A surge of cyber-attacks over the last few years has moved hackers from virtual back alley deals to main street shops. The organized crime of digitally exploiting businesses for profit, especially from ransomware, is now big business and here to stay. Recent reports place cybersecurity failures among the top mid-term global threats with corporate information technology teams in 2021 facing an estimated 623 million ransomware attacks (a 105 percent year over year increase). It is estimated that cyber-attacks will cost companies around the globe $10.5 trillion annually by 2025, which is a $7.5 trillion increase from 2015, representing the biggest transfer of wealth in history.
It’s not just large enterprises that are under assault. Small and medium-sized businesses are increasingly the target of more advanced, frequent, and devastating cybercrime. The Cost of Cybercrime Study from Accenture cites 43 percent of all cyber-attacks now target small to medium-sized businesses, yet only 14 percent of these companies have the people, processes and technology in place to defend against cybercrime.
The energy industry is at risk as well, more so than other sectors due to the unique complexities and vulnerabilities of the digital oil field. Cyber risks continue to evolve as digital transformation of the energy sector accelerates along with the associated information systems, from wellhead SCADA and flow meters to the back office and city gates.
Energy companies are vulnerable targets, as well as the software they use to run critical oil and gas business functions, including accounting, land management, production management, logistics and regulatory. Because of these software supply chain risks, energy companies must ensure that each of their vendors has the right strategy, processes and partnerships to stand guard and rapidly respond to cybersecurity threats.
Understanding Digital Oil Field Software Supply Chain Risks
Oil and gas teams would never skip the crucial step of running title on land they plan to lease. Of course not, because the title process is standard operating procedure for ensuring that ownership is correct, not just for the current mineral owners, but for every previous owner chaining it all the way back to sovereignty, i.e., the chain of title. We do it to prevent defects and risks from creeping into leases. Software supply chain security works in a very similar fashion.
Think of all of the software your team uses each day. For upstream, this ranges from field data capture, allocations and production reporting to lease administration, GIS, division order and revenue disbursement. Midstream needs a raft of software too, including gathering, transportation, gas processing, terminal management and marketing. and all energy businesses share a common need to manage core financials, regulatory and tax. That’s a lot of software.
Your software supply chain is defined by the primary pieces of software you run your business on. Let’s assume you have 10 (and that’s a low estimate). Those discrete products might be provided by a multitude of vendors, each built with different technologies at different times and with varying levels of innovation. But understanding where your software supply chain vulnerabilities are isn’t a simple matter of analyzing your 10 pieces of software and ensuring you are running on the latest version that is patched against known exploits. Energy companies need to understand the thousands of sub-components, open-source libraries and databases your vendors have built their products on.
In today’s complex cyberspace and ever evolving digital oil field, software vendors who claim to provide secure solutions must also vouch for each and every piece of software they have used to build their products, a very long supply chain that most vendors can’t even begin to untangle.
Software Bill of Materials Defined
If chain of title is standard operating procedure for leasing land, then oil and gas teams need an SOP for licensing their software. A software bill of materials (SBOM) is just that, a transparent and documented record of third-party components, licenses, copyrights and security references. So, the next time you think about your production accounting software, for example, understand that it’s just the tip of a vast iceberg underneath the surface and that without an SBOM from your vendors, your team is in dangerous waters indeed when it comes to cybersecurity.
In our industry, there are three types of software vendors. First, are the startups and pure play software providers, focused on one type of software and inevitably snapped up and acquired by the second type, which may have started off as a pure play but now resorts to growth through acquisition. Let’s call the latter software holding companies. The third type is a diversified software provider who offers many solutions but maintains a single code base even when it acquires other software vendors.
Software holding companies have a critical flaw when it comes to cybersecurity. By nature, they tend to acquire innovative solutions, then immediately stop innovating or investing, which has major ramifications for cybersecurity. Secondly, these vendors tend to amass vintage software that is built with obsolete or unsupported on-premise legacy technology. And, finally, the result is often a mishmash of products where vendors offer multiple flavors of the same type of software.
So, if your vendor offers 40 different products, it should be responsible for providing you with an SBOM for each. But the nature of these energy software holding companies is to overinvest in sales and underinvest in innovation, especially cybersecurity.
The Value of a Unified SaaS ERP for Cybersecurity
W Energy Software has built a modern, energy-focused ERP specifically designed to harness the power of the cloud and sophisticated security capabilities of the Amazon Web Services (AWS) cloud. That’s a strong foundation for cyber security because it provides a single perimeter to safeguard versus dozens. Importantly, W Energy Software has fully funded the processes and people needed to stand guard every moment, proactively thwart threats, and partner to ensure continuous vigilance.
