2026, Drilling Rigs & Automation, January/February

Robert Roell, Valaris: Industry can benefit from standardized cybersecurity risk assessment

By Stephen Whitfield, Senior Editor

As Co-Chair of the IADC Cybersecurity Committee, Robert Roell is helping to develop a standardized cybersecurity assessment list for the industry. Such lists currently vary significantly from operator to operator, which can make compliance very time consuming for drilling contractors. A standardized assessment checklist could streamline the process and improve overall safety, he said. A draft list is expected to be completed this year.

For Robert Roell, the world of operational technology (OT) cybersecurity represented a holy grail. Now an OT Cyber Security Analyst at Valaris, he has been into computers and technology since childhood. He recalls playing around on his father’s DOS machine as a kid in Louisiana and being fascinated with the concept of “one machine talking to another machine.”

However, OT isn’t just about computers. In drilling, it involves components that manage critical systems like the top drives, the mud pumps and the drawworks. A coding error or an unchecked threat could have a catastrophic impact.

“OT is a very different world,” Mr Roell said. “Anything that isn’t supposed to touch that network becomes a potential risk the moment it does. A driller might bring in a personal hard drive to move family photos, unaware that it carries ransomware. Once that reaches our systems onboard, you could have a disaster. Those are the scenarios that keep you up at night.”

As a cybersecurity analyst, much of Mr Roell’s job involves understanding the threats to an OT ecosystem, like ransomware attacks from malicious actors, or careless behavior from someone on the rig. However, one of the bigger challenges he has faced since assuming his current role in 2022 has been simply handling the operating conditions of OT systems.

Because OT devices manage equipment that may be exposed to extreme conditions – high temperatures and pressures, high voltages – their design has always prioritized personal safety and process reliability over data security. OT systems typically have a much longer service life than IT devices, so their hardware and software may be upgraded and patched less frequently.

Historically, cybersecurity of OT assets involved segregating them from IT systems and the internet in order to prevent malicious access. But now, with operators and drillers working in an increasingly digitized landscape, these systems are nearly always connected to an IT network, or directly to the internet. This increases their susceptibility to cyber threats.

“The biggest learning curve in OT cybersecurity is figuring out how to make modern technology work alongside legacy systems,” Mr Roell said. “I must ensure that any protocols we implement don’t interfere with our equipment’s ability to meet operational demands. At the same time, we need to make sure devices can connect safely, which means having the strongest defenses possible. With some of the legacy systems in oil and gas, that challenge can be significant.”

Mr Roell sees AI as a key enabler in bolstering network security without engaging in extensive upgrades to legacy OT systems.

“It can be very expensive and time consuming to change out legacy systems – in some instances, you’re talking about a year of downtime to upgrade an entire system and make sure that new system goes through all the required tests,” he explained. “We need our vendors to provide technologies that are not only effective at helping us spot threats and keeping our systems safe but are also cost effective and time effective.”

Mr Roell took over as Co-Chair of the IADC Cybersecurity Committee in 2023, alongside Darren Ruhr of Precision Drilling. Since then, the committee has undertaken a major initiative to develop a standardized cybersecurity risk assessment checklist. IADC member companies typically manage cybersecurity risk at an enterprise level, deploying companywide cybersecurity programs that conform to their internal policies, as well as external standards.

Operators usually provide risk assessment checklists to drilling contractors prior to the start of a campaign to ensure conformance to the operator’s cybersecurity programs, but these checklists can vary wildly in terms of the types of questions being asked. For instance, operators might prioritize different types of high-level controls in an assessment – one assessment might focus on the segregation of industrial control systems, another might focus more on training and security awareness.

Over the past two years, IADC has worked alongside the American Petroleum Institute and various multinational operators to establish a set list of controls for member companies to provide.

“The idea here is to get everyone to agree on a set cybersecurity assessment list, so that every driller can go by it and every operator knows what to expect,” Mr Roell explained. “Not only do I think that will save us so much time, but it will also help us be safer.”

A final draft of the assessment checklist should be ready early this year, he said. DC

Click here to learn more about the IADC Cybersecurity Committee.

 
