This week’s Pipeliners Podcast episode features Annie McIntyre of EverLine discussing the evolving cyber threat landscape in the oil and gas pipeline industry.
In this episode, you will learn about the importance of cybersecurity in the oil and gas industry. The conversation will cover lessons learned from various cyber security attacks, such as the recent high-profile Colonial Pipeline Incident, and how these attacks have pushed for more proactive compliance.
Russel and Annie also discuss what pipeline operators can do to protect themselves during the current Russian/Ukrainian war. Finally, Annie provides a glimpse into the future of cybersecurity technology.
Pipeline Cyber Threat Landscape: Show Notes, Links, and Insider Terms
- Annie McIntyre is the Director of Security at EverLine. Connect with Annie on LinkedIn.
- EverLine provides fully-integrated compliance, SCADA/IT, control room, and security services to pipeline operators and other companies in the energy industry.
- Annie was the founder and CEO of Ardua Strategies, Inc., which was an operational security consulting company that focused on critical infrastructure and energy. The corporation was acquired by EverLine in 2021.
- Sandia National Laboratories (SNL) is one of three National Nuclear Security Administration research and development laboratories in the United States. Their primary mission is to develop, engineer, and test the non-nuclear components of nuclear weapons and high technology.
- ICS Security (Industrial Control System Security) involves safekeeping and securing industrial control systems and the necessary software and hardware used by the system.
- Colonial Pipeline Cybersecurity Incident: In May 2021, a cyber attack was launched against Colonial Pipeline that eventually resulted in the payment of $4.4 million to resolve the attack. The attackers gained access to Colonial’s systems and data through an unmonitored VPN by stealing a single password.
- NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) is a plan that is designed to secure assets required for operating North America’s bulk electric system.
- SolarWinds Incident: On December 13, 2020, a highly sophisticated cyber intrusion leveraged a commercial software application made by SolarWinds. It was determined that the advanced persistent threat (APT) actors infiltrated the supply chain of SolarWinds, inserting a backdoor into the product. As customers downloaded the Trojan Horse installation packages from SolarWinds, attackers were able to access the systems running the SolarWinds product(s).
- Stuxnet is a computer worm that targets SCADA systems. It is commonly referred to as the first cyber weapon.
- Duqu is a collection of computer malware discovered in September 2011 that was thought to be related to the Stuxnet worm.
- Shamoon disables computers by overwriting a crucial file known as the master boot record, making it impossible for devices to start up. Former U.S. Defense Secretary Leon Panetta said the 2012 Shamoon hack on Saudi Aramco was probably the most destructive cyber-attack to date on a private business.
- Nashville Bombing: On December 25, 2020, Anthony Quinn Warner detonated a recreational vehicle bomb in downtown Nashville, Tennessee, killing himself, injuring eight people, and damaging dozens of buildings in the surrounding area.
- TSA Pipeline Security Guidelines require owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas to implement a number of urgently needed protections against cyber intrusions.
- PHMSA (Pipeline and Hazardous Materials Safety Administration) is responsible for providing pipeline safety oversight through regulatory rulemaking, NTSB recommendations, and other important functions to protect people and the environment through the safe transportation of energy and other hazardous materials.
- Master Service Agreement (MSA) is a contract used by oil and gas companies to enter into an agreement in advance with their contractors that specifies the terms and conditions that will govern the contractors’ work.
- API 1164 (Pipeline Control Systems Cybersecurity) 3rd Edition was released in April 2021. The new version of the RP provides a comprehensive approach to cyber defense for critical infrastructure.
- IEC 62443 was developed to secure industrial automation and control systems (IACS) throughout their lifecycle.
- NIST Special Publication 800-53 is part of the Special Publication 800-series that reports on the Information Technology Laboratory’s (ITL) research, guidelines, and outreach efforts in information system security, and on ITL’s activity with industry, government, and academic organizations.
- ISO/IEC 27032 refers to “Cybersecurity” or “Cyberspace security,” which is defined as the protection of the privacy, integrity, and accessibility of data and information in cyberspace.
