The case against keeping it in-house

from World Pipelines February 2022

Understanding complex anomalies

Vicki Knott, CEO and Co-Founder of CruxOCM, Canada, considers pipeline cybersecurity in 2022 and argues that promoting your IT head to ‘CSO’ is a recipe for disaster.

How are cybersecurity, control systems, and digital transformation related? Spoiler alert – they are the only way our industry will make it into the future and they require innovation. Times, they are a-changing. Let’s start with the ultra hot topic: cybersecurity. I will say this upfront and repeat it over and over again: please do not promote your 20+ year IT veteran employee to Chief Security Officer (CSO). Think about it from this perspective – how much have cell phones changed in the last 20 years? Do you think the same engineers that built the 1990s old school car phone built the iPhone? It’s unlikely. So, why are we expecting our engineers and IT professionals that have epic amounts of organisational-specific business acumen to also learn how to build cybersecurity capabilities that evolve at an unprecedented pace every year? Doesn’t it make more sense for them to keep the core business running and pass down critical operational knowledge to new team members? Based on what I have seen in the industry, promoting internal folks to unrealistic roles is far too common. Not only are we setting up tenured, loyal employees to fail, but we are also hurting the business’s bottom line by wasting time and money implementing non-optimal solutions. As an industry, when we set employees up to fail, we unknowingly contribute to a culture of risk aversion. Risk aversion is important in our industry, but not to the point where employees cannot discern between business risk and safety risk – a line I see people in the industry blurring more and more these days as the market plunges us all into a scarcity mindset. Risk adverse employees who have been set up to fail by leadership are then asked to be innovative? Doesn’t sound like a working recipe to me. Bottomline, it’s critical to hire the experts. Hire the firms that have a team of coders who set up honey pots to lure in the hackers and learn their behaviours. They exist, we just have to look beyond the walls of our pipeline organisations. And I’ll repeat, this is not something your in-house team can learn.

Control systems What seemed far fetched and down right questionable 30 years ago is now very much an operational norm. I had a control room operations lead look at me once

and say, verbatim, “five years ago I would have told you to leave and kicked you on your way out the door – now, we’re in need of automation. These kids treat SCADA (Supervisory Control and Data Acquisition) like a video game. They just don’t have the same field knowledge us old guys have”. Our industry has changed dramatically in the last 30 years, and it’s evolved even faster in the last five.

Centralised SCADA systems are a must for current pipeline operations. Another fun way to think about them is the operating system for your pipeline. One of the current weaknesses of these systems is the inability to push frequent updates (think your phone again). For cybersecurity reasons, on-prem SCADA systems make sense. With the rise of virtual commissioning via VPN tunnels, there is no reason that updates to the pipeline operating system (aka SCADA) cannot be pushed more frequently. One of the reasons they are not is because of the way our industry is used to purchasing SCADA systems, which has historically been through perpetual licenses. Procurement teams are so used to this model that when they see a subscription pricing model they push back, ignoring the fact that the software world has moved to SaaS (subscription) pricing because it includes updates and maintenance. Gone are the days of perpetual followed by egregious bills for custom consulting. It’s in the best interest of the pipeline company and the software provider to keep software up-to-date. For pipeline companies this ensures that the software they have paid for is constantly providing value. This keeps software providers accountable. It also enables a reliable revenue stream for software providers to fuel growth in order to build new solutions the industry needs. Software subscription pricing models for pipeline control systems are a pure win-win. Trust me, I have been on both sides.

Allowing our amazing SCADA providers to transition to a subscription pricing model and allowing updates via VPN are two very low touch ways to ensure your SCADA system is resilient and ready for at least the next five years. Adding a RIPA platform to automate your control room operations is a revenue generator, sure to take care of talent scarcity issues, ensure safety through automation and maximise volumetric throughput where needed. Might as well keep moving into the future with new control room automation software capabilities.

Digitalisation Digital transformation has been underway for what now – a decade? Not to beat a dead horse, but hoping you didn’t promote those internal folks to head of digital transformation as well. If you did, all is not lost, assuming of course you didn’t also then hire a massive cloud provider and imagine they will solve all of your problems that you didn’t know you had, with solutions you didn’t know you needed. Oh you did do that? I’m sorry. Ok, let’s start again.

Now is an excellent time to promote long-term employees to ‘Solution Lead(s)’, then ensure the company is not inadvertently promoting a scarcity mindset that’s contributing to business risk aversion (while innocently claiming that its safety risk aversion). The winning recipe? Domain expert Solution Leads with decades of industry experience having the autonomy to work with any new company/vendor they like to design the solutions the industry needs, all while unencumbering the companies they work with to enable them to scale and serve the industry as a whole.

Sounds like a pipeline utopia to me. Building software products in-house has never been successful in our industry and the push for digital transformation is not going to magically make them work. For example, I know of a large pipeline company that built its own SCADA system over a decade ago. They have since replaced it with an off-the-shelf SCADA system due, in part, to their inability to support it in-house over the long-term. Imagine the total bill of that internal effort over the duration that the homegrown system was in place. Another thing this particular company has done is kicked off an in-house innovation department. I have heard that it is struggling and not producing the results that were anticipated. For readers not familiar with the literature on why big companies fail to innovate, here is an article from Forbes, to which the opening statement is: “There are thousands of books, articles, briefings, blogs and tweets about why companies fail to innovate. They offer insights about why the usual – almost always successful – suspects fail to innovate. Which is the first clue. Why do successful companies fail, where start-ups succeed?”1 The book ‘The Innovator’s Dilemma’ is quoted in this article and I believe it should be mandatory reading for all executives in the pipeline industry today.2 Spoiler alert as to why big companies fail to innovate: “Research tells us that even when competition stares right in the face of successful companies, they still fail the innovation test. Worse, when there’s no competition they don’t even show up. So, what’s the innovation secret? If anything above is accurate, there’s only one way to innovate: disrupt the company, not the business model or key business processes that make all the money. More accurately, leave the company behind, and under no circumstances threaten the revenue streams that make everyone rich, and never touch the business model that fuels personal and professional wealth”.

It’s important that we share innovation and digitalisation failures with others in our industry so that we can all learn. We all hear these stories through the grapevine, but they are very rarely openly discussed in a forum like this. If anyone has any digitalisation and innovation stories they would like to share anonymously, please do send them to me on Linkedin or via email and I will incorporate them into future articles for the greater learning of the industry (completely anonymously, of course). Cybersecurity, control systems and digital transformation are all related by the need for innovation in the pipeline industry. As an industry, let’s embrace start-ups and discuss our failed in-house projects – they will ultimately provide the talent and ideas needed to push the industry forward for the better.

References

1. https://www.forbes.com/sites/steveandriole/2020/08/26/why-companiescannot-innovate--why-they-will-keep-failing--unless-they-end-runthemselves/?sh=23a6c2f75a52 2. CHRISTENSEN, Clayton, M., ‘The Innovator’s Dilemma: The Revolutionary Book that Will Change the Way You Do Business’, 2003.