Part 1 – Is Your Oil & Gas Business Built on a House of Cards?
The US digital economy has seen a triple-digit increase in cybersecurity threats with a wartime posture among bad actors that is only accelerating the overall trend toward increasing sophistication, size, and volume of cyberattacks. As energy leaders navigate mounting cybersecurity challenges, key concerns are top of mind including how to ensure business continuity, keep business data safe, and thwart rapidly growing attacks with shrinking IT budgets. W Energy Software’s manager of cybersecurity, Michelle Pellon, brings her voice of authority to our blog where she presents an essential checklist for protecting your software supply chain by working with vendors who understand the risks, have a disaster recovery plan, implement certified security controls, and continuously collaborate with security partners.
Your team would never skip the crucial step of running title on land you plan to lease. Of course not, because the title process is standard operating procedure for ensuring that ownership is correct not just for the current mineral owners but for every previous owner, chaining it all the way back to sovereignty, i.e., the chain of title. We do it to prevent defects and risks from creeping into leases, and software supply chain security works in much the same way.
Right now, defects and risks are lurking in your software, ticking time bombs of vulnerability that expose your organization to cyber-attacks. These might manifest as ransomware at best, or as hijacking of oilfield assets or complete erasure of the digital ecosystem that your operations and revenue depend on. Your software supply chain could be a house of cards, ready to tumble down at any moment.
Software Supply Chain Defined
Think of all of the software your team uses each day. For upstream, this ranges from field data capture, allocations, and production reporting to lease administration, GIS, division order, and revenue disbursement. Midstream needs a raft of software too, including gathering, transportation, gas processing, terminal management, and marketing. And all energy businesses share a common need to manage core financials, regulatory, and tax. That’s a lot of software.
Your software supply chain is defined by the primary pieces of software you run your business on; let’s assume you have 10 (and that’s a low estimate). Those discrete products might be provided by a multitude of vendors, each built with different technologies at different times and with varying levels of innovation. But understanding where your software supply chain vulnerabilities are isn’t a simple matter, if you can even call it simple, of analyzing your 10 pieces of software and ensuring you are running on the latest version that is theoretically patched against known exploits. No, you need to understand the thousands of sub-components, open source libraries, and databases your vendors have built their products on.
In today’s complex cyberspace and ever-evolving digital oilfield, software vendors who claim to provide secure solutions must also vouch for each and every piece of software they have used to build their products, a very long supply chain that most vendors can’t even begin to untangle.
The Big Gotcha for Legacy Software and “Product Soup”
If chain of title is standard operating procedure for leasing land, then oil & gas teams need an SOP for licensing their software. A software bill of materials (SBOM) is just that, a transparent and documented record of third-party components, licenses, copyrights, and security references. So, the next time you think about your land management software, for example, understand that it’s just the tip of a vast iceberg underneath the surface and that without an SBOM from your vendors, your team is in dangerous waters indeed when it comes to cybersecurity.
In our industry, there are three types of software vendors. First are the startups and pure play software providers, focused on one type of software and inevitably snapped up and acquired by the second type, which may have started off as a pure play but now resorts to growth through acquisition. Let’s call the latter software holding companies. The third type is a diversified software provider that offers many solutions but maintains a single code base even when they acquire other software vendors. That’s W Energy Software.
Software holding companies have a critical flaw when it comes to cybersecurity. By nature, they tend to acquire innovative solutions then immediately stop innovating or investing, which has major ramifications for cybersecurity. Secondly, these vendors tend to amass vintage software that is built with obsolete or unsupported on-premise legacy technology. And finally, the result is often a mishmash of products, or product soup, where vendors offer multiple flavors of the same type of software.
So, if your vendor offers 40 different products, they should be responsible for providing you with an SBOM for each. But the nature of these energy software holding companies is to overinvest in sales and underinvest in innovation, especially cybersecurity. Ask them for an SBOM and you won’t get 40, you’ll get nothing and a whole lot of promises. But promises won’t prevent defects in their software from crashing your business.
The Beauty of a Unified SaaS ERP is a Single SBOM
W Energy Software has built a modern, energy-focused ERP specifically designed to harness the power of the cloud and the sophisticated security capabilities of the Amazon Web Services (AWS) cloud. That’s an awesome foundation for cybersecurity because it provides a single perimeter to safeguard versus dozens. And, this is important, W Energy Software has fully funded the processes and people needed to stand guard every moment, proactively thwart threats, and partner to ensure continuous vigilance.
A big upshot of our approach is that a unified solution set means a unified bill of materials, enabling us to show our clients at any time that we not only know how deep our software supply chain is, but also that we are only working with secure third-party code.
I strongly encourage your team to challenge your software vendors and ask for an SBOM covering each of the products they license you. I suspect this request, if acknowledged, will trigger a fire drill at your vendor and culminate in a spreadsheet of copied-and-pasted code libraries, open source components, and other software dependencies. That’s not an SBOM, that’s a smoke screen. In today’s mature digital economy, oil & gas teams deserve what has become commonplace in other industries, such as healthcare, which is about 5 years ahead of energy on the cybersecurity front. Instead of a spreadsheet, W Energy Software has adopted Software Package Data Exchange® (SPDX®), an international open standard (ISO/IEC 5962:2021). And this level of commitment to the security of your data and business continuity is exactly what you should expect from your software vendors.
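To make the difference between a spreadsheet and a real SBOM concrete, here is a small added example (not W Energy Software’s code) that audits an SPDX 2.3 JSON document for the fields the post calls out: version, supplier, license, a security or package identifier, and a relationship tying the component into the product. The sample document and the "example-erp" / "example-lib" / "legacy-util" package names are constructed for illustration and trimmed to the fields the check reads.

```python
"""Audit a minimal SPDX 2.3 JSON SBOM for the fields a usable vendor SBOM should carry."""
import json

# Constructed sample document: two well-described packages and one "spreadsheet-grade" entry.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-erp-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "example-erp", "versionInfo": "4.2.0",
         "supplier": "Organization: Example Vendor", "licenseConcluded": "LicenseRef-Proprietary",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/example-erp@4.2.0"}]},
        {"SPDXID": "SPDXRef-Package-lib", "name": "example-lib", "versionInfo": "1.4.2",
         "supplier": "Organization: Example Upstream Project", "licenseConcluded": "Apache-2.0",
         "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                           "referenceLocator": "cpe:2.3:a:example:example-lib:1.4.2:*:*:*:*:*:*:*"}]},
        # No version, no supplier, no license, no identifier, and nothing depends on it.
        {"SPDXID": "SPDXRef-Package-util", "name": "legacy-util",
         "licenseConcluded": "NOASSERTION", "externalRefs": []},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-app"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-lib"},
    ],
})

# Fields whose absence (or NOASSERTION) leaves a component that cannot be matched to advisories.
REQUIRED_FIELDS = ("versionInfo", "supplier", "licenseConcluded")


def audit_sbom(sbom_json: str) -> dict:
    """Return {package name: [problems]} for every package that falls short of a usable entry."""
    doc = json.loads(sbom_json)
    relationships = doc.get("relationships", [])
    # Any SPDXID that appears on either side of a relationship is part of the dependency graph.
    linked = {r["spdxElementId"] for r in relationships} | {r["relatedSpdxElement"] for r in relationships}
    findings = {}
    for pkg in doc.get("packages", []):
        problems = [f"missing {f}" for f in REQUIRED_FIELDS if pkg.get(f) in (None, "", "NOASSERTION")]
        # A CPE (SECURITY) or purl (PACKAGE-MANAGER) is what lets a scanner match the component.
        if not any(r["referenceCategory"] in ("SECURITY", "PACKAGE-MANAGER") for r in pkg.get("externalRefs", [])):
            problems.append("no security/package identifier (CPE or purl)")
        if pkg["SPDXID"] not in linked:
            problems.append("not linked by any relationship")
        if problems:
            findings[pkg["name"]] = problems
    return findings
```

A clean result from `audit_sbom` is the minimum bar; a vendor that cannot produce it for every licensed product is handing you the spreadsheet the post warns about.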
That’s a wrap for this blog. If you missed the introduction, be sure to read it here to understand why cybersecurity threats are skyrocketing and don’t miss my next post where I’ll delve into what your software vendors should be doing to protect your oil & gas data.