OTC 2022 header image

HOUSTON—It’s unrealistic to expect to protect all assets from the threat of a cyberattack, but it is possible to minimize risk, according to a cybersecurity expert.

“You’re not going to protect everything all the time,” Nicholas Andersen, COO at Invictus International Consulting, said May 2 during “The Cyber War Among Us” executive dialogue at Offshore Technology Conference (OTC) in Houston.

Instead, he said, companies can prioritize protection for areas that could have the “highest consequences” if a cyberattack succeeded and then build layers of defense around that.

And the entire industry is facing a cyberwar.

“Each of you is on the front lines of this war that was never declared,” Andersen said.

It may not have been declared, but attacks are constantly evolving, and it would behoove the industry to have a community of people with whom they share information, he added.

“With cybersecurity, what affects you today is going to affect me tomorrow,” he said. “New vulnerabilities and attack methods are being discovered every day.”

One method is to breach a system and linger hidden for some time as they work to gain influence, he said.

“It doesn’t matter that you don’t see them today. They don’t want you to see them today. They want to lay in wait until a time of their choosing,” he said.

Andersen said information technology (IT) and operational technology (OT) teams should work much more closely together. The conversation needs to start with prioritizing potential consequences and should have risk owners “who can drive change on the OT and IT sides.” 

And groups like Linking the Oil and Gas Industry to Improve Cybersecurity (LOGIIC) can help with things like teasing out root cause analysis, he said.

While the industry has a strong focus on safety, Andersen said cybersecurity should be just as integral.

“Cybersecurity needs to be baked into that safety conversation,” he said.

And there are many potential points of entry into a company’s system.

“One of the greatest vulnerabilities we have is visibility into the supply chain,” including things that are integrated into the systems, he said.

Things to consider when working with original equipment manufacturers include how an item is being built and secured and how it would be maintained over the course of its life cycle, Andersen said.

And maintaining cybersecurity is becoming even more difficult as more connected devices enter the world and the Internet of Things increases in scope.

The market is exploding with the technology in such a way that it’s difficult to understand the whole supply chain and how they’re managing security, he said. That means there is a lot of risk associated with those items, he said.

“We’re still losing sleep over traditional IT systems and the vulnerabilities there, and that’s been around for years,” he said. He does, however, anticipate changes in requirements for IoT devices.

But as a cybersecurity expert, there are certain things he doesn’t do.

“I don’t have a smart anything in my house. Alexa’s not getting through my front door,” Andersen said.


How BP is Optimizing Gulf of Mexico for Net-zero World

Turning US Offshore Wind Challenges into Opportunities

Diversity Failures are Hurting the Bottom Line

Full-Field Development—Revitalizing Oil and Gas Fields: Schlumberger