Oilfield Review Summer 2002 - Networking with the
Networking with the World

The infrastructure of wires, cables, antennae, satellites and system software makes possible the rapid communication necessary in today’s business environment. Whether the information is real-time data from a production well or a processed seismic section being discussed simultaneously on two continents, secure networking is essential.

Jeff Groner
Conoco Inc.
Houston, Texas, USA

Larry Gutman
Michael Halper
Franklin Maness
Lee Robertson
Jim Sullivan
Dana Graesser Williams
Houston, Texas

Trevor Harvey
Catherine Robertson
BP
Aberdeen, Scotland

Ian McPherson
Aberdeen, Scotland

For help in preparation of this article, thanks to Jeffrey T. Buxton, Cara Cejka, Samuel Edwards, Thien B. Nguyen, Natasha Noble, Lee Russell and Robert Sanchez, Silvio Savino, Houston, Texas, USA; and Mark Sambrook, Aberdeen, Scotland.

DeXa, DeXa.Badge, DeXa.Net, DeXa.Port, DeXa.Touch, iCenter, myDeXa and SpaceTrack 4000 are marks of Schlumberger. Adobe and Acrobat are registered trademarks of Adobe Systems Incorporated. Microsoft and Windows are registered trademarks of Microsoft Corporation. UNIX is a registered trademark of The Open Group in the United States and other countries.

Asset management today requires rapid responses to changing conditions. Enormous quantities of data are captured, transmitted, analyzed and stored, often with each of these activities occurring in a different location around the world. An extensive and sophisticated infrastructure is necessary to transmit these bits and bytes from place to place and to protect information flow from inadvertent or malicious interception. Using satellites, companies can transmit communications and data from virtually anywhere in the world. Secure, private broadband networks can deliver the data in real time, while security tools ensure that the data can be seen and accessed only by those with proper authorization.
Most geoscientists, engineers, procurement specialists and planners expect to have information at their fingertips, without worrying about the logistics of having those data provided to them whenever and wherever they need them. An information technology (IT) infrastructure must exist to enable and secure these activities. The Schlumberger DeXa Suite of Services supplies IT solutions that help exploration and production (E&P) companies focus on their core business of finding and extracting hydrocarbons.

This article discusses the current state of IT infrastructure technology in the E&P business. A specialized community of interest, the Oil Partnering Network, is part of a service that provides connections worldwide through satellite and fiber-optic links. We discuss network security provided by Schlumberger, including smart cards. A complete IT outsourcing solution designed for Conoco exemplifies these services.

Connecting the Reservoir to the World

Multiple-site connectivity on a global basis—within a company, with customers and with suppliers—is paramount to linking the right information with the right people, at the right place and at the right time. Extended communications via satellite, wireless and secure, private broadband networks allow access to all pertinent data and information. Such communications are critical for allowing real-time decision-making. This capability means that experts can have the same impact at any remote site as they would have at their home offices, or can do work as efficiently in the home office as they would on a rig.

[Figure: megabytes and gigabytes of data in 1985, 1993 and 2001 for measurement and logging while drilling (per well), wireline (per triple-combo), near-well monitoring (per day) and marine seismic (per vessel per day).]

With the decreasing size of the industry workforce, connecting to the best expertise becomes increasingly critical.
With end-to-end secure connectivity all the way to the data source, the capabilities of both internal and external partners can be fully leveraged in a collaborative but secure electronic environment.

The quantity of data in typical E&P activities has grown dramatically within the past two decades (right). A significant infrastructure is needed to transmit, store and manage this information and ensure that it contributes to an operator’s bottom line profit statement.

> Rapid growth in industry data. Improved tools, increased data storage on those tools and higher telemetry rates generated an immense increase in the amount of data captured during the period from 1985 to 2001. With the typical tools used in each year, the amount of data acquired while completing the same tasks—measurement and logging while drilling, wireline logging and marine seismic acquisition—increased dramatically. Permanent well monitoring was not available in 1985, but the amount of data available now can reach 100 megabytes each day for a highly instrumented wellbore.