- Operational Technology (OT) cybersecurity references the software, hardware, practices, personnel, and services deployed to protect operational technology infrastructure, people, and data.
- The Cybersecurity and Infrastructure Security Agency (CISA) is a United States federal agency, an operational component under Department of Homeland Security (DHS) oversight. Its activities are a continuation of the National Protection and Programs Directorate (NPPD).
- SCADA (Supervisory Control and Data Acquisition) is a system of software and technology that allows pipeliners to control processes locally or at remote locations.
- W. Edwards Deming is the founder of the Plan-Do-Check-Act cycle, a framework for achieving continuous improvement in pipeline operations, such as in a Pipeline Safety Management System (Pipeline SMS/PSMS).
- Total Quality Management (TQM) is a combination of quality and management tools by which management and employees become involved in the continuous improvement of operations.
Pipeline Cyber Threat Landscape: Full Episode Transcript
Russel Treat: Welcome to the Pipeliners Podcast, episode 222, sponsored by EnerACT Energy Services, supporting pipeline operators to achieve Natural Compliance through plans, procedures, and tools implemented to automatically create and retain required records as work is performed. Find out more about EnerACT Energy Services at EnerACTEnergyServices.com.
Announcer: The Pipeliners Podcast, where professionals, Bubba geeks, and industry insiders share their knowledge and experience about technology, projects, and pipeline operations. Now, your host, Russel Treat.
Russel: Thanks for listening to the Pipeliners Podcast. I appreciate that you’re taking the time, and to show the appreciation, we give away a customized YETI tumbler to one listener every episode. This week, our winner is McKinley Rincon with Magellan Midstream. Congratulations. Your YETI is on its way. To learn how you can win this signature prize, stick around till the end of the episode.
This week, Annie McIntyre, Director of Security at EverLine, joins us to talk about the evolving cybersecurity threat landscape. Annie, thanks so much, and welcome to the Pipeliners Podcast.
Annie McIntyre: Thank you, sir.
Russel: Before we dive in, I’m going to do what I often do. I’m going to ask you to tell us a little bit about your background. How’d you get into ICS cybersecurity?
Annie: It’s a great question. By trade, my background and education are really more in computer science and geology. Coming out of college when I did, computer science was the field to be in. I was always very interested in the energy space, but the jobs were in computer science. My background is actually in military systems. That’s where I got my start.
I was changing jobs. I was leaving federal service, the Department of the Army, taking a job with Sandia National Laboratories. If you have ever had government clearance, you know they don’t translate from one organization to another. I had a Department of Defense clearance. I needed to get a Department of Energy clearance.
My first day at Sandia, they said, “Hey, we’ve got this energy project. While you’re waiting on your clearance, maybe you’d like to take a look at the threats to oil and gas.” This was coming right off the heels of 9/11. DHS was new.
Russel: So this was 2001 time frame.
Annie: Yeah. It was the early 2000s. Those critical infrastructure sectors had been defined. There were a lot of steps to secure those. The landscape was wide open at that point. We all knew we needed to really address critical infrastructure security. It was like, “Where do we start?”
One thing I realized very quickly was a lot of the work that had been done in the defense sector – looking at threats, looking at mitigations, that entire landscape – could be translated to securing the energy space.
I worked for a number of years at Sandia on projects specifically for oil and gas. Those were trying to solve problems that were present today. It wasn’t 10 years out, 20 years out, 30 years out. It was how can we fix the security issues of today. I found that really intriguing and then, in 2011, decided to start my own company squarely in that space.
I had Ardua Strategies for a little over a decade. We worked across critical infrastructure, but the lion’s share of that was in oil and gas. The lion’s share of that was in the midstream space. It really just focused on securing difficult landscapes. It was geographically disparate systems, legacy systems, new systems. These were complex problems to try to solve. I found it very interesting.
Anytime you can step back and say “I’m doing something to make sure that the country runs as it should. Everybody gets their fuel. Everybody gets their heat,” that’s a very rewarding space. That’s where we’re firmly planted, in the OT world.
