The U.S. digital economy has seen a triple-digit increase in cybersecurity threats. As energy leaders navigate mounting cybersecurity challenges, key concerns are top of mind including how to ensure business continuity, keep business data safe, and thwart rapidly growing attacks with shrinking IT budgets. OILWOMAN Magazine recently discussed these critical issues with W Energy Software’s manager of information security, Michelle Pellon, a voice of authority, who offers her valuable perspectives on cybersecurity in the oil and gas business.
Q: Can you tell us a little about how you got started in cybersecurity and your role at W Energy Software?
Even though I’m a native of Houston, I didn’t start out in the oil and gas business. In fact, I began my career as a programmer on the Human Genome Sequencing Project. My passion for security quickly shaped my career as I moved into a critical role working with federal law enforcement teams to fight child exploitation online.
At W Energy Software, I am responsible for directing the DevOps and Cybersecurity strategy, connecting corporate operational and security objectives to business initiatives. I am also passionate about sharing my message about evolving how people think about and approach security, privacy and trust through speaking engagements at various conferences and other events. When I’m not engaged in security research and advocacy, I am also an accomplished sailor with the Houston Yacht Club.
A recent report identified cybersecurity failures among the top mid-term global threats. Some security firms estimate that in 2021 corporate information technology teams faced 623 million ransomware attacks – a 105 percent year over year increase. Other staggering numbers include a 1,885 percent increase in attacks directed at the government, 755 percent for healthcare, 152 percent for education, and 21 percent for retail.
When it comes to our digital oil field ecosystem, there is a new world order. The organized crime of cyberattacks, especially from ransomware, is now big business and here to stay. But it’s not just oil and gas companies that are directly being targeted. Upstream and midstream rely on many types of software to run their business, creating supply chain vulnerabilities that can have a ripple effect on their customers. Each vendor must have the right strategy, processes and partnerships to always stand guard and rapidly respond to cybersecurity threats.
Q: What are the biggest cyber-threats out there and who is most at risk?
It’s not just large enterprises that are under assault. Small and medium-sized businesses are increasingly the target of more advanced, frequent and devastating cybercrime, yet only a small percent of these companies have the people, processes and technology in place to defend their organization.
Think before you open and click [on] e-mail. Most cyber-threats are coming from phishing and social engineering. There are also more targeted forms called spear-fishing that single you out versus a brute force spam approach, and whale-fishing that targets executive leadership. The digital oil field ecosystem is no exception. Despite being technology providers, most oil and gas software vendors are in the highly vulnerable small to medium-sized business category, many of which are demonstrably not interested in their own or their customers’ cybersecurity at a time when they should be laser focused on software supply chain security.
Q: Can you define software supply chain security in terms of the oil and gas business?
Think of analyzing software supply chain risks like the process of running title on a new oil and gas lease. Teams would never skip this important step because the title process is standard operating procedure for ensuring that ownership is correct, not just for the current mineral owners, but for every previous owner chaining it all the way back to sovereignty (the chain of title). Landmen and title attorneys do it to prevent defects and risks from creeping into leases and, in a way, software supply chain security works in a very similar fashion.
An oil and gas company’s software supply chain is defined by its primary pieces of software relied on to run business operations. Let’s assume 10. For upstream, this ranges from field data capture, allocations and production reporting to lease administration, GIS, division order and revenue disbursement. Midstream needs a raft of software, too, including gathering, transportation, gas processing, terminal management and marketing. And all energy businesses share a common need to manage core financials, regulatory and tax. Those discrete products might be provided by a multitude of vendors, each built with different technologies at different times and with varying levels of innovation. Understanding where your software supply chain vulnerabilities are isn’t a simple matter – if you can even call it simple. [You’re] analyzing 10 pieces of software and ensuring you are running on the latest version that is theoretically patched against known exploits. No, you need to understand the thousands of sub-components, open source libraries and databases your vendors have built their products on.
In today’s complex cyberspace and expanding digital oil field, software vendors who claim to provide secure solutions must also vouch for each and every piece of software they have used to build their products, a very long supply chain that most vendors can’t even begin to untangle.
Q: What are the risks for oil and gas companies that rely on older software that isn’t up to modern standards?
If chain of title is standard operating procedure for leasing land, then oil and gas teams need a standard procedure for licensing their software. A software bill of materials (SBOM) is just that, a transparent and documented record of third-party components, licenses, copyrights and security references. So, the next time you think about your land management software, for example, understand that it’s just the tip of a vast iceberg underneath the surface and that without an SBOM from your vendors, your team is navigating dangerous waters, indeed, when it comes to cybersecurity.
There are three types of software vendors. First are the startups and pure play software providers, focused on one type of software and inevitably snapped up and acquired by the second type, which may have started off as a pure play but now resorts to growth through acquisition. Let’s call the latter software holding companies. The third type is a diversified software provider that offers many solutions but maintains a single code base even when it acquires other software vendors. That’s W Energy Software. Software holding companies have a critical flaw when it comes to cybersecurity. By nature, they tend to acquire innovative solutions then immediately stop innovating or investing, which has major ramifications for cybersecurity. Secondly, these vendors tend to amass vintage software that is built with obsolete or unsupported on-premise legacy technology. And finally, the result is often a mishmash of products, or product soup, where vendors offer multiple flavors of the same type of software.
So, if your vendor offers 40 different products, it should be responsible for providing you with an SBOM for each. But the nature of these energy software holding companies is to overinvest in sales and underinvest in innovation, especially cybersecurity. Ask them for an SBOM and you won’t get 40, you’ll get nothing and a whole lot of promises. But promises won’t prevent defects in their software from crashing your business.
