5 Business Critical Things Every Energy Company Should Know About Their Software and Cybersecurity – Part 2

Part 2 – How to Defend Your Data in the Digital Oilfield

The US digital economy has seen a triple-digit increase in cybersecurity threats with a wartime posture among bad actors that is only accelerating the overall trend toward increasing sophistication, size, and volume of cyberattacks. As energy leaders navigate mounting cybersecurity challenges, key concerns are top of mind including how to ensure business continuity, keep business data safe, and thwart rapidly growing attacks with shrinking IT budgets. W Energy Software’s manager of cybersecurity, Michelle Pellon, brings her voice of authority to our blog where she presents an essential checklist for protecting your software supply chain by working with vendors who understand the risks, have a disaster recovery plan, implement certified security controls, and continuously collaborate with security partners.

Right at the beginning of the COVID-19 pandemic, many information security professionals had more than a few sleepless nights as they responded to a massive surge of cyber-attacks with ransomware leading the charge. That’s because companies sent their employees home to work on computers and devices that were not immediately under corporate information technology management. For hackers, the start of the pandemic was a field day. Many companies lost data, had important intellectual property corrupted, and suffered lasting brand damage from the ripple effect to their customers.

This example of a cyber catastrophe demonstrates two important lessons for protecting your valuable business data. First, assumptions are dangerous – many employers assumed that their data is safe on their corporate local area network, guarded by a digital firewall. Work from home policies showed how assumptions can backfire as staff worked outside the security zone, creating asymmetrical threats. Second, the weakest security link in every organization are “end points,” i.e., people on your team, contractors, vendors, and suppliers. Oil & gas teams need a quality network firewall and virtual private network for their employees and, importantly, they need a human firewall to give your data the best chance of survival in the digital oilfield.

Top Threats to Your Oil & Gas Data

The digital oilfield has been around for a while, with the physical networks of SCADA devices and meters in the oilfield having been built out over decades. From a security perspective, the actual devices are theoretically safe because they are air gapped (control network is physically separated from a business network), but the PC’s that are used to manage a lot of oilfield digital infrastructure still run on old versions of Windows that are no longer supported, patched, or protected. Why? Because it’s less disruptive to do nothing, and, well, why fix or pay for it if it isn’t broke? This pervasive attitude across the entire digital oilfield – SCADA, legacy on-premise ERP, cloud, mobile devices – really sets the industry up with a host of vulnerabilities that bad actors are increasingly exploiting.

You can’t really understand just how devastating a cyber-attack can be until your organization has been impacted. More than at any other time we rely on data to make daily decisions in the oil & gas business. And our digital oilfield ecosystem is under assault from myriad threats, including:

• Rise of organized cybercrime has made ransomware an everyday threat to your data and bottom line.
• E-mail, text messages, or calls lure you to open malware or unknowingly provide passwords (phishing attempts) aim to intercept wire transfers or to obtain confidential data to sell.
• Account takeover/theft of your oil & gas business’s identity and credibility to phish your customers and supply chain.
• Spillover to your organization from vulnerabilities and cyber-attacks on your supply chain (recall the SolarWinds hack?).

And many more threats are out there with an ever-evolving arsenal of vectors to get past your defenses, including computer viruses, trojan horse hacks, and worms.

Defending Data in Your Software Supply Chain

In my last blog, I advised oil & gas teams to ask vendors for a software bill of materials, exposing vulnerabilities and risks in their software supply chain from the hundreds or thousands of subcomponents and open source code a single solution is built on. Today, I’m advising you to ask your providers how safe your business-critical data is in their hands.

For our part, W Energy Software is a vendor whose #1 priority is your data, which is why we selected Amazon Web Services (AWS) as our application, data, and security foundation. Our clients benefit from SOC 1 & 2 (Types I & II) compliant physical and digital infrastructure, which W Energy Software has extended to provide additional application-level controls using technologies such as AWS Web Application Firewall (WAF) and AWS Shield. Each of our clients’ data is completely isolated, protected with bank-grade encryption, and only accessible over the web using Secure Sockets Layer (SSL). And we never assume that our data backups are stable, which is why we test every backup from our platform to ensure integrity.

W Energy Software has built a world class human firewall through superior knowledge and training. Every W Energy Software DevOps team member has achieved a minimum of AWS Certified Solutions Architect Associate, demonstrating extensive expertise of AWS virtual computing and platform services. Adding firepower, all of our developers, quality assurance, and DevOps staff complete extensive training on the Open Web Application Security Project (OWASP) Top 10, which is the gold standard for web application security. Security education starts on day one for every W Energy Software employee, requiring all staff to demonstrate their knowledge of security best practices.

Finally, everything is documented. From training and security controls to audits and response plans, our IT Security Policy is meticulously maintained to meet evolving threats head-on. At the end of the day, we want our clients to know that W Energy Software is the right vendor with the right people, processes, and technology in place to safeguard the business data your oil & gas operations run on.

That’s all for now! Stay tuned for the next blog in my series on software supply chain security where I’ll explore just how damaging a cyber-attack can be and the ways W Energy Software can help you recover from a disaster. Also, if you haven’t already, check out my previous blog in my series where I advised oil & gas teams on how to ask vendors for a software bill of materials.

About W Energy Software

Headquartered in Tulsa, Oklahoma, W Energy Software offers the oil & gas industry’s only unified ERP solution built for the cloud that is relied on by more than 130 upstream and midstream companies to accelerate business performance, improve operational efficiency, and drive costs down.  W Energy Software combines precision-built software in one extendable cloud-based workspace with an intimate understanding of the oil & gas business to deliver solutions that offer flexibility, affordability, and continuous upgrades.  Unlike other ERP software that loosely ties together a mix of legacy solutions and fragmented technologies, W Energy Software designed a unified upstream and midstream ERP platform to seamlessly track oil, gas, and NGL from the wellhead through transportation and marketing, eliminating data silos as well as the burden and costs of maintaining multiple systems.  With W Energy Software, oil & gas companies stay lean and agile with the tools they need to adapt to market changes and meet evolving customer needs head-on, all while gaining the confidence that their business is running on the latest technology. For more information, please visit www.wenergysoftware.com.

Michelle Pellon, DevOps Information Security Manager at W Energy SoftwareA native of Houston, Michelle began her IT career as a programmer on the Human Genome Sequencing Project. Her passion for security quickly shaped her career as she moved into a critical role working with Federal law enforcement teams to fight child exploitation online. Michelle directs the DevOps and Cybersecurity strategy for W Energy Software, connecting corporate operational and security objectives to business initiatives. Additionally, she shares her message about evolving how people think about and approach security, privacy, and trust through speaking engagements at various conferences and other events. When not engaged in security research and advocacy, she is also an accomplished sailor with the Houston Yacht Club..