Russel: Did you have any idea, when you started out at Sandia, that you’d be doing what you’re doing now?
Annie: No. I really didn’t. I really didn’t, but I love the oil and gas space and, just having a little bit of background in geology, always found it extremely fascinating. It’s a fast-moving space. It’s a space that’s full of a lot of hard workers. I love that environment.
It’s a different problem every day to solve. If you’re a person that likes that, you like that challenge, you don’t like doing the same thing over and over again, then this is the space for you.
Russel: That’s certainly one of the things I always tell people about cybersecurity. It’s one of those jobs where you have to stay current. You get out of the current very quickly.
Russel: I recently did a presentation for an organization on cybersecurity. I started it by saying, “First off, you need to know I am not a cybersecurity expert.” [laughs] To be an expert, you have to live in this stuff every single day, and I don’t do that.
I’d like to dive into the conversation. I want to talk about the threat landscape and what’s going on. A good way to tee that up is everybody knows about Colonial. I’ve done a couple of podcasts about Colonial. How did Colonial impact what you do as a cybersecurity professional?
Annie: It changed the whole conversation. It became the impetus for a change in the regulatory landscape, for federal involvement. It did not just include the technical conversation, where many times when you see a threat, that’s what we’re focused on. We’re focused on mitigating that threat at a technical level. This also brought in the policy discussion.
If you look back at the energy industry over decades, they’ve always self-regulated when it came to cybersecurity, with the exception of NERC-CIP in electricity. In the oil and gas space and in the pipeline space, it’s really competition-driven security.
Many times, we’d end up at a customer’s table, and they’d say, “Well, I want to know what, you know, what’s this company doing? We want to do at least that much. We want to be able to go to the shareholders and say we’re being really aggressive on our security.”
That all worked for a while, but when you start to have very public incidents with very public impact, you’re going to have government involvement. That’s really the big change with Colonial. It brought in the policy conversation. It changed the regulatory landscape. It’s a different conversation.
Colonial, itself, and ransomware, itself, is not new. The idea of a ransomware attack is not new. Every day, they’re hammering everyone. All it takes is that one open door, and then you get a very public incident. That was Colonial. It’s really changed that whole conversation.
The timing was very unfortunate. It came right after the SolarWinds incident. There was the physical bombing in Nashville outside the AT&T building, so that affected the comms infrastructure. It was just scaling very quickly.
Russel: It’s interesting. When I did this presentation, I had a little timeline about events, and it started in 2000. Between 2000 and 2005, not a lot happened, and then there was Stuxnet, and things accelerated. You look at 2010 to 2016, you see all this activity. I made the comment the reason there’s no timeline past 2016 is there’s too much going on to put it on the timeline.
Annie: Right. Exactly. Absolutely. That’s exactly right.
Russel: That’s five or six years ago, and five or six years in this space is several lifetimes because it moves so dadgum quick.
Annie: It really does. It really does. There were some really big events like Stuxnet, Duqu, Shamoon. They were real well advertised, but still a lot of people felt like that’s not going to happen to us. This is such a big event. That’s not going to happen to me, small, midstream operator. It’s different really when you see something happen like Colonial; it just changes that whole view.
Russel: I actually know several small midstreams that had major facilities go offline because of cyber hacks.
Annie: It’s a reality. That’s the absolute reality right now.
Russel: That happened prior to Colonial, and much of that activity stays confidential because the agencies that are involved and the operators themselves treat that as sensitive information.
I actually want to ask you this question: do you think that practice of treating those cyber incidents as sensitive is beneficial, or would it be better if we published that stuff?
Annie: That’s a great question. You have to look back at the historical view of that. The federal government has tried six or seven major initiatives over the past 25 years or so on information sharing and incident information sharing even from a voluntary or anonymous standpoint. None of those had really taken off.
There’s a lot of complexities to that situation. There’s antitrust guidelines, and things like that that could potentially be violated if you’re in a conversation space with your competitors, market influences. It’s really difficult to get people to share that information.
