Big data brings insights but also cybersecurity exposure
By Linda Hsieh, Managing Editor
A critical theme that ran throughout our Critical Issues in Drilling and Completions Q&A’s in the last issue of DC was around data and how that’s taking center stage in the digital oilfield. That theme continues in this issue, where you can read about the latest evolution in intelligent coiled-tubing technologies. Even in this hard-hit segment of the market – down by a whopping 41% from 2014 to 2015, then by an additional 39% in the year that followed – companies are looking toward data as the next step for advancing efficiency and cost effectiveness.
However, while data is providing more real-time insight than ever into our operations, the industry still lacks comparable insights into our cybersecurity. In fact, it’s believed that nearly half of all attacks on operational technology (OT) systems are going undetected, said Judy Marks, CEO of Siemens USA. The company, which manufactures industrial control systems, sponsored a forum on 16 February in Houston highlighting cybersecurity challenges in the oil and gas industry.
“The industry can benefit from more information sharing, like other industries do,” Ms Marks urged in her opening remarks.
However, throughout the course of the panel sessions, it became clear that information sharing, in the context of cybersecurity for the oil and gas industry, is extraordinarily complex. “If we oversimplify it, it’s going to break down,” panelist Tyler Williams, Global Technology Leader for Shell, said.
Mr Williams suggested that companies should begin by harmonizing their language of risk, which is not commonly familiar to engineers. “People talk a lot about risks and threats interchangeably, and there’s no common foundation to understand what the threat landscape is like,” he said.
“You can throw around all the information about external threats or indicators of compromise, but if we don’t have the organization established internally to consume that information… it just becomes a noise situation.”
Beyond information sharing, however, industrywide initiatives are ongoing so that each and every company doesn’t have to tackle the daunting challenge of cybersecurity on their own.
Last year, the IADC Cybersecurity Subcommittee delivered landmark guidelines for assessing cybersecurity for drilling assets. These are the only guidance developed specifically for drilling operations.
Then, in January this year, IADC participated in a two-day meeting where the development of a Cybersecurity Framework Profile for MODUs was launched. The development is being done in collaboration with the US Coast Guard (USCG) and the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE), as well as the API and other industry organizations. The profile is being designed to assist MODU operators in using NIST’s voluntary 2014 guidelines, “Framework for Improving Critical Infrastructure Cybersecurity.”
“We’re looking at what our missions and objectives are as an industry,” Julie Snyder, NCCoE Project Engineer, explained at the cybersecurity forum on 16 February. “How can we get our cyber house in order so that you’re not just protecting your own house … but lifting up the whole neighborhood to be marching in lock step with a reasonable baseline of cybersecurity practices?”
The MODU profile is modeled after a profile for maritime bulk liquid transfers, released in November 2016. “Now we’re turning to offshore operations, starting with mobile offshore drilling but looking at broader offshore, as well,” Ms Snyder said. “It will help to minimize the industry effort.” DC
Click here to review draft v1.1 of the NIST cybersecurity framework.
Click here to purchase the IADC cybersecurity guidelines eBook.