Cyberattacks present a nebulous and changing threat to oil and gas operations, and implementing the protocols needed to handle these threats is a process that may feature several hurdles. Companies are clearing some of the hurdles, but a trio of industry executives said other hurdles require changes in thinking at several levels, particularly in balancing the needs of information technology (IT) and operational technology (OT) infrastructures.
At a panel discussion held during the event “The Future of Cyber Security: Spotlight on Oil and Gas,” hosted by Bloomberg and Siemens, Ken Braud, Archana Deskus, and Mark Maddox spoke about the challenges operators and service companies face in understanding cybersecurity threats. Braud is senior vice president and chief information officer (CIO) at Halliburton, Deskus is vice president and CIO at Baker Hughes, and Maddox is vice president and CIO at Apache.
Deskus said that, in her time at Baker Hughes, the predominant shift in cybersecurity has been from an industrial/digital perspective, where the focus was on traditional IT security such as network servers, to a focus on OT, which includes the monitoring technology placed in drilling and processing tools, along with other remote operational activities. She said that, while the industry has progressed in developing secure IT infrastructures, operator preferences for expedience and speed on-site prevent them from implementing some of the processes needed to develop secure OT infrastructures.
“A lot of the thinking in our industry is ‘just get it done.’ You’re out in the field, or even on manufacturing locations, and it’s more about functionality, it’s about getting that automation. These aren’t the folks that are thinking about the risks that may be introduced into the organization, and so part of it is raising that awareness, why it’s important.”
To this end, last year Baker Hughes moved its inventive software, technical software, and remote operations out of its product lines and into its IT organization. Deskus called the move a “big leap of faith” that may bring its own set of challenges but may help keep the IT and OT operations more closely aligned.
Braud said bridging the gap between IT and OT has required Halliburton’s upper-level management to insert itself into the technology development acquisition process, developing security strategies for its operational technology deployment while putting in place phase gates for architectural reviews and security reviews.
“I think it’s easy to get into the position where you’re playing whack-a-mole, where you’re just reacting, but if you’ve got a strategy where you’re engaged with the top levels, which I believe we do, we now see security as something that could be a differentiator instead of an obstacle,” Braud said.
Effective cybersecurity efforts require data from the well, and issues of liability for service companies handling that data are still being worked out within the industry. Braud said Halliburton certifies the integrity of its data with operators and service companies, and he expects this practice to become an industry standard in the future.
Deskus said Baker Hughes looks at every contract differently, and liability considerations are based on how an operator wishes to protect its data. However, this has not created a more open environment with regard to data sharing. Deskus said operators are demanding, among other things, more rights to audits and stronger liability clauses in their contracts, and sometimes they will negotiate such specifics as the data processing center they wish to work with. Any push for open sourcing would then have to come from the technology providers, who could potentially develop more effective security software with greater access.
“I think the partnerships with some of the technology players, that’s where it comes in,” Deskus said. “That’s where we see a big push, for the technology players trying to negotiate and saying, hey, we understand the requirements but could you anonymize that data? Could you aggregate it? We could still get to the desired improvements without getting down to very specific, detailed data. Those are some of the conversations that have to take place.”
Maddox said Apache, and most other operating companies, would draw the line at sharing geological information for any cybersecurity purpose. He said there was a difference between sharing drilling data and sharing general cyberthreat information and that, to an extent, companies are already alerting each other to potential cyberattacks without divulging specifics about their operations.
“We have to disclose information under the regulatory bodies that we operate, but we are competitors,” Maddox said. “As much as we collaborate with our peers, and I do with my fellow colleagues, around what we’re doing, I don’t think you’re going to see open sourcing of drilling data.”
Archana Deskus serves as an officer of SPE's Digital Energy Technical Section (DETS). With more than 1,300 members worldwide, DETS focuses on topics such as cybersecurity, IT/OT, and information management in the oil and gas industry. Activities and programs the technical section has implemented include developing training curricula in digital oilfield and related topics, drafting and submitting technical papers to relevant conferences, engaging top IT/OT-cybersecurity experts to present virtual webinars, granting interviews for JPT and other publications, developing best-practice documents for industry use, and contributing to cybersecurity and IT/OT-related publications.