On explosion proof phones and oil and gas cyber security

Neil McNaughton notes a perfect cyber security storm brewing as industry calls for more use of consumer technology and opens plant IT to office networks. Maybe we need an ATEX spec for IT?

On my way to the SPE Digital Energy Conference (DEC—report in next month’s Journal) I found myself in a duty free shop where a chunky little mobile phone caught my eye. It was the antithesis of the iPhone. While not quite the whip-antennaed monster that Tommy Lee Jones brandishes briefly in Mars Attacks!, it had something of the same anachronistic pizzazz. Upon further investigation, it turned out to be an explosion-proof Sonim cell phone [1] with ATEX certification for use in oil refineries and offshore platforms. If you doubt the capacity of a cell phone to start a fire (and if you are not squeamish) you should check out the video [2] on Atex Systems’ website. As I rarely visit refineries these days, I was not about to spend €400 on such a device, but I’ll get back to the Sonim later.

In last month’s Journal we reported on Steve Ballmer’s address at CERA Week, where he argued that today’s IT paradigm is one of consumer technology, such as instant messaging, migrating into the business environment. Ballmer opined, ‘Opportunities open up with these technologies in business and specifically, in energy.’ He managed to get in a plug for the Xbox 360 Kinect controller, whose gesture capture ‘can be harnessed and applied anywhere, from a classroom to an offshore platform.’ Maybe he has something. Perhaps a smart programmer will one day turn geoscientists’ arm-waving into a well plan.

On the other hand, in the interests of disclosure and to underline that no simple statement should ever be taken at face value in IT, it behooves me to note that in his new book [3], Paul Allen categorizes Microsoft as a company whose ‘core strength is software for business,’ and which ‘is not positioned well for the move to a consumer-focused mobile platform.’

In any case, the arguments for and against ‘consumer’ technology stand whether or not such is to be sourced from Microsoft, Apple or Google—so I will plug on with my investigation.

At one level, the ‘consumer to business’ shift has already happened. We now all use ‘commodity’ if not quite ‘consumer’ hardware. Windows has effectively displaced many (but not all) ‘business’ systems, as companies like DEC, HP, IBM, SGI and Sun can testify, or at least those that are still around can.

At the (other) DEC and elsewhere, many speakers have argued that social networking, for instance, should be used more in the enterprise. Another trend is the advent of multiple devices—read iPad, BlackBerry et al.—that are eroding Microsoft’s hegemony in the enterprise and causing IT managers to rethink their provisioning. IT itself is opening up to more ‘consumer’ provision, with ‘cloud’ offerings and software as a service.

Another given is that ‘office’ IT is inevitably seeing more and more connectivity with plant IT. Of course this has to be weighed against the security risks. All of which makes for a perfect storm of ‘fear, uncertainty and doubt’ (FUD). On the one hand we tout the as-yet-unrealized benefits of desktop access to every tag in the plant. On the other hand we give ourselves nightmares about a new Stuxnet destroying the facility.

We have been here before. In fact we reported from an SPE Security conference back in 2005—and I have just put the full report [4] in the public domain. At the time ‘deperimeterization’ was all the rage—tinged with a little FUD from the ‘Slammer’ worm that had just infected a US nuclear plant. There was also a call for an industry-wide security standards body which, as far as I know, has come to nothing. In our 2009 report [5] from the API Security Conference (also now in the public domain) we learned that ‘mobile devices can mean really rough gaps in security,’ and that ‘management involvement in security appears to be work in progress.’ There were also suggestions that some ‘reperimeterization’ of the facility might be in order. Judging from the 2011 DEC, it appears that little progress has been made.

I take it that the brave new multi-device world is populated by BlackBerry and iPhone/iPad users. Instead of the IT department laying down the law about what devices are approved for use, we are now asked to cater for anything. It is not all that long ago that we were talking about diskless workstations sans USB slots. Now it seems that the latest ‘always on’ gizmo that ‘calls home’ with positional information every few minutes is fine. Of course I am not privy to such matters, but I have a sneaking feeling that the boardroom crowd is responsible for this ‘deregulation’ of the communications space. I notice that the boardroom applications de rigueur are Diligent’s Boardbooks [6] or ICSA’s Board Pad [7]. I have a mind’s eye view of the board all traipsing into the oak-paneled boardroom with their iPads and BlackBerries, going online, checking their stock quotes and generally bypassing anything that IT in its wisdom has put in place.

Beyond the security risks, perhaps the worst aspect of consumer IT is the objectionable agendas that providers have. Their business model is to extract personal information from individuals and sell it to advertisers who then target you. Do you really want your providers to go around sniffing your wireless networks and recording passwords? Is it OK for them to store your location information in secret files on your mobile devices? Even if the information is not secret, is it OK for it to be stored in a proprietary format to which only they have the key? Do you want them to share this with others? And what happens when they get it wrong and lose your personal/business information to hackers? Is it OK just to say ‘sorry’? Will this be enough for your shareholders?

I was going to conclude with an accolade for ATEX-compliant devices like the Sonim and how we really do need an IT-ATEX spec for enterprise IT. Unfortunately, while the Sonim may not cause a conflagration, since it has a USB port it is unlikely to pass muster in terms of IT security! If this has whetted your appetite for more, you may like to consider attending the WRG Oil & Gas Cyber Security Conference to be held in Houston in June [8].

[1] www.oilit.com/links/1104_33.

[2] www.oilit.com/links/1104_34.

[3] ‘Idea Man’—www.oilit.com/links/1104_35.

[4] www.oilit.com/links/1104_36.

[5] www.oilit.com/links/1104_37.

[6] www.oilit.com/links/1104_38.

[7] www.oilit.com/links/1104_39.

[8] www.oilit.com/links/1104_40.

© Oil IT Journal - all rights reserved.