The cyber-attack on the Colonial Pipeline in May 2021 in the sent shivers through the US economy just at the point where demand was starting to recover from the impact of Covid-19. Six months on, it is worth remembering that security in the oil and gas sector is only as strong as the weakest part of a very extended supply chain, and that the person from IT is always worth listening too, suggests Kay Rieck, an experienced market observer and investor.
Let’s start with a couple of stereotypes.
Folk in the oil and gas sector have a reputation for straight talking. They work hard, they see the job through, and they don’t worry too much about who they offend in the process. They understand their projects, they understand their geology, and they understand their bottom lines.
The people that work in IT have a reputation for being unintelligible. They always look like they are working hard but no one from outside IT every really seems to understand what they are doing or why it’s important. If you ask them to explain what they are up to, it sometimes feels like they are trying to blind you with science.
No matter how valid or otherwise these stereotypes are, the distance between the brash oil folk and the denizens of the IT division tend to be pretty wide. They may both be experts in their respective fields, but they tend to speak very different languages. This isn’t really a issue on a day-to-day basis, but it can quickly escalate an challenge into a problem if one side doesn’t know how to listen to another.
Like it or not, IT is central
No matter where an organisation stands on the exceptionally intricate oil and gas supply chain, data and technology form an increasingly important part of the operations. As we saw with the Colonial Pipeline hack six months ago, a security network is only as strong as its weakest point, and the people that understand where the weakest point is from an information technology perspective are likely to be the people in the information technology department.
And this is only going to become more apparent over the next few years. Artificial intelligence and the blockchain offer a myriad of new opportunities but they also potentially expose an organisation to more IT risk. They could be seen as luxury items on a modest oil and gas project’s shopping list, but the drive to enhance efficiency and reduce waste from both a consumer and a regulatory perspective are only going to increase the need for IT’s involvement in a project’s operational activities. In short, the simple days are over, and no matter how much we might hanker after them, we are only going to become more reliant on IT over the next few years.
At the same time, as I said, oil and gas supply chains are exceptionally intricate, and security is only a strong as its weakest link. This means that if your oil and gas organisation decides to face the future without enhancing levels of IT literacy, it may well find that it starts to run short of partners willing to work with it. It has been suggested that in the Colonial Pipeline incident, hackers were able to access the pipeline’s systems through an obsolete virtual private network (VPN) that was no longer used but was still connected to the system somewhere downstream. It offered the hackers a foot in the door. The likelihood is that someone in IT could have pointed that out as a potential issue if someone else had been willing to listen.
Shutting the stable door after the horse has bolted…
With luck (and given the cost and furore that surrounded the incident) most organisations have subsequently made sure that they have dealt with similar security risks and will hopefully be listening to the IT people that have been warning them about them. The reality is though that the nature of cyber risk is constantly evolving, and while it’s important to make sure that you are not open to yesterday’s risks, it’s also vital to stay alert to what comes next.
In this environment, leadership teams at oil and gas projects can either go out and spend their time learning lots about the emerging IT security threats and how to mitigate them, or they can trust their IT teams and listen to them when they say that they’ve spotted a vulnerability. Just encourage them to explain it in a way that non-IT people can understand.
About the Author
Kay Rieck has been an investor in the US oil and gas sector for more than two decades. He was a financial advisor and stockbroker on the New York Stock Exchange (NYSE) for many years.
He quickly developed his interest in the oil and gas sector and related assets, building his expertise in investment banking and asset management at the New York Board of Trade and the Chicago Board of Trade.
Leveraging his exceptional network of global contacts, he founded his first oil and gas development company in the U.S. in 2008, selecting investments in the Haynesville Shale, Permian Basin, Eagle Ford Shale, Dimmit County, and anywhere else that offered and continues to offer exceptional return prospects.