The DeXa.Net Secure Network Connectivity Services solution delivers secure, integrated global connectivity from all users to the data, employing satellite telemetry or fiber-optic links. Satellite communications extend global networks to bring real-time communication capabilities to rigs and other remote locations.

Tying this all together requires a network of global scale. Schlumberger has deployed and managed a substantial private global network for nearly two decades in support of its own field operations. That network is now available as a secure private network for clients (below). It provides global coverage with bandwidth on demand, which delivers network capacity when and where it is needed. Private channeling and security assure that client data remain confidential. Several service options are available to ensure that the most important data are prioritized for transmission through the network.
This type of ubiquitous network connectivity, combined with secure connectivity centers and virtual private networks, enables real-time data collection, real-time analysis and, ultimately, real-time decision-making.

Two types of communications contribute to the integrated network. Satellites link remote sites such as rigs, platforms or vessels to centralized earth stations, known as teleports; and fiber-optic cables facilitate onshore communications.

> Global computing network. The DeXa.Net system links high-speed, high-bandwidth land lines (blue) with global satellite communications. The earth stations (antennae) provide communications almost anywhere in the world. Smaller teleport stations in Algeria and Norway are not shown here.

> Marine satellite communications. Rugged design and satellite tracking capability make the DeXa.Net SpaceTrack 4000 very small aperture antenna ideal for any kind of marine vessel.

The DeXa.Net service supplies the SpaceTrack 4000 stabilized antenna for marine applications (bottom left). This very small aperture antenna requires minimal space but is rugged enough for service on semisubmersible, diving-support and seismic vessels, barges and floating production systems. With a high degree of tracking accuracy, it maintains a lock on a satellite even in rough seas. Companies that operate communications satellites are careful about allowing access to their systems. The SpaceTrack 4000 stabilized antenna, installed by experienced personnel, meets the stringent controls these companies enforce before allowing connection.

The E&P business operates in many remote parts of the world where a surface communication infrastructure, such as fiber-optic or traditional telephone lines, does not exist. Yet, rapid communications independent of distance have become imperative in the industry. Satellite linkage is essential for communication to locations such as in the Algerian desert or in deepwater areas off the coast of western Africa.
A portfolio of satellites is required to provide global coverage because communications satellites are placed in geosynchronous orbit.[1] Managing bandwidth on the right satellites to communicate with all of a company’s locations can be daunting. Schlumberger manages satellite communication and through the DeXa.Net service resells bandwidth in solutions tailored for client needs. About 14 satellites cover strategic E&P provinces worldwide. Teleports located in Aberdeen, Scotland; Stavanger, Norway; Houston, Texas, USA; Sedalia, Colorado, USA; Macaé, Brazil; Lagos, Nigeria; Hassi Messaoud, Algeria, and Singapore provide global coverage. Any location—no matter how remote—can be linked to the data network. Client offices connect to the teleports through fiber-optic networks, and through the Schlumberger DeXa.Net core system, clients obtain a global network connection. The DeXa.Net system provides a turnkey, end-to-end communications solution.

Secure Private Partnering

BP was the primary sponsor of the first Oil Partnering Network (OPNet), established in Aberdeen, Scotland in 1994 to facilitate critical oilfield operations, engineering projects and E&P partner reporting. An OPNet uses several elements of the DeXa.Net solution to offer secure, managed networks for a closed, private community of companies.

BP wanted to use OPNet to obtain greater flexibility in communicating with various stakeholders, including equity partners, service companies and suppliers of its North Sea fields (right). The BP goal was to achieve cost savings by reducing infrastructure and moving management of a network to an external provider. At the same time, improved security was a high priority. Real-time intrusion-detection systems scan all traffic 24 hours a day, 7 days a week. This closed-community TCP/IP network is used for critical oilfield operations, engineering projects and reporting to partners.[2] For example, real-time drilling or logging information can be transmitted securely from a drilling platform to a company’s offices onshore or to an iCenter collaborative meeting facility.[3] Logistical operations can be coordinated more easily, such as ensuring a supply boat or helicopter does not make a trip partially loaded when there are supplies or personnel needing transport.