Q: What is W Energy Software doing to protect customer software supply chains? How are you innovating and adding value?
W Energy Software has built a modern, energy-focused ERP specifically designed to harness the power of the cloud and sophisticated security capabilities of the Amazon Web Services, or AWS, cloud. That’s an awesome foundation for cybersecurity because it provides a single perimeter to safeguard versus dozens. And – this is important – W Energy Software has fully funded the processes and people needed to stand guard every moment, proactively thwart threats, and partner to ensure continuous vigilance.
A big upshot for our approach is that a unified solution set means a unified bill of materials, enabling us to show our clients, at any time, that we not only know how deep our software supply chain is, but also that we are only working with secure third-party code. I strongly encourage oil and gas teams to challenge your software vendors and ask for an SBOM covering each of the products they license [to] you. I suspect this request, if acknowledged, will trigger a fire drill at your vendor and culminate in a spreadsheet of copy and pasted code libraries, open source components, and other software dependencies. That’s not an SBOM; that’s a smoke screen. In today’s mature digital economy, oil and gas teams deserve what has become commonplace in other industries, such as healthcare, which is about five years ahead of energy on the cybersecurity front. Instead of a spreadsheet, W Energy Software has adopted Software Package Data Exchange® (SPDX®), an international open standard (ISO/IEC 5962:2021). This level of commitment to the security of your data and business continuity is exactly what you should expect from your software vendors.
Q: You mentioned security partnerships. How is W Energy Software partnering around cybersecurity?
Best-in-class cybersecurity takes more than what a single organization can muster on its own. Fighting back requires pooling all available knowledge among security partners. Partnership is just as important as systems and IT policies, which is why I like to think about the ongoing high-stakes game with bad actors as a team sport. Cyber-attackers have gone mainstream and it’s big business. As an industry, we must respond by joining forces to leverage our mutual strengths, pool intelligence, and stay several steps ahead of emerging threats.
I can’t go into the exact details about our various security partners; however, I can say that W Energy Software actively collaborates with cybersecurity firms and industry groups like the Oil and Natural Gas Information Sharing and Analysis Center. And by actively, I mean each and every day, including federal law enforcement where we are plugged into the global security posture of bad actors through daily FBI briefings.
Q: What are the costs to an organization of a successful cyber-attack directly or indirectly through their supply chain?
There are many ways a successful cyber-attack can damage your business, starting with the immediate impact that a complete loss of data will have on organizational output. If you are an E&P, that means your land department has to fallback to managing leases and tracking obligations by sifting mountains of paperwork. Field data capture comes to an immediate halt, and you instantly lose visibility into production, revenue and lease operating expenses. Oh, and that on-premise production accounting, division order and revenue disbursement software you license has been completely wiped out with no data backup safety net from the vendor, leading to organizational gridlock while all of your interest owners go unpaid.
Cyber-attacks can threaten your capacity to continue operating, which has far-ranging negative impacts not just internally, but also in terms of reputational and brand damage. Our industry is built on reputation and the trust we place in oil field transactions, all of which suffer long-lasting damage from loss, theft or corruption of your stakeholder’s data as well as the spillover – spread of malware or vulnerabilities – into your partners and customers. It only gets worse from the legal and regulatory impact of cyber-attacks, which can result in fines and other costs of not being compliant with government agencies for the period your organization is down.
Finally, there is the financial impact beyond lost oil and gas revenue, such as higher cybersecurity insurance premiums, if you are lucky enough to have any, and the cost of incident response services to recover your business continuity. Every vendor in your software supply chain should provide your oil and gas team with assurance that no matter what happens on their end, your data and ability to continue operating is a priority. Disaster recovery should be part of the license and, in my view, [is] just as important as the core business functionality you pay for.
Q: From your perspective as a cybersecurity professional in oil and gas, what is the most important priority for the industry going forward?
There are five key areas in oil and gas information security where software vendors must build trust. As I mentioned, your software supply chain isn’t just the dozen or so pieces of energy software that accounting, land, field operations, production management and regulatory teams rely on. Software supply chains are comprised of thousands of subcomponents that these “tip of the iceberg” applications are built on. As a result, managing risk in your supply chain must take into account the vulnerabilities of open source code and third-party components, which is why W Energy Software provides a software bill of materials in the industry-standard SPDX format. Our cloud architecture and unified approach enable us to provide a single SBOM. [This is] unlike our competitors, who simply don’t try because they hold a mishmash of disconnected products built on legacy and on-premise technology, making it impossible to provide their clients with clear software supply chain visibility.
The other dimensions for building trust [are] that each of your energy software vendors must have a strategy that includes driving IT security best practices with the right cloud host, being able to rapidly recover your business continuity following a successful cyber-attack, and independent certification of information security controls. If your vendors aren’t innovating and adding value around cybersecurity, then they don’t deserve the confidence your oil and gas team is placing in their applications and digital infrastructure.
Safely doing business in the digital oil field is all about trust, which is why W Energy Software has published our Trust Center, which clearly defines how we safeguard customer data, ensure business continuity, add value and innovate around cybersecurity. Take a look at www.wenergysoftware.com/trust to learn more about our Services Organization Controls, or SOC, disaster recovery plan and cybersecurity readiness training for every employee. Just like our unified, energy-focused SaaS ERP, information security and cyber-resilience differentiate us and put W Energy Software in a league of its own, providing your team with another compelling reason to move off of the legacy software providers and make the switch to W Energy Software.
Oil and gas operations are commonly found in remote locations far from company headquarters. Now, it's possible to monitor pump operations, collate and analyze seismic data, and track employees around the world from almost anywhere. Whether employees are in the office or in the field, the internet and related applications enable a greater multidirectional flow of information – and control – than ever before.