Oil & Gas has always been an industry affected by a wide range of geopolitical, economical and technological factors. The energy transition is one of the more recent macro trends impacting every player in the sector.
Companies are adjusting their business models and reorganising their organisational structures to prepare for the shift to renewable energy. They are becoming more integrated, focusing on consumers’ broader energy needs all the while reducing carbon emissions and addressing sustainability concerns.
To enable this, the missing capabilities get acquired and unwanted assets get divested. Cyber security has a part to play during divestments. preventing business disruption and data leaks during handover. In acquisition scenarios, supporting due diligence and secure integration becomes a focus.
Digital transformation is also high on many boards’ agenda. While cyber security experts are still grappling with the convergence of Information Technology (IT) and Operational Technology (OT) domains, new solutions are being tried out: drones are monitoring for environmental issues, data is being collected from IoT sensors and crunched in the Cloud with help of machine learning. These are deployed alongside existing legacy systems in the geographically distributed infrastructure, adding complexity and increasing attack surface.
It’s hard, it seems, to still get the basics right. Asset control, vulnerability and patch management, network segregation, supply chain risks and poor governance are the problems still waiting to be solved.
The price for neglecting security can be high: devastating ransomware crippling global operations, industrial espionage and even a potential loss of human life as demonstrated by recent cyberattacks.
It’s not all doom and gloom, however. There are many things to be hopeful for. Oil & Gas is an industry with a strong safety culture. The same processes are often applied in both an office and an oil rig. People will actually intervene and tell you off if you are not holding the handrail or carrying a cup of coffee without a lid.
To be effective, cyber security needs to build on and plug into these safety protocols. In traditional IT environments, confidentiality is often prioritised. Here, safety and availability are critical. Changing the mindset, and adopting safety-related principles (like ALARP: as low as resonantly practicable) and methods (like Bowtie to visualise cause and consequence relationships in incident scenarios) when managing risk is a step in the right direction.
Photo by Jonathan Cutrer.
I have worked in the Operational Technology (OT) environment for years, predominantly in major Oil and Gas companies. And yes, we all know that this space can move quite slowly! Companies traditionally employ a waterfall model while managing projects with rigid stage gates, extensive planning and design phases followed by lengthy implementation or development.
It’s historically been difficult to adopt more agile approaches in such an environment for various reasons. For example, I’ve developed architecture blueprints with a view to refresh industrial control assets for a gas and electricity distribution network provider in the UK on a timeline of 7 years. It felt very much like a construction project to me. Which is quite different from the software development culture that typically is all about experimenting and failing fast. I’m not sure about you, but I would not like our power grid to fail fast in the name of agility. The difference in culture is justified: we need to prioritise safety and rigour when it comes to industrial control systems, as the impact of a potential mistake can cost more than a few days’ worth of development effort – it can be human life.
The stakes are not as high when we talk about software development. I’ve spent the past several months in one of the biggest dot-coms in Europe and it was interesting to compare and contrast their agile approach to the more traditional OT space I’ve spent most of my career in. These two worlds can’t be more different.
I arrived to a surprising conclusion though: they are both slow when it comes to security. But for different reasons.
Agile, and Scrum in particular, is great on paper but it’s quite challenging when it comes to security.
Agile works well when small teams are focused on developing products but I found it quite hard to introduce security culture in such an environment. Security often is just not a priority for them.
Teams mostly focus on what they perceive as a business priority. It is a standard practice there to define OKRs – Objectives and Key Results. The teams are then measured on how well they achieved those. So say if they’ve met 70% of their OKRs, they had a good quarter. Guess what – security always ends up in the other bottom 30% and security-related backlog items get de-prioritised.
DevOps works well for product improvement, but it can be quite bad for security. For instance, when a new API or a new security process is introduced, it has to touch a lot of teams which can be a stakeholder management nightmare in such an environment. A security product has to be shoe horned across multiple DevOps teams, where every team has its own set of OKRs, resulting in natural resistance to collaborate.
In a way, both OT and DevOps move slowly when it comes to security. But what do you do about it?
The answer might lie in setting the tone from the top and making sure that everyone is responsible for security, which I’ve discussed in a series of articles on security culture on this blog and in my book The Psychology of Information Security.
How about running your security team like a DevOps team? When it comes to Agile, minimising the friction for developers is the name of the game: incorporate your security checks in the deployment process, do some automated vulnerability scans, implement continuous control monitoring, describe your security controls in the way developers understand (e.g. user stories) and so on.
Most importantly, gather and analyse data to improve. Where is security failing? Where is it clashing with the business process? What does the business actually need here? Is security helping or impeding? Answering these questions is the first step to understanding where security can add value to the business regardless of the environment: Agile or OT.
Image by Kurt Kurasaki.