From cyber attacks to internal security breaches, cybersecurity is an issue in oil and gas that has deservedly come to the forefront. Rigzone even identified cybersecurity as having the potential for significant job growth in coming years.
Industry leaders convened Feb. 16 to discuss the future of cybersecurity in the oil and gas industry at a breakfast hosted by Bloomberg.
An increased need for connectivity is common among the industry now, but while there are benefits from connectivity, you also get a lot of risks, Major General Brett T. Williams (Ret.), president of operations and training for IronNet Cybersecurity, said during the breakfast.
“Boards and CEOs need to take [cybersecurity] on as a strategic business issue. It’s no longer just an IT issue,” he said.
Advances in technology and smarter devices – particularly in the oilfield – have made data more readily available. This means networks have to be secured and a myriad of other steps need to happen to keep information safe.
The industry is paying attention.
“As we look at productivity and sufficient solutions, especially for our customers, the whole digitization and operational technology piece has really become a much more significant concern in the last year or two … and we’re not well prepared for that. A lot of the thinking in our industry is ‘just get it done,’” said Archana Deskus, vice president and CIO of Baker Hughes.
Deskus said knowledge and awareness – making people more educated – about cybersecurity is key.
It “breaks down some of those barriers about why it’s important. It’s about protecting the entire business, not just one component,” she said.
Mark Maddox, vice president and CIO for Apache Corp., said he doesn’t look at the issue as a cybersecurity challenge, rather an information security challenge.
“What we’re really protecting is our data. It’s not just the hacker and the attacks, it’s the internal side. It’s the people side. It’s the accidental issues,” Maddox said.
Workers have to be able to secure and access the data provided because of its importance for company operations.
“Through the relationships, and in some cases, just the fear that it generates, everybody is very cooperative and collaborative – something that over the last two years didn’t exist, not because they didn’t want to be, but because they were too busy,” he said. “We were too busy to be secure in some cases. We were too busy to be good … because it was just about growth and expansion and speed. Now people are starting to realize that taking a little extra time to do things securely is better. Not everybody’s there yet, but people are getting closer.”
Taking cues from industries such as the financial services sector, considered by some as the poster child for cybersecurity, Deskus said it’s good to determine how to bring that vein of thinking into the oil and gas industry.
And while the industry transitions into that way of thinking, it’s people that keeps oil and gas leaders up at night in regards to security challenges.
“It’s people and people’s behaviors. The reason why I would pick that above everything else is because you can put the best controls in place and have the best framework and feel pretty confident, but it only takes one action – either intentional or not – to just kick off that domino effect,” Deskus said.
Maddox shared a similar sentiment, likening it to someone breaking into your home.
“If somebody wants in your house, they’re going to get into your house. There may be barriers in place – people with guns, for example – but the real fear is that your teenage son opens the door and lets [the burglar] in. He turns the alarm off because he’s convinced it’s safe,” Maddox said. “As we continue to bring forth [newer, better] technologies, extraordinarily talented and smart people are not all technology people. So things that seem normal to people can pose extreme risks.”