December 2013
Columns

Drilling advances

Your subcontractor may be at risk
Jim Redden / Contributing Editor

 

Picture this: An integrated service company, as part of a closely-guarded R&D initiative, contracts an independent lab to run stability tests on a tool, the results of which could give it a strong competitive edge. While highly respected within its sector, the small lab does not have the cyber safeguards intrinsic to a much larger global organization. As a result, hackers manage to pilfer the test results and tool specs, which, of course, are made available to the highest bidder.

Cybersecurity experts warn that such scenarios threaten to become all too common, as computer louts find smaller companies, with their more poorly defended networks, much easier pickings than the corporate behemoths that retained them. We’ve previously addressed the cybersecurity issue as it pertains, rightfully so, to the safety and environmental aspects of highly computerized drilling systems, but the cyber theft of intellectual property (IP), and the resulting loss of competitive advantage, holds huge economic ramifications, they say. The cyber stealing issue has grown to the point that API in November thought it prudent to sponsor a Cybersecurity Conference and Expo in Houston, to try and get some semblance of a handle on a problem that some believe will never be eradicated. At the conference, experts told the industry folks attending that sharing information on attacks they’ve encountered could help, at least, to detect trends.

In October, cybersecurity firm Alert Logic, of Houston, released an extensive analysis that presented some startling data on the percentage of computer attacks targeting the oil and gas industry, compared to the general commercial community. Alert Logic told the Houston Chronicle that it found companies in the energy sector being targeted much more often than their counterparts in other industries, to the tune of some 9,000 threats between Jan. 1 and May 23.

More specifically, the Oct. 23 report, “State of Cloud Security Bulletin on Information Security in the Energy Sector,” found that: 1) A staggering 67% of energy companies experienced brute force attacks vs 34% for other businesses that the company services. Attackers, it says, look for opportunistic points of vulnerability in networks housing confidential geophysical and other critical, and valuable, exploration data. And 2) Some 61% of energy-related organizations experienced malware/botnet infiltration attacks vs only 13% for the other concerns. These attacks, Alert Logic says, sneak into physical infrastructure systems that control key segments of the industry. While the company said that SCADA systems are most vulnerable to hacking, it emphasized that much of the problem lies with employees plugging personal flash drives and other appliances, which may be infected with viruses and other malware, into the company network.

“This industry doesn’t see the typical web application attacks. It experiences a greater magnitude of security threats that could have global repercussions for years to come,” Stephen Coty, Alert Logic’s director of security research, said in the bulletin, which is available for free download at www.alertlogic.com/csr.

Even though those among the most susceptible to cyber thieves are the subcontractors, Coty said the major companies typically do not emphasize cybersecurity anywhere near the HSE vigilance they insist upon for their employees and contractors.

Coty went on to say that for operators working in tight hole environments, or service companies holding the formulation for a unique frac fluid, for instance, the consequences can be particularly harmful. “People are wanting to know where they’re drilling, what their secrets are, what’s the formula for their fluids? This is all data that people are interested in.”

Research pays off. He said your typical would-be cyber thief is nothing but thorough. First, the thief will research an operator, service company or other entity to discover the subcontractors who may hold information worth a bundle on the open market. He will go on to research the key subcontractor employees and acquire just enough personal information to allow him to send directed emails that would entice them to click on a corrupted link that would give him access to the company’s computer network.

Alert Logic and other cybersecurity outfits say that one of the most prevalent ways of hacking into a computer network is through brute force, as it’s known in cyber jargon. In other words, electronic thieves steal passwords that give them clear access to company data, reinforcing long-held recommendations that the best line of defense is to come up with an ultra-complicated assortment of letters and numbers that would stymie efforts to break it. However, trying to keep track of complex combinations can be an off-putting proposition, to say the least.

Well, it appears help in that regard may be on the way. In leafing through the Nov. 25 issue of Time magazine, I came across a special report on the 25 Best Inventions of the Year, one of which grabbed my attention as the perfect antidote to brute force hacking: The edible password pill.

That’s right. Venerated Motorola supposedly has come up with a pill comprising a tiny chip that can store the most complicated of passwords. According to Time, the pill is swallowed daily and activated by stomach acid, after which it emits a specific EKG-like signal that the user’s computer or phone instantly detects. Essentially, the user’s body becomes a breathing password, according to the article.

Lest one dismiss this as too bizarre to be believed, Time says the U.S. Food and Drug Administration (FDA) apparently gave its blessing to the concoction. We can only assume that the FDA is involved to ensure that it is not manufactured with any trans fat and stays within recommended dietary guidelines.

About the Authors
Jim Redden
Contributing Editor
Jim Redden is a Houston-based consultant and a journalism graduate of Marshall University. He has more than 40 years of experience as a writer, editor and corporate communicator, primarily on the upstream oil and gas industry.