Should it be shared? If we are collecting enough intelligence across the board to be able to warn operators that there’s a coordinated event in progress or the threat is extremely high, some specific threat, then it’s a good thing. In my mind, it’s really hard to get past all the other challenges around sharing information in the private sector like that.
That’s why we saw in the first security directive that was released last spring, really one of the first steps was it required reporting back.
Russel: And identifying how we’re going to communicate with you 24/7.
Annie: That’s it.
Russel: We should back up a little bit for people that aren’t aware but talk about the security directives. Can you give us a little background on the security directive? When is it? When did it come out? What did it say? That kind of thing.
Annie: Sure. Right after Colonial, we saw a variety of things. There was an executive action. We saw the first TSA security directive come out, which was again focused on the reporting side of that. It targeted the top 100 critical pipelines. Those are identified based on criteria by the Department of Homeland Security. If you’re critical, you know. You’ve been contacted by them. All other U.S. pipelines would be considered noncritical unless you’ve had that designation.
About 30, 45 days after the first security directive, we had the second directive come out. That’s a very different document. The contents of that document are sensitive security information, so we can’t discuss it.
In a broader context, it’s very technical. It has a lot of detailed measures. It’s a large document with some interim timelines that the critical pipelines had to meet some very aggressive controls. The second document is very different from the first directive.
Russel: The second document was released as a sensitive document, so you had to have the need to know to even get your hands on it.
Annie: Correct. Correct. We had a number of our customers come to us who were noncritical, but very interested in becoming compliant or moving towards a compliant state with the second security directive just because they thought the top 100 list may change. They may find themselves on that list. They wanted to be proactive. I thought that was at least a very positive step.
We do know that the first wave of inspections against the second directive are beginning. Again, really changing that whole landscape from where DHS would come and do a CSR just to review, a tabletop discussion with you, to more of an inspection basis against some very detailed metrics.
Russel: Interesting, very interesting. I know generally what’s in the security directive, too, and I know there’s a lot of things that are required at the endpoints that impacted field locations and remote sites, basically just hardening that stuff.
I know also that a lot of our customers got completely sidetracked for a good period of time addressing that security directive. Basically, took all projects, pushed them aside, and that rose to the top of everybody’s list pretty quickly.
Annie: It really did. The visibility was high, and it’s continued. We’ve seen some White House initiatives that will carry on for the next 12 months on securing critical infrastructure and control. We saw a TSA information circular release last week (in February). Really the target audience was noncritical pipelines, so everyone who was not directly affected by the security directives.
That information circular had four recommendations in it, very specific things. One of those is reporting back, establishing a liaison and a relationship with DHS, and reporting incident information back to that.
The consistent message from DHS throughout is if, even if you are a noncritical pipeline, you are really urged to follow the TSA guidelines. I don’t think you would want to be a pipeline operator and not be doing some level of compliance with those documents. Even just at this point developing a path forward and a strategy to start to get compliant, it’s due diligence to do that.
Russel: There are significant commercial issues around just having your posture heightened, if you want to say that.
Annie: Absolutely. And some insurance benefits to being compliant, to just using good security measures. It’s now pretty pervasive across the board. We see some underwriters paying some close attention to that. If you’re a high-risk operator looking for insurance, those are questions you might get.
We’ve had some of our customers tell us that PHMSA audits have now included questions about TSA guidelines. Again, you’re absolutely right. There are a lot of reasons to do that.
Russel: The other thing that is related to this, and I don’t know exactly what’s in the guidelines, but I do know that all of our customers are starting to reach out to us as a software provider and say, “Hey, what’s your security posture, and how do you know?”
They’re beginning to require that you’re following some standard and having some audit occur so that they have some level of confidence that you’re not going to become the vector for a hack.
Annie: Absolutely. That’s a shift we see.
Russel: That’s going to hit all vendors. That’s going to be just the same like your safety program, your drug & alcohol program. It’s very common in your MSAs, there’s an anti-corruption addendum. Just like you see those things in the MSA, you’re going to start seeing very detailed cyber addendums in these MSAs.
Annie: Absolutely. Since early 2021, we’ve had a number of inquiries from customers, “Hey, can you provide us with your policies and procedures? What is your compliance basis?” Basically, they’re answering their insurers in-house.