An advantage of our approach is that a unified solution set means a unified bill of materials, enabling us to show our clients at any time that we not only know how deep our software supply chain is, but also that we are only working with secure third-party code. W Energy Software has also adopted Software Package Data Exchange® (SPDX®), an international open standard (ISO/IEC 5962:2021) for communicating the contents of our software supply chain in a format that is expected to become widely adopted in the oil and gas community over the next few years. In an industry that is seeking to harden its cybersecurity, it is now common for oil and gas companies to require proof of basic IT security from software vendors and other suppliers on RFPs and contracts for license renewal. Increasingly, new levels of cybersecurity readiness like SBOM and SPDX will become the new norm.
The Cost to Energy Companies of Doing Nothing
Energy teams and their software supply chain must be bullet proof against cyber-attacks. There are many ways a successful cyber-attack can damage oil and gas businesses, starting with the immediate impact that a complete loss of data will have on organizational output. For an E&P, this means the land department has to fall back to managing leases and tracking obligations by sifting mountains of paperwork. Field data capture comes to an immediate halt, and teams instantly lose visibility into production, revenue and lease operating expenses. On-premise production accounting, division order and revenue disbursement software will be completely wiped out with no data backup safety net from the vendor, leading to organizational gridlock while interest owners go unpaid.
Cyber-attacks can threaten an energy company’s capacity to even continue operating, which has far ranging negative impacts not just internally, but also in terms of reputational and brand damage. Our industry is built on reputation and the trust we place in oil field transactions, all of which suffer long lasting damage from loss, theft or corruption of stakeholder data, as well as the spillover (spread of malware or vulnerabilities) into partners and customers. It only gets worse from the legal and regulatory impact of cyber-attacks, which can result in fines and other costs of not being compliant with government agencies for the period an organization is down.
Finally, there is financial impact beyond lost oil and gas revenue, such as higher cybersecurity insurance premiums and the cost of incident response services to recover business continuity.
W Energy Software’s Disaster Recovery Plan
Every vendor in your software supply chain should provide your oil and gas team with assurance that, no matter what happens on their end, your data and ability to continue operating are a priority. Disaster recovery is just as important as the core business functionality you pay for. A solid cybersecurity insurance policy is part of the solution but, just like trying to get life insurance, if a vendor’s information security health is questionable, it may not even qualify or be forced to pay outrageous premiums that it passes back to customers.
W Energy Software not only has great cybersecurity insurance, but we also know exactly what healthy information security looks like, build cyber-readiness into our DNA, and ace our insurance application every year. But vendors must do more.
W Energy Software delivers software as a service, or SaaS, hosting 100 percent of our solutions and customer data on the world-class AWS cloud. When your solution is delivered as a SaaS solution, reliability of the security apparatus that protects customer data is the responsibility of the vendor versus on-premise oil and gas software that sidesteps the responsibility of ensuring data and business continuity.
We provide our clients with robust disaster recovery options using technologies such as AWS Simple Storage Service (S3) and Cross-Region Replication. We provide daily backups of your oil and gas business data, stored in geographically distributed locations online and physical media, and importantly we test our backups to ensure they’ll work when needed.
W Energy Software goes even further to help recover clients from a cyber-attack by minimizing spillover. Each client’s data is completely isolated, protected with bank-grade encryption, and only accessible over the Web using Secure Sockets Layer (SSL), so one impacted client can have less impact on others.
One major advantage of W Energy Software is our unified energy-focused SaaS ERP. If you rely on 10 software vendors to run your oil and gas business, that leaves a lot of room for potential threats to creep into your organization. On the other hand, upstream and midstream clients of W Energy Software can minimize their software supply chain footprint with a single vendor through our integrated suite of oil and gas solutions, all while running their business on the latest technology optimized for the cloud and safeguarded with the right measures to protect and even rapidly recover from cyber-disasters.
Because of the critical nature of data in our industry, oil and gas companies must be able to confidently rely on their software vendors who are integrally linked to their digital pipelines, data assets and ability to operate. Safely doing business in the digital oil field is all about trust, which is why W Energy Software has published our Trust Center, which clearly defines how we safeguard your data, ensure business continuity, add value, and innovate around cyber security.
Please visit wenergysoftware.com/trust to learn how your team can trust W Energy Software on every dimension.
Michelle Pellon is a native of Houston, and began her IT career as a programmer on the Human Genome Sequencing Project. Her passion for security quickly shaped her career as she moved into a critical role working with federal law enforcement teams to fight child exploitation online. Pellon directs the DevOps and Cybersecurity strategy for W Energy Software, connecting corporate operational and security objectives to business initiatives. Additionally, she shares her message about evolving how people think about and approach security, privacy and trust through speaking engagements at various conferences and other events. When not engaged in security research and advocacy, Pellon is also an accomplished sailor with the Houston Yacht Club.
Oil and gas operations are commonly found in remote locations far from company headquarters. Now, it's possible to monitor pump operations, collate and analyze seismic data, and track employees around the world from almost anywhere. Whether employees are in the office or in the field, the internet and related applications enable a greater multidirectional flow of information – and control – than ever before.