Drilling advances

Last summer, after security experts exploited the wireless Internet connection of a Jeep Cherokee’s onboard entertainment system and remotely crashed the vehicle, the automaker had to scurry to plug the security hole in its software. That demonstration could serve as a cautionary tale for an increasingly connected drilling community that has been tardy in making cybersecurity a key component of risk management programs.

“Think about the ability of someone to hack into these [drilling] systems and shut-in your BOP,” says Trey Mebane, V.P. of innovation for National Oilwell Varco (NOV).

Mebane was among speakers at the International Association of Drilling Contractors’ (IADC) Drilling Engineering Committee’s (DEC) quarterly Technology Forum in March, which put cybersecurity squarely in the spotlight. The one-day Houston confab showcased efforts underway to protect interconnected drilling networks, which, compared to electrical power grids, refining and other energy complexes, are well behind when it comes to implementing cybersecurity measures. The gap is narrowing, however, as remote operations with more computer-to-computer conversations, as well as the accelerated drive to automation, are inspiring upstream initiatives to confront the serious threats posed by highly sophisticated cyber-goons.

“Within all our operations, we’re more data-driven now than probably ever before, and it’s only going to increase, as we provide ourselves more intelligence with all these sensors,” says Mebane. “There’s tremendous value in all this information, but we must safely manage it.”

To that end, early this year, the IADC established a formal subcommittee, with the expressed purpose of developing drilling-specific cybersecurity guidelines that are both “pragmatic and practical,” said Transocean Director of Engineering Terry Loftis. “We felt there was a definite need to get ourselves engaged, and begin driving the science behind what we perceive as serious risks within our drilling community. We saw a need, as there are no specific cybersecurity or digital security standards for protecting offshore and onshore drilling assets.”

Well-financed. It is important to recognize the evolving nature of what the industry is up against, says Victor Vela, Weatherford’s R&D software manager. “Back in the ‘90s, hackers were college kids and kids sitting in their garages, hacking into sites and trying to break through servers. In this day and age, the hackers are being funded, either by a country or an organization. Now, they’re getting paid to do this. It’s not just a pass-through thing.”

With any number of companies collecting and transmitting various data sets during a drilling operation, the first wall of defense against malicious breaches should be erected before the spud date, Vela said. “You need to make sure everybody understands the data being acquired, who is sending the data that’s being acquired, and at what rate it’s being sent. Basically, you should have an understanding of how the information is being segmented out between the different companies, so nobody is penetrating either each other’s network or a closed-loop network. Everybody is segregated, and controls are in place that allow you to share data, but not breach each other’s zones.”

Having a plan in place, he said, will enable any breaches to be quickly identified and addressed. To that end, specific standards should identify the various data sets being transmitted, be it raw and real-time data, to end-of-well reports. “Just like following the money when investigating a crime, it is most important to follow the data, anytime your network has been compromised. With a defined structure, when a breach happens, you’re able to quickly identify that something’s not following the plan that everybody discussed. You must have some kind of monitoring system in place, to make sure everybody is sending the information required of them. That way, if anyone intrudes into your infrastructure and starts looking at your data, the breach can be easily identified. You have to make sure controls are in place, because if you don’t know the [defined data] path when an attack happens, you won’t know where to start.”

Vela said one of the biggest hurdles to overcome is the cloak of secrecy that is immediately thrown over any breach. “The prevailing attitude is to keep cyberattacks a secret, as they don’t want anyone to know their data has been compromised. They want to keep it down low and resolve it. Perhaps, we really need to look at some sort of consortium that shares data with regard to different threats. That’s the only way we’ll get ahead of it.”

ISO 27001. Another approach that would go a long way to help ensure that data remains secure, is complying with the ISO 27001 international standard for Information Security Management Systems (ISMS), enacted in September 2013, says Anil Wadhwa, Baker Hughes’ global director of Remote Operations Services.

“This is not a security standard per se, but more of a management standard, depending on your business and objectives,” he said. “ISO 27001 is so flexible that every company has different ways of implementing it. The core of this standard is a risk assessment-based approach, where you look at the different threat vectors within your environment, and then put specific processes and controls in place.”

Remote operations pose distinctive challenges, as mud logging, downhole and rig sensor data are typically streamed via satellite through a two-way data store. The ISO 27001-certified model installed within Baker Hughes’ information management system includes distinctive human resources, physical-environmental, systems and network security systems, he said.

“No matter how thorough you are, however, there will be incidents, but the ISO standard gives employees the processes to deal with any incidents that occur.”  

About the Authors

Jim Redden

Contributing Editor

Jim Redden is a Houston-based consultant and a journalism graduate of Marshall University, has more than 40 years of experience as a writer, editor and corporate communicator, primarily on the upstream oil and gas industry.