Sidebars to accompany the second installment of the Digital Oilfield.
Editor’s Note: PBOG Magazine asked Lance Tolar, president of Tolar Systems Inc., to comment on how technology is transforming the oilfield. He’s done that, both in this issue and in last month’s installment of this series, but he also indicated to us that there is a tradeoff that is sometimes involved when human beings plunge deeper into their technological toolboxes. He supplied us with the following comments that share just what that tradeoff is about.
The Human Ingredient
Companies must have good, accurate communication. It’s long been understood that battles are won or lost and companies grow or fail based on the quality of their information.
Face-to-face communication between people is more than the transmission of words and information—it is an exchange that is wrapped in body language. Body language is a valued component of the conversation. That’s what can make collaboration in the digital age a challenge. When we have conversations in the digital age (remotely) we often lose the body language component. This is demonstrated well with video conferencing. We all accept, and even advocate for, the benefits of video conferencing and we use this technology because it is better collaboration than a phone conference and more economical than an airline ticket. But it is not the equivalent to a face-to-face encounter. We compromise the best communication practices for the instant benefit of a digital conference room; it is a good trade in most cases. Anytime we introduce technology to replace human or personal communication we usually gain speed and perhaps accuracy but at a cost, and that cost is the ingredient that is conveyed via body language.
Most people do not realize that when a person’s function is replaced with a machine we lose body language. When we interact with equipment, we engage in the dynamics of a conversation. It may be a one-way or mostly one-sided conversation, but still, it’s a conversation, one in which information is transferred. The important thing to remember is that the equipment lacks the communicative nuance that a person would bring to the conversation—something can be missing, and we need to at least be conscious of that.
When a person is on-site he is hearing with more than just what a stick measures. That’s easily forgotten as we move toward greater and greater automation and remote monitoring.
When I was first working in the oil and gas industry I toured a basic well site outside of Abilene. The person giving the tour emphasized all the information that the person who maintains the well ingests when he is on-site every day. It was so much more than just levels. He inspected the line, checked the levels and pressures, listened to the sound of the equipment. He absorbs and processes the health of the site with all of his senses. That is difficult to duplicate with a machine. However, a machine can monitor and report 24/7/365 in greater detail and can monitor specific critical points often better than a person can even when that person is on-site.
When we introduce technology we must deal with the fact that we cannot act behaviorally as if we are meeting in person or engaging with the human element. This is true in the digital oilfield as well. We must adapt our processes to integrate the immediate, accurate, specific information that is available to us using digital methods while we don’t compromise the valuable information that a person can gather and receive instinctively.
Technology is able to deliver information faster and smarter, in greater depth, and with greater accuracy, every day from anywhere on the planet. The planet is indeed shrinking and the most successful companies will be the ones who are able to marry the benefits of technology with the tried and true methods of personal communications and apply the two to the digital oil field.
—Lance Tolar
The Evolution of Threats
How concerned should oil and gas companies be about their information technology and its security? It’s a question we put to Brian Engle, chief information security officer for the State of Texas.
Engle answered by pointing to the steady evolution that we’ve seen, not just in oil companies’ increasing technological sophistication, but in the evolutionary track followed by a company’s potential nemesis, the “actor” that might someday attack.
And that word, incidentally, is a word that people in our industry need to become better acquainted with: “actor.” That’s the language of cyber security, and the sooner our industry tunes it in, the better. For more on threats and “actors,” see the accompanying item on that topic.
“If we trace things back in time, we see that the threat—or at least our perception of the threats that we may be facing—well, those threats have been things like credit card data and other such things that were easily monetized. Things like identity data. And so manufacturing interests and companies in the oil and gas industry and other forms of heavy industry would sit back and say, ‘We just don’t deal with the consumer at that level. We’re not really at risk of having those kinds of threats or attacks.’ But now, what we absolutely are seeing now, is that there are threats that are trying to compete internationally with information that they can utilize to leapfrog over the advancements that we’ve made as a country. And that can include oil and gas resources.”
Engle suggested that it’s possible for some entity, foreign or domestic, to want to ‘leapfrog’ the developmental costs of years or decades of industry research and refinement, and to try to do that by means of corporate espionage or some other means. Corporate espionage often takes the form of cyber attacks.
Until recently, companies that looked around them for signs of corporate espionage looked mainly at their competitors at home. Increasingly, companies are looking at threat “actors” on a global scale.
“The realization is, is that those competitors are global,” Engle said. “And I don’t want to be painting a ‘fear tactic’ kind of scenario, but there are nation-state actors and countries that are putting resources behind this because their ability to compete on that level is significant for them.”
Engle asked, “Is an oil and gas company going to be able to muster the protection capabilities that are summoned by some of these more advanced threats? Threats that have been working their way towards being very good at what they do over a long period of time? The challenge of protecting any system is great, and then you have the fact that most of these multinational oil and gas companies are spread across the globe, so they have hundreds of systems to be on top of. And, too, there are organizations out there that have been formed largely through consolidations and mergers. They’re bits, parts, and pieces of networks that have been hooked together over the course of time. There’s a lot of surface area there to think about, as to how that needs to be protected and how it could be attacked. And so I think, then, that those risks become pretty serious.”