Plus, we’ve seen that through these executive actions, too, a lot of emphasis on the supply chain. That’s critical. You need to know your role in the national critical infrastructure, your dependencies. You need to have a strong relationship with your stakeholders.
The shift is to push the asset owners into having that clear view in their minds. If X happens, then it affects Y and Z, and not waiting until something happens to try to determine the potential impacts; you already know the potential scenario ahead. That’s not easy. That’s really not an easy thing. It’s time-consuming to do.
Russel: No, it’s not. It’s a whole other capability that these companies have to build up. For the vendors, particularly the small vendors, this is going to wash people out.
Annie: There’s some ways to combine it with other efforts. One of the things that we’re trying to do at EverLine is to combine cybersecurity assessments with our integrity, pipeline integrity assessments, so that we could provide an asset owner with “Here’s the most critical part of your line, the most critical assets in your operation. Here are your vulnerabilities. If we can reduce those, you’re basically shoring up anything that’s in the critical path.”
Russel: For a pipeline operator, that’s a mechanism they understand. Let’s look at all of it. Let’s do a risk analysis. What are my biggest risks? We’ve got a limited budget. Let’s make sure that we’re dealing with the highest risk first.
Annie: Yes, absolutely.
Russel: That, to me, makes a huge amount of sense. Let’s also talk about something else that’s relatively recent. The latest version of API 1164 came out. I participated on that committee. What I remember most is it was around for a long time, moving very slowly. Then Colonial happened, and there was a very intense effort to finish and get API 1164 out the door.
Can you tell us a little bit about what’s in API 1164 and what was important about getting that out?
Annie: Sure. Yeah, absolutely. I actually sat on the authorship board of the second version of 1164. That was back in 2006, ’07, ’08, a long time ago. It was absolutely time for an upgrade, absolutely.
I remember at the time, there was some discussion immediately after we put out the second version that they would start working on the third. I don’t think it was very long after that. That process to get the third version out was long. You’re right. I think it even reached a point of ballot. Then it went back for some revision.
I love that document. I think it’s great. It’s extensive. What I like about the third version is it maps very nicely against the federal guideline space, IEC 62443. It uses some of that same verbiage across the board. It ties it all together nicely.
One of my staff members put it to me this way, “If you were to take that as your guiding document and comply with most of what’s in there, you’re automatically going to become compliant with a lot of very other important things.”
Russel: That’s what the committee did a really good job on, this third re-write. Oh my gosh. Some of those meetings, they got so technical, and so down in the weeds, but in this domain, that’s what’s required.
What they did a very good job of is talking about “NERC CIP says this. NIST 80 says this. ISO says this. ISA says this. What does that mean? What should a pipeline operator do? How would you do that as a pipeline operator, and check as many of those other boxes as you could?”
Annie: Yes, exactly. The only thing that might be difficult for an asset owner is they see the size of the document and they see all the technical details, and they go “How much is this going to cost?” It is a standard. It’s not a regulation. You can begin to pick and choose the pieces that are most meaningful to you in there.
The response has been good. We’ve had a number of customers ask us to assess against it, to consider it in their total compliance landscape. I’m glad to see it out. When we did the second version, it was so old that there was stuff in there about Yahoo chat and how you shouldn’t use that technology on your OT Network. It was time for an update, for sure.
Russel: [laughs] Yahoo chat. Oh my gosh.
Annie: I’ve dated all of us. [laughs]
Russel: I could go back…
Annie: We all remember that. [laughs]
Russel: I can go further back than Yahoo chat, if you wanted to.
Interesting. As we’re sitting here recording this, it is February 25th. Russia and Ukraine are at war. The Colonial attack came out of that area. What’s going on in the threat landscape? Are you getting any sleep, Annie?
Annie: No. I’m not. [laughs] We’re almost 48 hours in. I would love to get some sleep, but that’s not happening. That’s okay. A lot of our customers, members of the industry, are watching this very carefully. They’ve posed a lot of excellent questions over the last day and a half or so.
