OILMAN Article: Software Supply Chain Security in the Digital Oil Field

A surge of cyber-attacks over the last few years has moved hackers from virtual back alley deals to main street shops. The organized crime of digitally exploiting businesses for profit, especially from ransomware, is now big business and here to stay. Recent reports place cybersecurity failures among the top mid-term global threats with corporate information technology teams in 2021 facing an estimated 623 million ransomware attacks (a 105 percent year over year increase). It is estimated that cyber-attacks will cost companies around the globe $10.5 trillion annually by 2025, which is a $7.5 trillion increase from 2015, representing the biggest transfer of wealth in history.

It’s not just large enterprises that are under assault. Small and medium-sized businesses are increasingly the target of more advanced, frequent, and devastating cybercrime. The Cost of Cybercrime Study from Accenture cites 43 percent of all cyber-attacks now target small to medium-sized businesses, yet only 14 percent of these companies have the people, processes and technology in place to defend against cybercrime.

The energy industry is at risk as well, more so than other sectors due to the unique complexities and vulnerabilities of the digital oil field. Cyber risks continue to evolve as digital transformation of the energy sector accelerates along with the associated information systems, from wellhead SCADA and flow meters to the back office and city gates.

Energy companies are vulnerable targets, and so is the software they use to run critical oil and gas business functions, including accounting, land management, production management, logistics and regulatory. Because of these software supply chain risks, energy companies must ensure that each of their vendors has the right strategy, processes and partnerships to stand guard and rapidly respond to cybersecurity threats.

Understanding Digital Oil Field Software Supply Chain Risks

Oil and gas teams would never skip the crucial step of running title on land they plan to lease. Of course not, because the title process is standard operating procedure for ensuring that ownership is correct, not just for the current mineral owners, but for every previous owner chaining it all the way back to sovereignty, i.e., the chain of title. We do it to prevent defects and risks from creeping into leases. Software supply chain security works in a very similar fashion.

Think of all of the software your team uses each day. For upstream, this ranges from field data capture, allocations and production reporting to lease administration, GIS, division order and revenue disbursement. Midstream needs a raft of software too, including gathering, transportation, gas processing, terminal management and marketing, and all energy businesses share a common need to manage core financials, regulatory and tax. That’s a lot of software.

Your software supply chain is defined by the primary pieces of software you run your business on. Let’s assume you have 10 (and that’s a low estimate). Those discrete products might be provided by a multitude of vendors, each built with different technologies at different times and with varying levels of innovation. But understanding where your software supply chain vulnerabilities are isn’t a simple matter of analyzing your 10 pieces of software and ensuring you are running the latest version, patched against known exploits. You also need to understand the thousands of sub-components, open-source libraries and databases your vendors have built their products on.

In today’s complex cyberspace and ever evolving digital oil field, software vendors who claim to provide secure solutions must also vouch for each and every piece of software they have used to build their products, a very long supply chain that most vendors can’t even begin to untangle.

Software Bill of Materials Defined

If chain of title is standard operating procedure for leasing land, then oil and gas teams need an SOP for licensing their software. A software bill of materials (SBOM) is just that, a transparent and documented record of third-party components, licenses, copyrights and security references. So, the next time you think about your production accounting software, for example, understand that it’s just the tip of a vast iceberg underneath the surface and that without an SBOM from your vendors, your team is in dangerous waters indeed when it comes to cybersecurity.

In our industry, there are three types of software vendors. First, are the startups and pure play software providers, focused on one type of software and inevitably snapped up and acquired by the second type, which may have started off as a pure play but now resorts to growth through acquisition. Let’s call the latter software holding companies. The third type is a diversified software provider who offers many solutions but maintains a single code base even when it acquires other software vendors.

Software holding companies have a critical flaw when it comes to cybersecurity. First, by nature, they tend to acquire innovative solutions, then immediately stop innovating or investing, which has major security ramifications. Second, these vendors tend to amass vintage software that is built with obsolete or unsupported on-premise legacy technology. And, finally, the result is often a mishmash of products where vendors offer multiple flavors of the same type of software.

So, if your vendor offers 40 different products, it should be responsible for providing you with an SBOM for each. But the nature of these energy software holding companies is to overinvest in sales and underinvest in innovation, especially cybersecurity.

The Value of a Unified SaaS ERP for Cybersecurity

W Energy Software has built a modern, energy-focused ERP specifically designed to harness the power of the cloud and sophisticated security capabilities of the Amazon Web Services (AWS) cloud. That’s a strong foundation for cyber security because it provides a single perimeter to safeguard versus dozens. Importantly, W Energy Software has fully funded the processes and people needed to stand guard every moment, proactively thwart threats, and partner to ensure continuous vigilance.

An advantage of our approach is that a unified solution set means a unified bill of materials, enabling us to show our clients at any time that we not only know how deep our software supply chain is, but also that we are only working with secure third-party code. W Energy Software has also adopted Software Package Data Exchange® (SPDX®), an international open standard (ISO/IEC 5962:2021) for communicating the contents of our software supply chain in a format that is expected to become widely adopted in the oil and gas community over the next few years. In an industry that is seeking to harden its cybersecurity, it is now common for oil and gas companies to require proof of basic IT security from software vendors and other suppliers on RFPs and contracts for license renewal. Increasingly, new levels of cybersecurity readiness like SBOM and SPDX will become the new norm.
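As an added illustration, not code from the article or from W Energy Software, here is a short Python check over a constructed SPDX 2.3 JSON document. It follows the DEPENDS_ON chain from the product the document DESCRIBES (the software equivalent of running title back through each prior owner), reports how deep the chain goes, and flags third-party packages that carry no concluded license, no checksum, or no package URL (purl) for matching against advisories. Package names, versions and checksums are made up.

```python
import json
from collections import defaultdict

# Constructed SPDX 2.3 JSON sample (not a real vendor SBOM), trimmed to the fields the checker reads.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "production-accounting-example",
    "packages": [
        {"SPDXID": "SPDXRef-App", "name": "production-accounting", "licenseConcluded": "LicenseRef-Proprietary",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "0" * 64}]},
        {"SPDXID": "SPDXRef-WebFw", "name": "web-framework", "licenseConcluded": "MIT",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "1" * 64}],
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/web-framework@4.2.0"}]},
        {"SPDXID": "SPDXRef-Tpl", "name": "template-engine", "licenseConcluded": "NOASSERTION", "checksums": []}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-App"},
        {"spdxElementId": "SPDXRef-App", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-WebFw"},
        {"spdxElementId": "SPDXRef-WebFw", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Tpl"}]})

def review_sbom(doc_text):
    """Walk DEPENDS_ON edges from the described product; return (max chain depth, sorted findings)."""
    doc = json.loads(doc_text)
    pkgs = {p["SPDXID"]: p for p in doc["packages"]}
    deps, roots = defaultdict(list), []
    for r in doc["relationships"]:
        if r["relationshipType"] == "DEPENDS_ON":
            deps[r["spdxElementId"]].append(r["relatedSpdxElement"])
        elif r["relationshipType"] == "DESCRIBES" and r["spdxElementId"] == doc["SPDXID"]:
            roots.append(r["relatedSpdxElement"])
    findings, seen, depth = [], set(), 0
    stack = [(root, 0) for root in roots]
    while stack:                      # depth-first walk; 'seen' guards against cyclic relationships
        pid, level = stack.pop()
        if pid in seen: continue
        seen.add(pid)
        depth = max(depth, level)
        p = pkgs.get(pid)
        if p is None:                 # dangling relationship: the chain of title is broken here
            findings.append(f"{pid}: referenced but not listed in packages")
            continue
        if p.get("licenseConcluded", "NOASSERTION") == "NOASSERTION":
            findings.append(f"{p['name']}: no concluded license")
        if not p.get("checksums"):
            findings.append(f"{p['name']}: no checksum, so the artifact cannot be verified")
        if level > 0 and not any(x.get("referenceType") == "purl" for x in p.get("externalRefs", [])):
            findings.append(f"{p['name']}: no purl, so it cannot be matched to vulnerability advisories")
        stack.extend((d, level + 1) for d in deps[pid])
    return depth, sorted(findings)
```

Running `review_sbom(SAMPLE_SBOM)` on the sample reports a chain two levels deep and three findings, all against the transitive template-engine package that the vendor never documented.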


The full featured article appears in The Oilman Magazine’s May-June 2022 digital publication.



About W Energy Software

Headquartered in Tulsa, Oklahoma, W Energy Software offers the oil & gas industry’s only unified ERP solution built for the cloud that is relied on by more than 130 upstream and midstream companies to accelerate business performance, improve operational efficiency, and drive costs down. W Energy Software combines precision-built software in one extendable cloud-based workspace with an intimate understanding of the oil & gas business to deliver solutions that offer flexibility, affordability, and continuous upgrades. Unlike other ERP software that loosely ties together a mix of legacy solutions and fragmented technologies, W Energy Software designed a unified upstream and midstream ERP platform to seamlessly track oil, gas, and NGL from the wellhead through transportation and marketing, eliminating data silos as well as the burden and costs of maintaining multiple systems. With W Energy Software, oil & gas companies stay lean and agile with the tools they need to adapt to market changes and meet evolving customer needs head-on, all while gaining the confidence that their business is running on the latest technology. For more information, please visit www.wenergysoftware.com.



Michelle Pellon, DevOps Information Security Manager, W Energy Software
A native of Houston, Michelle began her IT career as a programmer on the Human Genome Sequencing Project. Her passion for security quickly shaped her career as she moved into a critical role working with Federal law enforcement teams to fight child exploitation online. Michelle directs the DevOps and Cybersecurity strategy for W Energy Software, connecting corporate operational and security objectives to business initiatives. Additionally, she shares her message about evolving how people think about and approach security, privacy, and trust through speaking engagements at various conferences and other events. When not engaged in security research and advocacy, she is also an accomplished sailor with the Houston Yacht Club.