Speakers from more than a dozen major oil and gas production companies converged at Houston's OilComm / FleetComm conference last week to explain why IIoT, cyber security, data analytics, AI, 5G, and other telecom innovations are driving a new kind of convergence within their organizations. Speaking at the event's opening general session, Noble Energy Chief Information Security Officer (CISO) Rob Nolan said the oil and gas industry has been working to better align tech-driven decisions made by information technology (IT) teams with the financial needs of operational technology (OT) teams.
"Change in the energy sector will always be driven by the financial health of the business," said Nolan. "During the last few years, our industry has adopted new technologies at an incredible pace. The reason is always the same – to make money. Following the oil price drop a few years ago, the money to be made was through efficiencies. Now that things have stabilized and business is growing again, we need greater collaboration between IT and OT organizations to not only maximize production, but also to protect assets and ensure the safety of our personnel."
ExxonMobil Cyber Security and Management Supervisor Andrew Taylor homed in on Nolan's use of the word "collaboration," defining it as a more accurate way of describing the "convergence" of oil and gas IT and OT organizations. "The reality is that cyber security risks require IT and OT worlds to share expertise," Taylor said. "Both groups now need to be talking to each other all of the time. This comes with a lot of unexpected challenges. There's even a language barrier. For example, when we're discussing a collaborative 'incident response' strategy, the word 'incident' could mean two totally different things to IT and OT personnel. One team has one way of doing things and the other doesn't want to be told how to do things differently. It's a tough, but necessary evolution for our businesses."
Why was it important for these oil and gas industry speakers to have this conversation in front of an audience of telecommunications vendors? BP Energy Engineering Technical Authority Dennis Brewer explained that connectivity service providers, resellers, equipment manufacturers, and other tech developers could see a change in the way they interact with the oil and gas industry customers they serve. "Being an OT guy myself, I can empathize with how confusing and sometimes frustrating it can be to interact with our industry on a purely IT level," he said. "Capability is credibility for both IT and OT, for sure. But with OT becoming more engaged and aware of the technology being used in the overall network architecture, I think you're going to see more buyers interested in the straightforward financial pitch. OT knows exactly how much money is lost when systems are down. So, if you can prove reliability with hard facts, you'll gain even more credibility with your buyers."
The IT/OT convergence discussion continued into day two of OilComm and FleetComm, with a panel focused on how these aligned operations would either control or eliminate "Shadow IT" – or unknown and/or vulnerable connected devices operating at the network edge. Paul Brager, the Executive Director of Digital Technology Security at Baker Hughes, said that IT and OT worlds are still very far apart in terms of their preferred methods of controlling devices at the edge. "I can very confidently say that it is never a good idea to tell OT leadership that the best network protection solution is a software patch," he said. "OT hates software patches, because they don't last. You have to keep applying new patches. For these unauthorized devices, OT knows that you can't just eliminate them altogether and go back to the days of pen and paper. As much as they would like that, they know we're well into the age of Industry 4.0. I think a good start for creating collaborative processes involving both IT and OT is getting everyone to know exactly what's out there. It's also not a bad idea to bring in outside expertise, consultants, to just lay out the realities of the network – the strengths and vulnerabilities – so everyone has the same view."
Speaking on a Big Data Security panel earlier that day, Diamond Offshore Drilling CIO Timothy Jackson expressed very similar thoughts about outside expertise, but highlighted unique opportunities for telecommunications vendors with small- or mid-sized oil and gas clients. "There are many, many regional drillers and operators out there whose core competencies do not include telecoms management," he said. "Just because they're smaller, doesn't mean that they're not part of this critical infrastructure. Everyone's going to get hacked at some point. For the small- and mid-sized operations, they are going to be even more dependent on outsourcing their telecoms and network management. That said, some of the vendors here at OilComm and FleetComm could also be serving as both IT and OT, and converging their own thinking in how they solve technical challenges for their clients. It's a good time to be in that business."