Most of the questions are: “What do we need to be doing? What do I need to watch out for?” I can tell you the steps that we’ve taken, and these are solid steps that any company should take.
One is to pivot into a heightened state of awareness. If you have various threat levels at your organizations, kick it up a notch. That means increased monitoring and vigilance.
We’ve put some humans in the loop of our own monitoring just to add some extra eyes on that, so that’s monitoring at the network and a system level, monitoring perimeter and edge, just being up to date with everything. Make sure your patches are up to date. Be vigilant. Not just on the cyber side, also on the physical side.
We have not yet increased the heightened state on the physical side, but if there was any indication of an event or a threat at a critical infrastructure site here or anyplace else in the world within the next short while, we probably will move into an elevated physical security state.
I know you and I have talked about this, Russel. The bottom line is you should have these protections all the time. Now is not the time to be writing a new policy.
Russel: No. Now is the time you have people work a little bit harder. You have people work some extra hours. You turn up your vigilance. Now is not the time to be building a program because it’s too late.
Annie: It’s too late. You’re absolutely right. Communications are really key. It’s really important in times like this that if the technical staff or the operational staff sees something that doesn’t look right, even if they’re not sure, some data that doesn’t look right, an alarm that’s going off that doesn’t look right, you need to speak up. You need to speak up.
Russel: There’s a behavior and a screen that doesn’t look right, you’re reading something from the field and your gut’s telling you it ain’t right, any of that type of stuff, that’s a really good advisory, Annie. That’s a good advisory anytime, but particularly in the current time, it’s a very good advisory.
Annie: The other thing I would say, too, is to just, there’s a lot of information flowing out there. We get a lot of CISA, DHS CISA alerts, and things like that.
It’s just important to assign someone to constantly keep eyes on that because like you said, Russel, if you leave this and move away from your desk for two minutes, the situation has changed. One person can’t do it alone. It really takes a team. It takes a team of folks.
Russel: It’s one of the things I’ve always thought about. I don’t think I’d be very good at being a cyber professional because I wouldn’t want to take a week off and then come back, and be completely out of the loop on what’s going on.
Annie: Absolutely, you’re right. It changes by the hour. As far as the road ahead geopolitically, you brought up a good point, which is we know that there have been threats coming out of that area for a while. Always stay current on your protective measures. Be able to pivot and change when you need to. That’s critical. Have those programs, policies, training in place.
Get help. If you can’t do it inside, there are lots of security vendors out there on the technology or the consultation side. Get help. You can’t ask people who have full-time jobs operating the pipeline to also become your security manager. It’s too much to do.
Russel: The other thing I would tell people, too, and I think at this point most operators know this, but there are really multiple aspects to this kind of program. There’s a whole HR aspect to it in terms of training, equipping, and establishing accountabilities around information security for your employees and contractors.
There is all the technical stuff around what you’re just physically doing to put things in place, and then there are all the systems for managing that infrastructure. All of that has to be done with a view towards security as well as your physical security. It’s a program. It’s a capability. It’s not a look at it and fix it. It’s a capability you have to build. You have to build.
Annie: You have to build it, and you have to maintain it. You have to consider security just like you do safety. You can’t forget about it.
Russel: Absolutely. Annie, what would you say from a new technology standpoint holds the most promise for helping us improve our security posture?
Annie: I like the idea of advanced monitoring. That’s key. Understanding what’s going on in your network and at the system level is imperative to success.
There’s newer technologies. That gets a little difficult to use the cloud in some of those situations, especially when you’re on your OT network and not your IT network. However, there are some vendors with some advanced encrypted technologies that are showing a lot of promise. That’s a way to outsource that big brother watching your network when you don’t have time to do it yourself. I think that’s really key.
As far as other things that may improve overall service is the use of SCADA-as-a-service or SCADA in the cloud. That entire concept makes me nervous. However, if it’s done correctly and it’s done with the right level of data security, then it actually can be really robust technology, and it can allow you to operate in a more secure, stable fashion than you can locally.
