Software Supply Chain Security: It’s Time to Have “The Talk” with your Software Vendors
The US digital economy has seen a triple-digit increase in cybersecurity threats, and a wartime posture among bad actors is only accelerating the overall trend toward increasing sophistication, size, and volume of cyberattacks. As energy leaders navigate mounting cybersecurity challenges, key concerns are top of mind, including how to ensure business continuity, keep business data safe, and thwart rapidly growing attacks with shrinking IT budgets. W Energy Software’s manager of cybersecurity, Michelle Pellon, brings her voice of authority to our blog, where she presents an essential checklist for protecting your software supply chain by working with vendors who understand the risks, have a disaster recovery plan, implement certified security controls, and continuously collaborate with security partners.
When it comes to your digital oilfield ecosystem, there is a new world order. Quietly and without press releases from the bad actors, a surge of activity has moved hackers from virtual back alley deals to main street shops. The organized crime of cyberattacks, especially from ransomware, is now big business and here to stay. But it’s not just energy companies that are vulnerable targets – if your team relies on any type of software to run your oil & gas business, then you are at high risk unless each of your vendors has the right strategy, processes, and partnerships to always stand guard and rapidly respond to cybersecurity threats.
An Evolving Cybersecurity Landscape
A recent Global Risks Report places cybersecurity failures among the top mid-term global threats. Security firm SonicWall estimates that in 2021 corporate information technology teams faced 623 million ransomware attacks, a 105% year-over-year increase. Other staggering numbers include a 1,885% increase in attacks directed at the government, 755% for healthcare, 152% for education, and 21% for retail.
The energy industry is also at risk, more so than other sectors given the unique complexities and vulnerabilities of the digital oilfield. Cyber risks continue to evolve as the digital transformation of the energy sector accelerates along with the associated information systems, from wellhead SCADA and flow meters to the back office and city gates.
The Energy Software Supply Chain Security Challenge
Your software ecosystem is the most complex and challenging space to manage cybersecurity risks. If you use 5 different software packages as an upstream operator, say production accounting, division order, lease admin, financials, and revenue accounting, then you inherit the risk from all of the subsystems and open source software those 5 packages are built on, which exposes your team to hundreds or even thousands of potential vulnerabilities. Software supply chain security also extends to your vendor’s IT security and the capabilities they provide for data security, business continuity, and auditing of internal controls. Importantly, best-in-class cybersecurity is also built on partnerships and continuous innovation.
Ransomware operations are truly starting to look and feel like a business, albeit organized crime, with specialists who source prospects, infiltrate, and manage customer service/payments. But that’s as good as it gets in cyberspace: at least these bad actors are in it for the profits. Threats and postures, however, can be very fluid. Regimes that suddenly find their energy sector under international sanctions today may respond in turn with cyberattacks on global energy infrastructure tomorrow. We all need to be prepared.
Top Cybersecurity Questions Vendors Should Have Great Answers To
It’s time to have “the talk” with your energy software providers. If they don’t have great answers to each and every one of the following questions, then those vendors who claim to have your interest as a priority are simply neglecting your interests. Use these questions as a conversation starter the next time your team is invited to a technology update (i.e., sales presentation) or visit to a vendor’s innovation center with the red carpet treatment.
- What is your strategy for software supply chain security?
- What are you doing to protect my data right now?
- How quickly can I recover my software/data if attacked?
- What service organization controls (SOC) do you have in place?
- When it comes to cybersecurity, how is your team innovating/adding value?
Multiple energy software vendors make for a lot of awkward conversations. W Energy Software has taken the leadership position in cyber resiliency, protecting our organization and SaaS ERP clients with continual threat assessment, disaster recovery and business continuity readiness, and by collaborating with security, energy, and law enforcement partners. Plus, because we provide a single code base for upstream (accounting, land, production ops, tax) and midstream (plant accounting, terminal management, transportation, marketing), having the talk with our clients is simple, and it enables us to provide the right answer to each of these questions.
Over the course of the next 5 blog posts, I’ll show you why W Energy Software should be your vendor of choice, starting with our approach to managing your software supply chain vulnerabilities, so stay tuned!