DNV working hard on AI and cybersecurity issues
(While at SPE Offshore Europe last month in Aberdeen, Scotland, World Oil had a chance to visit with two of DNV’s section heads handling various aspects of the digital side of upstream oil and gas. What follows are some highlights of that visit and specific projects that DNV is undertaking.)
As a global assurance and risk management company, DNV has been safeguarding life, property and the environment for over 150 years. As such, the firm also has stayed at the forefront of advances in digital technology. So, it’s not surprising that DNV has been taking a deep dive into artificial intelligence (AI) and cybersecurity issues.
In addition, complementing DNV’s rules, standards, and recommended practices in maritime, energy and other sectors, the firm now publishes recommended practices (RPs) on assurance of digital assets. These RPs include the firm’s latest report: AI insights: Rising to the challenge across the UK energy system, Fig. 1. For that report, DNV interviewed organizations across the UK energy sector to understand what AI means for the future energy system. The firm connected with all industry verticals to gather feedback on the emergence of AI and discuss associated challenges, opportunities and strategic enablers.
“With strong oversight, we believe AI can play a critical role in enabling the energy transition,” DNV’s head of Innovation & Digital, UK & Ireland, Graham Faiz, told World Oil. “So, why did we write this book? As I’ve been saying, technological advances in artificial intelligence (AI) have sparked imaginations and really invigorated the conversations around the medium about what is possible across all industries. Energy is no different. However, it's generally believed that that careful consideration should be given to the issue of long-term impacts of this type of technology.”
Additional reasons to assemble the book, noted Faiz, were what AI could do for tackling climate change; working on decarbonization; establishing the current landscape as the starting point to move forward with AI; ensuring that the technology is a benefit and not a risk; and gauging how the industry feels about AI and whether firms are ready for it.
Challenges with AI. Indeed, one of the key themes identified in the DNV report is the number of challenges involved with implementing AI. “Organizations are cautious about new and unexpected technology, such as this,” explained Faiz. “Achieving trust is integral to unlocking the benefits of AI across the energy system.” And how to achieve that trust comprises many of the challenges of implementing AI. He said there has to be responsible use of AI, along with “an encompassing ecosystem of trust” that covers technology, users and the environment. Building that trust ecosystem will require overcoming both the information and communication challenges that exist in the energy sector.
“One of the major challenges,” continued Faiz, “is technology systems and processes used in the energy industry, based on what we call legacy hardware and software and almost any small pieces of technology that the company inherently sets up for. You know, big data, lots of mathematical or computational processing, and certainly not for sharing and connecting systems, as the energy sector, itself, has to continue to become a little bit more integrated.”
Opportunities with AI. On the other side of the coin, “there are some great opportunities for this technology moving forward and for digital technologies in general,” said Faiz. “We have adapted assurance principles and practices. For example, technology qualification can be used to ensure an AI solution functions reliably within specified limits when deployed. The interconnected nature of AI requires a holistic approach to assure that both the digital assets and the systems they affect can connect to them to operate within each other. Again, we have a basis that's really important within energy. The concept of digital assurance can absolutely be used to generate an ecosystem of trust, based on transparent arguments about, or claims about, capability or risks within an AI solutions.”
Cybersecurity advancements. Meanwhile, World Oil also visited with DNV’s head of Industrial Systems Cybersecurity, Shaun Reardon, who provided some highlights and details from the firm’s 2023 Cyber Priority Report. He noted that digital technologies—set to be enhanced by AI—are being connected to control systems and other operational technology in the energy industry, where safety is critical. The industry, he maintains, needs to manage the cybersecurity risk and build trust in the security of these vital technologies.
Asked whether the upstream sector seems to have been the most reticent portion of the oil and gas industry to adopt some of the cybersecurity measures he advocates, Reardon said he doesn’t think the problem only resides in E&P firms.
"No, I wouldn't say they stood out,” analyzed Reardon. “I think it's an industrywide thing, where, and for fully understandable reasons, we're talking about investment and the pressures on [companies]. So, I think it's quite often, if we can make the case or the case can be made, that most board members will take into consideration [factors other than cybersecurity risks]. As I often like to say, how can the boards understand the exposure, if they don't know the risk in the first place? The answer there is to go through pretty rigorous and comprehensive risk assessments, and those standards already exist. You have the international ones, you have the ones in the U.S., and particularly in the U.S., there's some really good stuff coming out from CISA (Cybersecurity and Infrastructure Security Agency). But, security must be built in from the very beginning, and this is standard cybersecurity practice. The difficulty is that when you're rushing to get something to market, or to fit in an immediate need, sometimes security falls by the wayside. Security is all about the mindset.“
With those comments in mind, World Oil asked Reardon what he thinks are the biggest cybersecurity risks for upstream operators at present. This, too, elicited a firm response from the Industrial Systems Cybersecurity head. “I think the biggest challenge that everyone's facing is this concept of convergence,” declared Reardon. “Twenty or 30 years ago, you'd have an engineering workstation safety system, and it was completely, utterly [useless]. And they're very, very expensive, as you know. They have a shelf life, which is in the life cycle of maybe 15 to 30 years. They were never designed with security in mind. But as things get more expensive and technology advances, they're using more and more of what we would call I.T. components in the process control device, engineering, workstations. Yeah, almost certainly Windows-based, which isn't a bad thing, almost like an open Windows. It could be Linux-based or something like that. But those bits of bespoke hardware were very, very expensive. So, more and more, we're seeing there are new or simply legacy operating systems, or Windows XP is still used all over the offshore industry.”