Understanding risk is essential to building effective cybersecurity systems
By Stephen Whitfield, Associate Editor
Digitization and automation have become key focal points for drillers looking to optimize their rig performance, and implementing the right systems to adapt to the digital age has become a necessity. To enable a complete digital ecosystem, connectivity between the wellsite and the back office will be required, where everyone is receiving downhole data at the same time to enable faster planning and execution of any drilling campaign.
In this ecosystem, it is essential for companies to ensure the security of their data, but executing the right protocol requires an understanding of what cybersecurity risk is and how to manage it, said Alex Philips, CIO of National Oilwell Varco (NOV). Speaking at the virtually held 2020 IADC Cybersecurity for Drilling Assets Conference on 3 September, Mr Philips noted a “general awareness gap” within the industry on cybersecurity risk versus the physical risk that people and equipment face at the rig site. Overcoming that gap is a significant hurdle that companies must cross.
“We’re really good at understanding physical risk,” he said. “We put up locks, and we put up bars. We can see it. But in the digital security space, you can’t really see that risk. Not only can you not see it, but most people don’t really understand it. They don’t know if someone’s watching them through their webcam right now, or if somebody is on their computer stealing data.”
Mr Philips described data management as a four-step process: gathering the data so companies can see what’s happening in their wells; diagnosing what they see with the data; predicting what will happen based on what they see in their data; and using those predictions to prescribe the right actions for generating an optimal outcome.
Being prescriptive with data – such as through the use of process automation software – allows companies to drive out inefficiencies and create more predictability in the drilling process. However, it’s important to remember that introducing new software into a digital ecosystem will also introduce new risks, and Mr Philips emphasized that it’s essential to not only identify potential threats but also act upon them, even if the threat is not imminent. The challenge is that taking action on a non-imminent threat may lead to operational delays.
“We can know about a vulnerability in the system, but the operations team is going to ask only if it’s impacting operations right now. If not, we wait,” he said. “The operational mindset that nothing stops and we have to keep moving forward is a challenge we all face. There is no such thing as ‘perfect protection.’ When you think about it from a company standpoint, you need to build a sustainable program that balances the need to protect versus the need to run your business.”
Legacy systems can also act as an obstacle to effective cybersecurity. Companies often use operating systems for longer than advised, Mr Philips noted, even beyond the end-of-life timeframe where developers cease to offer technical support. This means that building effective security into these legacy operating system is difficult, if not impossible. He urged companies to invest in regularly updating their systems so that they can be best equipped to handle emerging cyberthreats.
“Everything’s connected, and implementing security is not free,” Mr Philips said. “If you talk to the enterprise side of your company, you’ll find that they spend millions of dollars every year on their security. To make cybersecurity a reality in the operational technology (OT) space, it’s going to take some money to make the necessary upgrades.”
Some of that investment should go into hiring and training the right personnel, he noted. Rather than solely focusing on a select group of IT professionals to handle every element of protocol, companies should try to establish cybersecurity knowledge at all levels of their operations.
“It takes a level of cybersecurity expertise throughout the organization and throughout the supply chain to ensure that you have proper cybersecurity,” Mr Philips said. “The engineers in our company who design our products need to do so in a secure manner, and we need to make sure that our products are integrated into drillships and other vendor solutions in a secure manner. Even the service hands who are out working on this equipment need to understand cybersecurity.”
Resources are available to the industry to provide a roadmap for developing effective cybersecurity. On 23 July, the US National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) issued an alert that outlined immediate actions for reducing exposure across operational technologies and control systems. This alert provided steps for building a “resilience plan” and hardening networks, as well as guidelines for understanding and evaluating cyber-risk on OT assets. Another available tool is the ATT&CK framework, developed by the MITRE organization in 2013. It can be used to develop specific threat models and methodologies for internet connectivity systems.
Mr Philips said these resources, and others, can help companies move away from a reactive cybersecurity approach and toward a proactive approach. “You can’t assess and protect until you can detect,” he said. “It’s a lifecycle that’s critically important.”
IADC guidance documents, through its Cybersecurity Committee, have developed for two industry-specific use-cases to help its members address cybersecurity. The IADC Guidelines for Assessing and Managing Cybersecurity Risk to Drilling Assets and the IADC Guidelines for Baseline Cybersecurity for Drilling Assets have been made available at the IADC Store.