Brier & Thorn Brief IT Risk Management: Securing the Digital Oil & Gas Company
Securing Your
IDEAS
TM 1
Alissa Knight is the Group Managing Partner with Brier & Thorn, Inc. and the Managing Director of Brier & Thorn Germany, GmbH in Stuttgart, Germany. Among other industry recognized certifications, Alissa Knight is also a certified SCADA Security Architect. Copyright Š 2016 Brier & Thorn, Inc. All Rights Reserved.
2
3
As most oil and gas companies are closely focused on preserving margins to weather the low-price storm, many are also looking ahead and thinking about how digital transformation will transform their company for cost savings, enhance the value chain, and increase production, and even fewer still are considering the IT security issues posed by that digital transformation.
“As attacks on Internet of Things “IoT” devices continues to pervade in other sectors, Oil and Gas would be wise to consider how these vulnerabilities and threats affect the new digital oil field.” –Alissa Knight Few are thinking about the information security requirements around all of this new data that will be generated for analysis or newly connected industrial control systems that were previously isolated with no connectivity. The drop in crude oil and natural gas prices has encouraged oil and gas companies to tap digital technologies to increase production, improve margins and drive cost reduction. Unlike other industries that are enjoying a sudden embrace of analytic benefits, energy companies have long depended on rich pools of data to discover and better understand the potential in their reservoirs and other production opportunities.
Even so, most have yet to understand cloud technologies and virtualization as well as how IT risk management fits into the overall digital oilfield landscape. As attacks on Internet of Things “IoT” devices continues to pervade in other sectors, Oil and Gas would be wise to consider how these vulnerabilities and threats affect the digital oil field. The return on investment of digital transformation for the oil and gas company is expansive. From new analytics platforms of big data for exploration companies promising 3-5% more oil; a field service industry standing to save $1 Billion annually by 2017 by using smart glasses to diagnose and fix problems; and drones and smart robots being used to perform what was once hazardous tasks for humans, such as pipeline and flare stack inspections; the return on investment in digital transformation is without contestation. Cisco estimates companies could see 11% earnings growth across the value chain, with most of the cost savings upstream. Several oil and gas companies have already managed to save about 10% on unit costs by digitizing a remote offshore operations center. Another reduced operating costs per barrel by about 10% and improved recoverability of reserves by applying selective applications in intelligent oilfields through collective computing and sharing real-time information at all company levels (Bertocco & de Graauw, 2016, p. 01).
4
The perceived value here is simply too high to ignore. The cost savings and increased production around digital transformation will continue as oil and gas begins to transform their assets and realize these savings. While Risk Management around health and safety has been covered extensively in the upstream and midstream oil and gas sectors, IT risk management has fallen behind the chief concerns of the IT department to understand exactly what to adopt as they transition to digital and most importantly, where and how to synthesize so much raw data. For oil and gas companies today, streamlining, integrating and analyzing the information flowing in from exploration and production activities is increasingly the key to optimizing production, improving productivity and speeding up turnaround. So the question of a digital oilfield is not if, but when, and when is now. Track and trace technologies, smart robots, and drones are starting to take the dangerous jobs in semipermissive areas that humans used to do, such as pipeline and flare stack inspections; Remote Operating Centers are beginning to fuse Operations Technology (OT) data with Information Technology; and virtual or digital representation of oil assets created with 3D scanning has enhanced maintenance of upstream and downstream assets. 3D printers are even being used to immediately create and implement broken parts in antiquated oil assets. While several frameworks have been developed in the United States by NIST in securing Industrial Control Systems (ICS), as
well as other frameworks, it does not address the security of the digital assets being brought into the oilfield. In summary, what were once isolated ICS, which includes supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations, such as skidmounted programmable logic controllers (PLC) that had no connectivity with network devices are now being replaced by digital devices that speak Internet Protocol (IP) and are now being opened up as fair game to technology that historically has had no security implemented into it as part of the design. Initially, ICS had little resemblance to traditional information technology (IT) systems in that ICS were isolated systems running proprietary control protocols using specialized hardware and software. Widely available, low-cost Internet Protocol (IP) devices are now replacing proprietary solutions, which increases the possibility of cyber security vulnerabilities and incidents.
The IT Risk Management Challenge to Going Digital The paramount, most important factor to a winning digital strategy in Oil and Gas is people. Upgraded capabilities or lack there of is the most common theme with unsuccessful digital transformations. As in every other organization, people are also the weakest link in security. 5
Securing the human is far more complex than securing IP as other sectors and industries will attest.
