Q1) With the emergence of Data Centric ecosystems over the whole pipeline value chain (from pipe manufacturing to installation), how and when do you expect publication of standards regulating pipeline data format, storage and transfer?
Brad: This is an interesting question. We have a history of evolving formats of Pipeline data models from Esri’s ArcGIS Pipeline Data Model (APDM) evolving to Utility and Pipeline Data Model (UPDM) while in parallel the Pipeline Open Data Standard (PODS) has progressed. Today they both coexist and, in some situations, go hand in hand. We are now entering the era of digital twins which is a dramatic expansion to support the full pipeline value chain especially when you start to consider the interactions of both Gas and Electric systems. It will be a challenging task to establish a standard format, a common domain model, but you can already see major software players working towards this ambition.
Standards for storage and transfer will also be challenged by the pace of the technology, as a given technology may evolve or change before it has had enough time to be qualified. Even for companies that are always looking ahead to technology trends, there is always the risk that by the time coding is complete they already have technical debt. Successful software companies need to be nimble and responsive to technology change through continuous improvement processes.
To summarize, I do see the emergence of data format standards in the next couple of years but though you might have a standard core, each user will have an extended data model to accommodate their specific needs.
Q2) What do you think about the importance of culture change when thinking about digital transformation?
Brad: Culture change is particularly important from two perspectives; one is the willingness to embrace technology and two is security culture.
Digital Transformation means new technology and a new way of working. Employees should be open to accepting changes. Much like Covid has impacted our way of working, digitalization is also changing the way we work. We are also seeing a generational change in the industry; new engineers were born into the digital era and are more adept at the digital world but come into the position without the significant field experience of their predecessors. Digital transformation has helped bridge this ‘knowledge’ gap, bringing together all relevant data and providing contextual value to the data so the new engineers can make informed decisions. Equally important as a culture to embrace digital transformation is a security culture. As data becomes more digital, operators need to establish a security culture with programs addressing people, technology, and processes. Operators who embrace digital transformation will have a more efficient business enabling them to evaluate and pinpoint the most effective measures to ensure a sustainable business and safe operation of their assets.
Q3) Cyber security protocols are becoming critical in the technology era. As an operator what are the things we should consider?
Brad: I recommend that operators who are making a solution selection or even partnering on a joint project are vigilant about the security culture of the software provider or the partner. Security in the era of digital transformation will reflect in their investments in employees, processes, and technology. Employees are one of the weakest links in a company’s security program and it is paramount that your partners take security seriously too. When your partner is a software developer it is even more important as that company needs to embrace a security culture and maintain certified controls to ensure security standards are high.
Q4) How much money and how many resources do attackers need to implement cyber-attacks on critical infrastructures?
Tor Helge: The short answer is that it depends. The cost and complexity of carrying out a cyberattack on critical infrastructure varies significantly depending on how well the system has been designed, as well as how it is operated and maintained. We have seen recent examples of devastating attacks that were carried out with very little cost and resources by exploiting poorly designed remote access solutions and credentials that were not effectively managed.
The bar can however be raised significantly by ensuring proper design of the control network of critical infrastructure, following strict procedures for operation and maintenance, and training all personnel involved in security awareness. By closing all the “low hanging fruits,” an attacker must employ much more sophisticated and expensive techniques to compromise systems.
Q5) What is your take on paying ransom in case of a cyber-attack?
Tor Helge: From an idealistic perspective, paying ransom is clearly not a good idea. The payment goes directly to fund organized crime groups that will use this money to increase their capabilities and attack yet other victims. As far as possible, you should not contribute to this type of activity.
Yet, the reality is not always that simple. When you are facing a sophisticated ransomware attack that is preventing you from normal operation, you could be losing significant revenue as well as inflicting considerable damage to your customers down the line. In worst-case scenarios, entire companies can go bankrupt if the situation is not sorted urgently. Faced with the difficult choice between significant economic loss from the halt of operations and paying a ransom to the bad guys, in practice most companies choose to pay up. Companies should always seek advice from law enforcement in such cases, as there could be opportunities to identify and penalize the attackers and regain ransom payments after the systems have been restored.
Q6) What are the biggest challenges in delivering effective defenses against ransomware?
Tor Helge: The biggest challenge is in my view related to the human factor. Most ransomware attacks are initiated by some form of social engineering attack towards personnel with access to these systems. You cannot completely rule out this vulnerability through technical measures, and it is therefore critical that personnel are properly and regularly trained in identifying and withstanding attempts at this type of trickery. The security awareness training needs to be targeted at the audience and kept up to date with recent developments of threats and attack patterns. Unfortunately, humans are in most cases the weakest link in the security chain.
Q7) What is the real benefit of a cloud-based solution?
Brad: DNV is starting to see the industry adoption of cloud gaining momentum. Just a few years ago the industry was cloud hesitant, but now we see a greater acceptance and ask for a cloud-first approach to solutions.
We also see that operators today are more cognizant of the difference between a desktop solution deployed in the cloud and an application designed for the cloud, with a clear preference for the latter.
A cloud designed solution yields several benefits to customers.
- Performance and scalability are the most anticipated benefits.
- Offers better security – It is a common misunderstanding that cloud compromises data security whereas the reverse is true. Most Cloud providers invest heavily in security and security protocols and offer SLAs guaranteeing data security.
- Higher quality software - While an often-overlooked benefit, a cloud-designed architecture and development process includes microservices and a DevSecOps process. Microservices equate to smaller code sets and the DevSecOps process includes extensive automated testing.
- Greater speed to market. The microservices-based architecture supports a faster time to market for features as you are only making updates to targeted areas of the code. The cloud deployment enables these updates to be pushed to the deployment more frequently as approved by the customer.
- Engaging customers more frequently - Cloud deployment enables a higher degree of customer engagement as new enhancements can be deployed and enabled for customer feedback more easily than having to do a local deployment.
- Learning faster - All the above and the fact that through telemetry, the software developer can learn how you are using the software, where you are getting stuck or having problems and can ensure an effective solution through a continuous improvement process.
Brad Eichelberger, Business Development Manager, DNV
Brad Eichelberger has worked in the pipeline industry for 10 years in various capacities from Head of Pipeline Product Center, Product Manager and Sales Manager. He currently holds a position as Business Development Manager with DNV where he’s responsible for helping our existing and prospective customers realize the value of the pipeline portfolio of solutions.
Tor Helge Kristiansen, Principal Cyber Security Consultant, DNV
Tor Helge has worked for three decades with information security technology in various areas including software development, product management, and technology strategies. He currently holds a position as Principal Cyber Security Consultant with DNV, where he specializes in cyber security for industrial control systems and critical infrastructure, helping companies improve cyber security posture through establishment, assessment and improvement of cyber security governance, technical and procedural security controls, and personnel awareness.