OILMAN Article: Software Supply Chain Security in the Digital Oil Field

OILMAN Magazine published a featured article by Michelle Pellon, DevOps Information Security Manager of W Energy Software, in OILMAN Magazine’s May-June 2021 digital publication. Titled  ‘Software Supply Chain Security in the Digital Oil Field’, Pellon discusses the importance of safely doing business in the digital oil field by safeguarding data, ensuring business continuity, adding value, and innovating around cyber security. Read it now:

By Michelle Pellon

A surge of cyber-attacks over the last few years has moved hackers from virtual back alley deals to main street shops. The organized crime of digitally exploiting businesses for profit, especially from ransomware, is now big business and here to stay. Recent reports place cybersecurity failures among the top mid-term global threats with corporate information technology teams in 2021 facing an estimated 623 million ransomware attacks (a 105 percent year over year increase). It is estimated that cyber-attacks will cost companies around the globe $10.5 trillion annually by 2025, which is a $7.5 trillion increase from 2015, representing the biggest transfer of wealth in history.

It’s not just large enterprises that are under assault. Small and medium-sized businesses are increasingly the target of more advanced, frequent, and devastating cybercrime. The Cost of Cybercrime Study from Accenture cites 43 percent of all cyber-attacks now target small to medium-sized businesses, yet only 14 percent of these companies have the people, processes and technology in place to defend against cybercrime.

The energy industry is at risk as well, more so than other sectors due to the unique complexities and vulnerabilities of the digital oil field. Cyber risks continue to evolve as digital transformation of the energy sector accelerates along with the associated information systems, from wellhead SCADA and flow meters to the back office and city gates.

Energy companies are vulnerable targets, as well as the software they use to run critical oil and gas business functions, including accounting, land management, production management, logistics and regulatory. Because of these software supply chain risks, energy companies must ensure that each of their vendors has the right strategy, processes and partnerships to stand guard and rapidly respond to cybersecurity threats.

Understanding Digital Oil Field Software Supply Chain Risks

Oil and gas teams would never skip the crucial step of running title on land they plan to lease. Of course not, because the title process is standard operating procedure for ensuring that ownership is correct, not just for the current mineral owners, but for every previous owner chaining it all the way back to sovereignty, i.e., the chain of title. We do it to prevent defects and risks from creeping into leases. Software supply chain security works in a very similar fashion.

Think of all of the software your team uses each day. For upstream, this ranges from field data capture, allocations and production reporting to lease administration, GIS, division order and revenue disbursement. Midstream needs a raft of software too, including gathering, transportation, gas processing, terminal management and marketing. and all energy businesses share a common need to manage core financials, regulatory and tax. That’s a lot of software.

Your software supply chain is defined by the primary pieces of software you run your business on. Let’s assume you have 10 (and that’s a low estimate). Those discrete products might be provided by a multitude of vendors, each built with different technologies at different times and with varying levels of innovation. But understanding where your software supply chain vulnerabilities are isn’t a simple matter of analyzing your 10 pieces of software and ensuring you are running on the latest version that is patched against known exploits. Energy companies need to understand the thousands of sub-components, open-source libraries and databases your vendors have built their products on.

In today’s complex cyberspace and ever evolving digital oil field, software vendors who claim to provide secure solutions must also vouch for each and every piece of software they have used to build their products, a very long supply chain that most vendors can’t even begin to untangle.

Software Bill of Materials Defined

If chain of title is standard operating procedure for leasing land, then oil and gas teams need an SOP for licensing their software. A software bill of materials (SBOM) is just that, a transparent and documented record of third-party components, licenses, copyrights and security references. So, the next time you think about your production accounting software, for example, understand that it’s just the tip of a vast iceberg underneath the surface and that without an SBOM from your vendors, your team is in dangerous waters indeed when it comes to cybersecurity.

In our industry, there are three types of software vendors. First, are the startups and pure play software providers, focused on one type of software and inevitably snapped up and acquired by the second type, which may have started off as a pure play but now resorts to growth through acquisition. Let’s call the latter software holding companies. The third type is a diversified software provider who offers many solutions but maintains a single code base even when it acquires other software vendors.

Software holding companies have a critical flaw when it comes to cybersecurity. By nature, they tend to acquire innovative solutions, then immediately stop innovating or investing, which has major ramifications for cybersecurity. Secondly, these vendors tend to amass vintage software that is built with obsolete or unsupported on-premise legacy technology. And, finally, the result is often a mishmash of products where vendors offer multiple flavors of the same type of software.

So, if your vendor offers 40 different products, it should be responsible for providing you with an SBOM for each. But the nature of these energy software holding companies is to overinvest in sales and underinvest in innovation, especially cybersecurity.

The Value of a Unified SaaS ERP for Cybersecurity

W Energy Software has built a modern, energy-focused ERP specifically designed to harness the power of the cloud and sophisticated security capabilities of the Amazon Web Services (AWS) cloud. That’s a strong foundation for cyber security because it provides a single perimeter to safeguard versus dozens. Importantly, W Energy Software has fully funded the processes and people needed to stand guard every moment, proactively thwart threats, and partner to ensure continuous vigilance.

An advantage of our approach is that a unified solution set means a unified bill of materials, enabling us to show our clients at any time that we not only know how deep our software supply chain is, but also that we are only working with secure third-party code. W Energy Software has also adopted Software Package Data Exchange® (SPDX®), an international open standard (ISO/IEC 5962:2021) for communicating the contents of our software supply chain in a format that is expected to become widely adopted in the oil and gas community over the next few years. In an industry that is seeking to harden its cybersecurity, it is now common for oil and gas companies to require proof of basic IT security from software vendors and other suppliers on RFPs and contracts for license renewal. Increasingly, new levels of cybersecurity readiness like SBOM and SPDX will become the new norm.

About W Energy

W Energy Software, headquartered in Tulsa, Oklahoma, revolutionizes the oil and gas industry with its leading cloud-based energy platform. Made for upstream and midstream companies, our platform combines advanced software with deep industry knowledge, offering solutions spanning Field Service Management, Production, Accounting, Land, and Transportation. Countless energy professionals turn to W Energy to help their businesses adapt and grow. As the energy industry evolves, so does W Energy, continuously refining our platform to empower today’s needs and tomorrow’s advancements. Visit us at www.wenergysoftware.com to see how we’re shaping the future of energy operations.