This week’s first IADC Cybersecurity for Drilling Assets Conference examined the spectrum of issues and challenges facing the global drilling industry as it generates tremendous amounts of data that must be securely communicated between on-site systems as well as to remote centres of operation.
More than a lucky coincidence, the event, held in Houston, Texas, took place during the US National Cybersecurity Awareness Month (NCSAM), held every October. The goal of NCSAM is to facilitate a collaborative effort involving government and industry to raise awareness of cybersecurity issues.
Although an intangible for many – something everyone is aware of but not sure of the extent it affects their activities – cybersecurity protects assets and enables a culture of safety.
The two-day conference covered a full range of cybersecurity topics, from an examination of conditions that open the door to intruders, to a look at how networks can be designed to prevent security breaches while allowing crews to take advantage of web-based communications and entertainment.
Throughout the two days, presentations included a look at where the weakest security links can be found, most often on the human side of the equation. Ineffective passwords, including the often used “password” or “1234”, for example, render security measures ineffective. Likewise, the use of USB drives or personal computers infected with malicious software or one inadvertent click on a spear-phishing email can compromise a rig’s network. And most ominous, an intentional “insider” cyberattack by a disgruntled employee.
On the positive side, cybersecurity solutions for rig systems take advantage of state-of-the-art solutions, not only for the latest kit, but for legacy drilling assets as well. The challenge is to effectively apply available cybersecurity measures.
Planning makes perfect
From a practical perspective, security planning, including heightened awareness through training – think cyber hygiene – will go a long way towards building a strong cyberattack defence.
In part, the path to successful cybersecurity has been provided by a number of industry guidelines and standards, including those generated by the IADC itself.
Path to successful cybersecurity
One strong takeaway from the conference is that to succeed in implementing effective cybersecurity measures and developing strategies and guidelines, industry actors – companies as well as governmental and private organisations – must work together, sharing experiences with both what has and hasn’t worked to thwart cyberattacks.
On day two, a lively paned discussion took up the initiatives and policies that regulatory authorities are considering as well as those that are already being disseminated. The panel included representatives from Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC), an industry body which works with the oil and gas industry to facility cybersecurity information sharing, and the US Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA), which is tasked with protecting US critical infrastructure from physical and cyber threats. The panel’s overall message was that collaboration and communication about cyberattacks and defence is a sure means to strengthen cybersecurity effectiveness.
As with any thought-provoking conference, a number of issues were raised that warrant further discussion – both by presenters and delegates’ questions and comments – including topics such as data ownership, defining where liability for cybersecurity issues lie, as well as how new standards can be developed to keep pace with a nimble, ever-changing cyber threat.
Congratulations to the IADC conference program committee for a successful, thought provoking inaugural conference, one that deserves to become an annual event.