changes in the oilfield are giving rise to new kinds of risks never encountered in this sector before.
Asked why it seems to be growing faster in oil and gas than in other industries, the source said that “industrial control systems” are one of the risk areas.
“It comes down to the way that oil and gas operates today in the field: those industrial control systems,” he said. “The digital oilfield. Modern oilfields are automated in some way, shape, or form. There’s always a level of automation. What used to be human functions are now usually done by industrial control systems. Motors and valves will turn, temperature readings and pressure readings will be taken. But these systems are controlled by computers. If someone takes control of the computers, they can take control of the industrial control system, and you lose control of the entire system.”
It’s modernization, he said. “It’s just the business of technology-marches-on. It catches up everywhere and oil and gas is no exception. It was inevitable that the ‘Digital Oilfield’ would be something that would arrive and would be here to stay.”
But isn’t cyber security just an issue for large oil companies to worry about? This source thinks otherwise.
The smaller companies absolutely should be tuning this in, he said.
Why? “Because the smaller you are, the harder it is to recover from an incident. So if a Deepwater Horizon-type well blowout happens, because of a cyber attack, to a small-to-medium-sized organization, chances are they would not survive the litigation.”
While it may be true that smaller companies need the security, what’s different for them is the scope.
“Those companies can operate with a scaled-down version of what the larger companies employ,” he said. “We’re a global multinational, so we have operations around the world.”
Those smaller companies don’t need a presence that extends globally, of course, but they still need an intelligence function to understand the adversaries and define the controls they definitely need, as well as an operations arm that watches the environment and that can generate enough information so that they can see the adversaries that happen to be inside.
“And do the incident response and the cleanup work that has to be done,” he said. “They still need a governing structure. They still need the basic forms and function of a security program. They just won’t need it worldwide. And they may be able to outsource more of those functions to a managed service provider, versus having in-house expertise. But capability-wise, the program should be almost identical.”
In our concluding Part II, you will hear from Brian Engle, who is Chief Information Security Officer for the state of Texas, as well as from other authorities and experts in the field of information technology as we delve deeper into this rapidly emerging trend of the Digital Oilfield.