I have just spent an educational day and a half at the Oil and Gas Communications conference. As you might expect, it focused on the ‘digital oil (or gas) field’ and the issues around communicating with, and processing data from, outfits in remote parts of the world and generally inhospitable environments.
The quantity of data collected from sensors on everything from the drill bit upwards is huge and ever increasing, as is the desire to process it all in real time, online. Automation and robotics are also playing a greater part. These, together with the not insignificant demands placed by crew ‘welfare needs’ (Facebook, Netflix etc.), are driving the need for greater speed and bandwidth. The solutions on offer range from satellites and microwave links between moving platforms to submarine cable.
However, a number of the speakers made it very clear that in this business, communications was not high on the list of priorities (despite the exotic solutions). When it came to planning – “the CIO is last to know drilling starts yesterday” – and the budget? Only 0.014 percent of the daily spend on a rig goes towards communications – so where does this leave cyber security?
Cyber criminals are indiscriminate. Where there is a weakness, they will try to exploit it. Increasing the number of interfaces and intertwining welfare and commercial use create a wealth of new opportunities for any attacker. An organization must understand the cyber threats it faces, and then adopt a cyber security strategy that is proportional to the risks faced – based upon the outcomes of a risk assessment.
The digital oil field is another realization of the IoT – and again raises the issue of security basics. The biggest part of any solution is not technical, but educating, training and imbuing the individuals who interact with your system with a cyber security culture. Every hack starts with a media attack? Everyone who uses the system is part of the security solution.
There was discussion around the ‘friction’ generated by security measures – a heavy-handed response could result in massive missed business opportunities/loss of revenue – and too little is ineffective. A balance must be struck on what you know – just knowing there’s an indeterminate ‘cyber threat’ out there and not putting any specific security in place will (should?) drive a cautious approach – and any attack is likely to be catastrophic for the business.
On the other hand, knowing as much as you can about your environment, vulnerabilities and threats (understanding potential incident escalation paths) and then adopting the most appropriate security measures – and associated mitigation plans – will put you in a far better position. You will be able to take the big decisions and risks with confidence – you may still get attacked but will remain in business.
So back to the car, why does it need brakes? To go faster!