Engle said his office wants to make its resources and suggestions available to Texas companies that want to learn more. But meanwhile, he said, a good thing to do is just to get oneself involved in the conversation.
“Getting that conversation to occur more broadly—I think gets everyone to the realization that they could be doing more,” he said. “It would be a good thing if, internally, companies discussed these subjects at the C-Suite level and on down, and discussed it at a deep enough level to understand what the risks are, how they are being addressed, what the need areas are, and how the organization is devoting resources towards those need areas.
“One of the things that becomes a concern area is when, globally, organizations don’t tend to meet the needs of something, then a regulator comes in and sets the bar for what needs to be done. This happens in the form of various different compliance requirements. If you think of the world beyond cyber security, it’s Environmental Protection Agency-type things. It’s the question of where does a regulatory body come in and establish what it is that you need to do? When an organization only performs to the level of what that regulator has prescribed needs to be done, then there are risks that the agency or that the organizations are probably still going to be faced with and the activities that they would need to do would need to expand beyond that compliance requirement. Getting the discussion to the area of what are the things we’re facing as an organization, not just what an external regulator has told us we need to be doing, would get some of the issue areas covered better or at least understood internally. If you think about the process of enacting a law to prescribe what you need to do and how long that process takes, you’re really meeting the need of some yesterday past, not necessarily what’s happening today or tomorrow. Today and tomorrow are happening at an escalated rate in the world of technology. Things are changing so quickly that regulations and the process of bringing them out is just too lengthy for that to be the end-all, be-all of what you are doing.”
Anderson on Signals and Security
As we discussed in PBOG last month, one of the biggest issues in I.T. security today is security through the complete circuit of data transmission and communication. It’s not enough that a company have a “good firewall.” Firewalls can be compromised, and today the integrity of the data stream must be preserved through the entire path, from source to company server.
James “Skip” Anderson of Skycasters, based in Akron, Ohio, is a strong adherent to that truth. “I agree 100 percent,” he said. “And that’s why satellite signals are so effective. It’s virtually impossible to intercept a satellite signal. The signal itself, sent from, say, a remote site like an oil drilling site, is inherently encrypted. It’s transmitting our frequency up to the satellite dish in geostationary orbit to our transponder and then it comes down to our teleport in Akron, Ohio. At that point it can come straight into our data center, or it’s possible for a client to host their own equipment by bringing in a T1 line so that when the data comes in it is segregated immediately and it goes out on their specific line that they own. The client can put in a VPN device—a Virtual Private Network—to receive all their data. Bottom line, it goes back to their offices. In such cases, we [Skycasters] are a ‘junction,’ so to speak, but the client’s whole traffic is segregated. And it never goes into the public internet.”
Actors, Adversaries, and TTP
Security is paramount in the digital oilfield. Data security. Information technology security. Communications security. Most modern security programs are designed with adversaries in mind. They’re called “adversarial based programs,” and through these programs one identifies who one’s adversaries are.
Why start with that mindset? It’s all about understanding the nature of the threat itself. PBOG Magazine spoke with an expert at a major multi-national oil company—a source who asked not to be named, for security reasons—and this source told us that the mindset helps a company to anticipate and detect and prepare for the threat itself.
“When you find your adversaries you usually can then understand how they will attack you,” said the source, who is the chief information security officer at the company that employs him. “The methods they use are called TTPs. Tactics, Techniques, and Procedures [a military term]. If you understand how they’re going to try to do what they do, you have a good chance to defend yourself. You can put the defensive postures, the defensive controls, in place to prevent or detect the normal attack patterns that you will see from those actors.”
“We usually lump adversaries into four categories,” he said. “Corporate espionage, cyber terrorism, cyber criminals, and hacktivists. Inside of those categories there are specific actor sets—groups of individuals. Take corporate espionage, for example. Corporate espionage has actor sets that are based in China. The national military arm of China has a bunch of actor sets. Russia has actor sets. You go down the list of who in these nation states does corporate espionage, and those become your actor sets. Each actor has certain techniques that they use, certain procedures that they use, certain pieces of malware that they use, that are specific, in many cases, to them. This will help you identify and assign attribution.”
So what should oil companies be thinking about, given the fact that they are expanding their data collection all the time?
The source said the issue is less a matter of how much data one needs to protect than it is a question of other concerns. “That problem—of [quantity of data]—is more of a problem of availability and capacity, and less of a security problem. When generating wellhead data, we generally have to report numbers back in anyway, or we’ll share numbers with our partners. Those really don’t have a sensitivity to them. There’s not much of an impact should a breach occur.
“Cyber impact is adversarial based,” he said. “It’s somebody who wants to do something, and it has to have an impact on me. The two big impacts, when we talk about the oil and gas industry, are really, one, industrial control system failures, which leads to oil spills, and two, transaction security, since we do so much bidding and buying and selling of assets that are billions of dollars of assets. Those transactions must be secure. They must be confidential. Losing the confidentiality of those major transactions is another major sore point for oil and gas companies.”
Asked if he is hearing, from his contacts or through his channels, that oil and gas is being regarded increasingly as a matter of national security, the source offered this:
“It’s less national security, per se. More critical infrastructure. It’s not really a national security issue, although the NSA and CIA do get involved with intelligence from time to time. [But the real issues really fall] under the context or the guise of critical infrastructure.”