Russel: I have a couple of comments about this. In case you care about my opinion on it. I think you’re right. The issue though is where we’re coming from and where we’re getting to is people who looked at control room as a service, or SCADA as a service, or SCADA in the cloud, really were just looking at it conceptually.
If you’re going to look at that, you have to look at it comprehensively. You’ve got to evaluate if we go to this offering, what is the security posture of that offering, and what are they going to do, and what are we going to do, and how do we make sure they’re doing what they need to be doing or what they say they’re going to do.
That’s a deeper look. It’s more like I’m going to outsource this capability. I’m not going to outsource this service. A subtle distinction, but really important. That’s one thing I would say.
The other thing I would say is that we need to apply quality management to cybersecurity. I’ve done a bunch of podcasts on this. I’m hitting you with this idea flat-footed, so I’ll be interested to hear your response.
My MBA was quantitative and spent a lot of time looking at quality management and studying Deming, TQM, and the things that were the precursors of Six Sigma Black Belts.
What I think is that one of the things we’ve not yet gotten to yet in cybersecurity in a mature way is applying those same kinds of quality management or safety management principles to cybersecurity. What do you think about that?
Annie: That’s a solid argument. That’s something that probably needs to be done. Absolutely on the qualitative side. On the quantitative side, that’s difficult because to say to someone you’re 75 percent secure doesn’t mean a whole lot.
It can be difficult to do a direct translation there, but I do believe you’re right in the sense that that’s something that has to be addressed in the future for sure.
Russel: If you look at the whole idea of applying these process management systems to quality, safety, and so forth, there’s a whole kind of industry that grows up around understanding what are the things you measure and how do you measure.
In safety and quality, you manage how many good items do I have versus how many defective items? And, how good am I at determining defects? And, what are all the things that go into manufacturing? Those are all things you measure.
In safety, you’re measuring outcomes like how many days did I go without an incident, that type of thing. I’m not sure what you would measure from a security standpoint. An intelligent person that was looking at it could figure it out.
There are two aspects to that. One aspect is more easily quantitative, and that has to do with, “What is my traffic? How does it match the traffic historically?” That type of thing versus the more qualitative things that get to what are the humans doing.
Annie: Exactly. Exactly.
Russel: Most of the hacks that occur are not because of a fault in the technology. They’re because somehow I socially manipulated a person to do something that gives me access.
Annie: Absolutely. When we were acquired by EverLine, human security became one of the three main pillars. We had physical security, cyber security, and human security. The reason we called it out specifically is because human interaction with the technology is a huge threat vector.
Whether it’s intentional, unintentional, it’s a poorly trained staff member, a glitch in the process, a human in the loop like that can create a significant amount of risk. You have to protect against that, especially with the changing and evolving workforce that we have.
What I like about your idea of applying quality management is it’s a real holistic way to look at that. You can look at the trending. You can look at what’s working. You can consider other aspects of your operations in that data.
That level of trending is something that asset owners have wanted for a while, and there’s probably not a real great way out there right now for them to get that.
Russel: That’s what we’re working on is the tools to enable that. Look, Annie, it’s been great to have you. Thanks for coming on board. I’ve found this fun, engaging, and educational, so hope to have you back, maybe in two minutes when everything changes.
Annie: Thank you. Absolutely. I would love to come back, after the next big hack. [laughs]
Russel: There you go.
Annie: Thanks, Russel.
Russel: Thank you. I hope you enjoyed this week’s episode of the Pipeliners Podcast and our conversation with Annie.
Just a reminder before you go, you should register to win our cool, customized, Pipeliners Podcast Yeti tumbler. Simply visit pipelinepodcastnetwork.com/win and enter yourself in the drawing.
If you’d like to support the podcast, the best way to do that is to leave us a review. You can do that on Apple Podcast, Google Play, Stitcher. You can find instructions at PipelinePodcastNetwork.com.
Russel: If you have ideas, questions, or topics you’d be interested in, please let me know either on the Contact Us page or reach out to me on LinkedIn. Thanks for listening. I’ll talk to you next week.
Transcription by CastingWords