Perspectives: Siv Hilde Houmb, Secure-NOK: Fortify cybersecurity to avoid downtime
By Alex Endress, Editorial Coordinator
Growing up on a dairy farm in Norway outside of Lillehammer, Dr Siv Hilde Houmb learned how to ski at an early age and dreamed of competing in the Olympics. When a torn knee ligament sidelined her skiing career in 1993, Dr Houmb initially opted to forge a career in sports science and sports biomechanics. However, during her studies at Telemark University College and the Norwegian University of Sports and Physical Education from 1993-1994, she found herself increasingly fascinated by something entirely different – computers. “A computer is logically built. It is made by people, which means it has a finite defined state that it can work in, so you can learn everything about the computer. You can master it,” Dr Houmb said.
She ended up transferring to Ostfold University College in 1994 to study computer science. While still in school, she started working in the IT department for Norwegian telecommunications company Telenor. It was there that she gained her first experience with cybersecurity, when the “ILOVEYOU” virus hit companies around the world, including Telenor, in May 2000. The virus arrived as an email attachment and tricked users into opening the malware. “Social engineering is the main way for hackers to compromise systems. The coding is just a small part of it,” Dr Houmb said. The virus overwrote files and automatically sent itself to more contacts within the user’s address book. “No one was prepared for this type of thing.”
The virus resulted in an estimated $7 billion in damage worldwide, according to Dr Houmb. At Telenor, a security and mobility group was created to search for and fortify weaknesses in the company’s computer systems. In particular, Dr Houmb participated on the group’s “Tiger Team” – white hat hackers tasked with attacking new digital services being developed by Telenor. The goal was to mimic malicious, outside hackers and try to figure out what they might target, then find ways to protect those assets.
Dr Houmb stayed with Telenor until 2010, during which time she also earned a master’s degree and a Ph.D. in computer science – the former from Ostfold University College and the latter from the Norwegian University of Science and Technology. It was also during this time that she became involved with the European Telecommunications Standards Institute, helping the organization to write cybersecurity standards. “In the beginning of cybersecurity development, there was no formal methodology to follow,” Dr Houmb said. “I ended up focusing on quantifying risk and how it makes financial sense to implement certain security solutions based on what companies need. That’s what I believe is the first step in cybersecurity.”
In 2010, she founded Secure-NOK after seeing the damage done by the computer worm Stuxnet. It hit Iranian nuclear facilities, causing centrifuges that enrich uranium to fail. “Cybersecurity was not yet of any interest in the operational technology space,” Dr Houmb recalled, noting that Stuxnet also got the attention of oil and gas companies. “They had started looking into it, but it was not until Stuxnet that people actually realized it was a problem.” Most modern rigs have very simple network connections and are not hard for hackers to infect with malware, she said. “My colleagues and I also saw that these systems are very vulnerable. It’s not rocket science to hack into or take down a rig.”
At Secure-NOK, for which Dr Houmb serves as Chief Technology Officer, the focus is on protecting rig control systems from cyber attacks. In January, the company launched a control system monitoring software called SNOK. It can be installed on rig control systems to monitor for and block malware like Stuxnet. “You could call it the control system version of an antivirus software,” she said.
Dr Houmb currently serves as Chairwoman of the IADC Cybersecurity Subcommittee. Earlier this year, the group released the “IADC Guidelines for Assessing and Managing Cybersecurity Risks to Drilling Assets,” which she called the first big step for drilling contractors in improving cybersecurity. These guidelines focus on risk assessments, which are critical because they allow drilling contractors to understand their true asset risks and account for them. “After you assess your rig’s cyber risks, you can figure out what you really need to do to become more secure from a technical point of view.”
The next step after risk assessments will be network segmentation, a process of separating critical operational equipment and control systems from open network connections, such as those linked to personal devices. It also includes the removal of outdated software. “That’s the low-hanging fruit. By removing accounts and software you don’t need, you get down to the bare minimum that you need to operate.”
This should be followed by cybersecurity training, where employees would be given basic rules, such as not plugging personal devices into rig control systems. “I call it cyber hygiene. The industry needs to be better trained in this area to know that you can’t just hook your computer up to anything on the rig because it may have brought old viruses onboard,” she said. Training would also include rules to help employees avoid being fooled by social engineering attempts.
Over the coming year, the Cybersecurity Subcommittee will release additional guidelines on network segmentation and training. They should be able to help companies avoid downtime caused by malware. “These are the small steps you can take to reduce all the hassle in dealing with a virus.”
SNOK is a registered trademark of Secure-NOK.