Vulnerabilities published affecting SCADA /DCS Industrial Control Systems by Year (source: scadahacker.com)
While digital transformation in oil and gas has its own challenges, we’ll cover the most common attack surfaces and concerns to confidentiality, integrity, and availability of that data in the digital oil field. Oil and gas companies should carefully and strategically plan through these IT risks as they develop their long-term, multiyear digital strategy. • Big Data. According to Cisco, a single offshore platform can generate 1–2 terabytes of data per day, but current satellite network bandwidth is extremely limited due to transfer speeds around 2 Mbps, making it impossible for subsurface and operations teams on the mainland to keep up with data in real time. That much data will get synthesized and stored offline while being analyzed and reported on in real-time. This makes a very attractive target where exploration data can be worth millions to a competitor, data loss prevention (DLP) and other technologies to monitor and secure access to it is a critical component of any E&P company’s information security management system (ISMS).
“While Risk Management around health and safety has been covered extensively in the upstream and midstream sectors, IT risk management has fallen behind the chief concerns of the IT department to understand how exactly to go about digital transformation with oil & gas assets.” –Alissa Knight
• OT and IT data connectivity. Oil and Gas companies are beginning to adopt a scheduling visualization system that routes time-sensitive, critical data to line management’s scheduling decisions. Availability and integrity of this data can be negatively impacted by denial of service or targeted attacks seeking to not just exfiltration that data, but also modify it. • Capacity Building in Digital. People are a necessary component of a winning digital strategy. As executives assess their team’s current capabilities and develop capacity building plans to manage change and improve technical acumen around IoT, virtualization, and cloud technologies in the adoption of augmented-reality interfaces or exchanging data and communicating in real-time with experts to evaluate corrosion issues on a pipeline, information security and IT risk should be a necessary component in that professional development, going beyond just connectivity, but also security.
6
At a time when oil and gas prices are contracting, thus restricting investment capacity, digital transformation is an area of the oil and gas business that has been decreasing in costs and tools rapidly improving. As oil and gas companies quickly move to develop strategic plans around their digital transformation journeys to gain continued competitive advantage over the next 3-5 years, they will surely take much broader steps backwards as a result of a breach because IT security was not part of that strategic plan.
adopted to properly secure it before it addresses changes to its operating model.
In an effort to not try and repeat our sins of the fathers from previous digital transformations in other industries such as retail, oil and gas should instead attempt to ensure that they fully understand the widening attack surface as their oilfield becomes digital and given IP addresses for connectivity as well as the potential consequences created along with all of this new big data that can be quickly and easily monetized in underground economies. All digital transformation plans in oil and gas should include initiatives that offer riskmanaged short-term gains that further propels capabilities to develop long-term competitive advantage. But perhaps most importantly, they should include details on what new information is created, how that information should be classified according to an enterprise-wide data classification policy, thereby driving the protection mechanisms around how that information is eventually transmitted, processed, and stored according to existing and any new security controls that must be 7
Brier & Thorn is the IT risk advisory and managed security services firm that the oil and gas industry‘s business leaders come to when they want risk managed change. Brier & Thorn helps clients build value by taking a critical thinking approach to managing IT risk. This approach helps our clients focus on their areas of increased risk, bridge silos to effectively manage risk across organizational boundaries and seek not only risk mitigation, but also pursue intelligent risk taking as a means to value creation. Brier & Thorn is a global IT risk management firm, supporting companies in their important strategic decisions on operational security, IT risk management, and managed security services in their enterprise and products – cross-industry and cross-border. Together with its clients, Brier & Thorn works towards achieving clear competitive advantages and upgrading enterprise value over the long term. Since our founding in 2010, we have been measuring our success by only one yard stick, the results of our work. We advise global leaders on their most critical IT risk management issues and opportunities across all industries and geographies. Our unique approach to traditional IT security in penetration testing, incident response and forensics, risk assessments and audits, ISMS program development, and managed security services, helps clients measure and manage risk and overcome the odds to realize results. Contact Us
8
References Bertocco, R., & de Graauw, L. (2016). Technology, Strategy & People: Becoming a Digital Oil & Gas Company [White paper]. Retrieved June 06, 2016, from http://bain.com/Images/BAIN%20_BRIEF_Becoming_a_Digital_Oil_and_Gas_Company.pdf) National Institute of Standards and Technology. (2011). NIST SP 800-63: Guide to Industrial Control Systems Security. Retrieved on June 06, 2016, from http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
9