Spooks, vampires, zombies, apparitions … what’s not to love?
By Geoffrey Cann
Halloween. A gory and ghastly night of ghouls, ghosts, and goblins. And as with previous years marking All Souls, I reflect on the latest digital demons molesting the oil and gas industry, how best to exorcise them, and how to speedily return them to the land of the undead.
Cyber Spooks
The oil and gas industry is under constant attack by outside assailants at a level that exceeds that of other industries:
The industry is cash rich, and perceived to be well off. Ransom payments are likely to be swiftly paid.
The industry’s product (petroleum) and its supply chain (gas plants, pipelines, refineries) are environmentally hazardous. Some assailants, such as state actors, are not in it for the money but want to disable the company for other reasons.
The industry’s footprint is vast, with millions of discrete end points (wells, pumps, sites, valves, tanks). The probability of finding a weak entry point is higher than confronting a big monolithic system.
The attack surface is growing. The industry is adding more devices and sensors, more robots, and bigger networks to deal with looming shortages of people. Fifty percent of experienced industry engineers are entitled to retire in the next 10 years, and young people now avoid the industry because it appears to be a career dead end.
The war in Ukraine is creating two robust armies of well-equipped and tested cyber warriors, presently intent on disabling each other’s energy infrastructure. The tools and techniques perfected during this war will inevitably make their way to the Dark Web where they’ll be sold to criminals and used against the rest of oil and gas.
The recent cyber attack on the downstream business of a large Canadian oil company illustrates the risk. Product sales were interrupted, the loyalty system was down for weeks, and it’s rumoured that the company even needed to do an extensive swap out of its end user devices (laptops, tablets, phones).
Successfully beating the cyber spooks means treating cyber on par with safety, educating employees on the risks, practicing good cyber hygiene, testing the defenses regularly, and insisting that cyber be built in.
Cloud Vampires
It’s hard to believe, but 60% of global oil and gas companies started their adoption of cloud computing in just the past 2 years, according to a presentation I recently took in (World Petroleum Congress, or an SAP Users Group, can’t quite remember). At first, I didn’t think this was all that plausible, but on reflection, it’s probably right.
We know that COVID 19, which kicked off in the spring of 2020, certainly triggered a massive shift in working patterns. One of the biggest and most enduring has been the work-from-home model. The majority of my calls today still involve people working from home (WFH).
WFH also drove huge shifts in work processes. Paper forms switched to digital, Zoom and Teams experienced a big spike in adoption, phones with cameras became essential data devices (QR codes are everywhere now). The big winner was cloud computing that enabled all of this change.
But cloud computing has its own blood-sucking risks. Oil and gas companies are ever alert to creating rent-seeking opportunities for their suppliers, and left unchallenged, cloud computing looks like the perfect candidate to transform into a leech vampire, hoovering out all the value.
Using a cloud company means you have surrendered some compute infrastructure security to the supplier. Personally, I have more confidence in the huge resources of Amazon Cloud Services or Google to operate big data centers and works, provide back up, deliver uninterruptible power, and provide for some cyber support. But better to test this out than deal with a ghastly surprise later.
Moving cloud contracts at scale from one supplier to another looks neigh impossible. Over time, the volume of data in storage becomes ridiculous, and moving cloud suppliers while keeping the business running looks like flying a plane while swapping out the engines. You’ll likely experience a fiery crash.
To keep the undead in the casket, try moving an inconsequential cloud service (apps and data) to a different supplier. At least you’ll then know what you’re up against if you ever decided to move everything.
Zombie Systems
My wife’s iPhone is a model 7. The other day we noted that the phone was no longer being automatically updated by Apple’s routine software releases. Her phone still functions fine for what she uses it for, but forget buying an Apple Watch to pair it with, or a new set of AirPods this Christmas. Her phone is now a zombie technology—it still works, but it progressively slows down, the battery fades, it’s vulnerable to hackers, and it can’t embrace new innovations.
SAP is the workhorse technology for oil and gas and has migrated to a cloud computing structure, with in-memory processing, advanced support for generative AI, an App Store, built-in blockchain capabilities, and heaps more. It’s more secure, much faster, more intuitive to use, easier to work with, and more complete.
But many oil and gas companies remain stuck on their legacy versions of SAP. At a recent SAP energy industry users group event I attended, SAP asked for a show of hands from across the dozens of oil and gas companies attending who had voted to be part of the future (SAP S/4HANA). Only two hands went up with the balance electing to turn SAP into a zombie system.
Zombie systems are a disaster for business. Zombies impede change. New capabilities can’t be adopted. Work arounds have to be hand tooled. Cyber criminals target zombies because they’re often behind the patch cycle. Hiring employees to keep the zombies alive becomes harder, leading to expensive outsourcing. Zombies build up a huge technical debt to be eventually paid, and if history teaches anything, it’s that the debt will become due at a terrible time. Some of these zombie systems are veritable Frankenstein’s monster of modified code.
Unfortunately, there’s no easy way to deal with the zombie, other than to layout a multi-year plan to drive a stake into its heart.
AI Apparitions
At a recent panel discussion I was asked about the impacts that generative AI (GenAI) tools would have on oil and gas. The fact is that GenAI is already in use in oil and gas, but managers don’t know where.
One of my favorite examples of GenAI in action is its simple search-and-retrieval capability on enormous private datasets. Almost a decade ago, Woodside Energy loaded all of its accumulated 30 years of project files on the Northwest Shelf Project into IBM Watson, which could sift through this huge pile instantly and supply answers to complex engineering questions. Woodside claimed to be saving 80% of total engineering time with this one move. And I’d argue there was nothing generative going on.
Here’s some more recent examples. Recruiters are using GenAI to write job profiles and sift through applications and resumes. Applicants are using GenAI to write resumes and cover letters. Employees are using GenAI to write their performance review inputs. Managers use GenAI to write up employee performance reviews and letters to file. Meeting organizers use GenAI to translate meeting minutes in real time and create task lists.
In short, GenAI is speeding up by a factor of 10+ a huge range of activities that were at one time the sole purview of humans.
It’s becoming clear that someone who is using GenAI is going to perform at a level quite superior to someone who is not. You will not lose your job to AI, but you will lose your job and your company to an AI-equipped competitor.
The apparition part of generative AI is that it hides true personal human capability. How do you assess the communications skills of an employee who uses GenAI to craft their communications? How do you gauge the engineering capability of a junior engineer if they’re using GenAI to do the engineeering? How do you rely on a project report if it’s been largely composed by a GenAI model that was itself based on swallowing the Internet and spitting it out?
AI Apparitions are already stomping hard on all the ideas, practices, approaches, models and structures we have about measuring and rewarding human performance at work. And we are simply not prepared for this monster on the loose in our organization.
Conclusions
When you open the front door to this season’s mob of treat-hunting ghouls, just remember that your work world is not only facing its own cyber spooks at the gate. There’s a better than even chance that you have more than one zombie system staggering around, AI Apparitions secretly messing up your performance system, and a cloud vampire sharpening its fangs.
Good luck.
Artwork is by Geoffrey Cann, and cranked out on an iPad using Procreate.
Share This: