By Siv Hilde Houmb, IADC Cybersecurity Subcommittee Chair
Over the past several years, malicious malware has infiltrated hundreds of thousands of organizations, and the impacts have ranged from mild to severe disruptions. In every case, it had negative impacts on the ability to conduct everyday business.
Drilling contractors are no less susceptible to a cyber attack than any other industry. The reality is that rigs and the technology required to successfully drill holes deep within the earth are prime candidates for a cybersecurity incident. The risks are real. We need only to look at the recent Petya and WannaCry malware attacks that affected our industry. It is our responsibility to develop, invest in and implement cybersecurity requirements that protect against attacks that have the potential to paralyze operations.
In 2014, the IADC Advanced Rig Technology (ART) Committee established a Cybersecurity Workgroup under the Drilling Control Systems (DCS) Subcommittee because it understood that cybersecurity represented a clear threat. The workgroup became a Subcommittee in January 2016 and was tasked with developing solutions to this critical need. As the Chair of this group, I believe that IADC members are a leading voice on cybersecurity issues facing drilling contractors.
In 2016, IADC released Guidelines for Assessing and Managing Cybersecurity Risks to Drilling Assets. It offers drilling contractors a first step in improving their cybersecurity. Understanding the risks associated with each rig allows contractors to better develop a plan to become more secure.
This year and next, we are following up with five additional guideline documents: Guidelines for Minimum Cybersecurity Requirements for Drilling Assets (draft form already complete); Guidelines for Network Segmentation; Cybersecurity Training; Guidelines for Hardening of Control Systems Focusing on Existing Drilling Assets; and Guidelines for Security Monitoring and Audit.
It’s an ambitious slate, but we have a committee of engaged professionals who understand the threat and are committed to providing solutions.
Beyond the development of these guidelines, we are also working closely with other industry groups, like the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC), the American Petroleum Institute (API) and the International Association of Oil & Gas Producers (IOGP). The IADC subcommittee also monitors US and international standardization and regulatory activities, including those of the US Coast Guard and the International Maritime Organization (IMO). In August, six drilling contractors participated in a cyber-themed tabletop exercise organized by the Maritime and Port Security Information Sharing and Analysis Organization, the US Department of Homeland Security’s National Cyber Exercise and Planning Program and the US Coast Guard.
It is a certainty that regulations addressing cybersecurity concerns will eventually be implemented. Nobody understands our assets and how they work better than we do, and it is important that we have a voice with legislators and regulators on how best to implement cybersecurity to avoid incidents. It is prudent for our industry to have a strong voice while regulation efforts are still in their infancy. Through the work of the IADC Cybersecurity Subcommittee, we are paving the way for a strong collaboration and working relationship with regulators worldwide.
Arming a company against a cybersecurity attack is costly. The nature of economics in the industry has made it particularly difficult for drilling contractors to justify the expense of implementing a cybersecurity program. Unfortunately, the threat does not recognize industry downturns. Bad actors will target assets that are easily infiltrated. Thus, we must remain on high alert to guard our operations from malicious malware attacks.
I’ve had the opportunity to speak at industry conferences and events, and I believe that there is an overall sense of awareness of the vulnerability of our assets and a commitment to protect ourselves from cyber risks. The guidelines that the subcommittee has put together is a great start, as they provide drilling contractors with the building blocks to develop their own cybersecurity programs. Similarly, the inroads we are making with regulators are valuable for the future of cybersecurity and its implementation by drilling contractors.
We are at the beginning of a long journey. I encourage anyone who has an interest in working with the subcommittee to join us and help in shaping the future of our industry. DC