The success of the operation is evident in the growing number of users. When OPNet began on a trial basis in 1994, only five companies were involved. Now, about 100 stakeholders communicate through OPNet. This includes 23 oil and gas operators, 33 engineering companies, 14 drilling-related companies, 7 logistics and transport companies, about 50 offshore platforms and vessels operated by 14 companies, and 16 IT and bureau services.[4] The system has expanded beyond BP fields to include assets of many companies in the United Kingdom sector of the North Sea. Additional OPNets are being established in other parts of the world. The Houston OPNet became operational in December 2001.

> Participants in the Aberdeen local private network. The Oil Partnering Network in Aberdeen joins a variety of North Sea stakeholders into a seamless community.

Managing Central North Sea Fiber Optics

Although land-based communications rates and bandwidth have improved dramatically over the past decade, offshore communications standards have lagged. BP recently laid a fiber-optic cable from Cruden Bay on the Scottish coast to the Forties field in the North Sea about 110 miles [177 km] from Aberdeen (right). The cable extends to Everest field in the UK sector and then to Ula field in the Norwegian sector. Any platform within about 25 miles [40 km] of these platforms can connect to the fiber-optic system by using line-of-sight microwave radio systems. The microwave and cable links expand the telecommunications capacity of these platforms up to 1000 times. The cable supplies high-capacity, high-quality telecommunications to the central North Sea.[5]

The Central North Sea Fibre Telecommunications Company (CNSFTC), a wholly owned subsidiary of BP, manages this fiber network and resells network capacity to other operators in the central North Sea. CNSFTC chose Schlumberger as the telecommunications service operator because of the expertise the company had demonstrated in providing offshore communications.

> Fiber-optic cabling for the central North Sea. A fiber-optic cable connects the BP Aberdeen network to the Forties field, then continues to Everest field and into the Norwegian sector to Ula field. Nearby platforms can access the cable through a microwave link.

1. Satellites placed in geosynchronous orbit remain fixed in location above a point on the Earth’s surface.
2. TCP/IP stands for transmission control protocol/Internet protocol. The transmission control protocol assures a reliable connection between computers connected on the Internet. The Internet protocol controls how the information is broken down into packets and how they should be addressed to reach the destination computer.
3. For information on the iCenter facility: Bosco M, Burgoyne M, Davidson M, Donovan M, Landgren K, Pickavance P, Tushingham K, Wine J, Decatur S, Dufaur S, Ingham J, Lopez G, Madrussa A, Seabrook D, Morán H, Segovia G, Morillo R and Prieto R: “Lifelong Asset Management Using the Web,” Oilfield Review 13, no. 4 (Winter 2001): 42–57.
4. Bureau services include financial and certification companies.
5. For technical details about the central North Sea fiber-optic communications: www.cnsfibre.com.

Operators and partners in oil fields can achieve enhanced health, safety and environmental performance, reduced operating costs, increased production and extended field life. Simple changes, such as moving servers onshore, using videoconferencing to reduce offshore visits, and bringing more data to shore for analysis will contribute to delivering these goals.

[Chart axes: annual bandwidth cost per Mbit/sec, from high cost to low cost; increasing innovation.]

> Bandwidth cost. The cost per megabit of bandwidth to Forties field decreased, and quality and capabilities improved when the fiber-optic cable was installed (blue line).

> Smart corporate badge. A high level of security can be put in place by using a smart card with an embedded computer chip. This can be used for physical access to facilities and access to computer systems.

Improved communications by fiber cable enable fundamental changes to offshore operations (top). Telephone communications are clear and free from delay. Videoconferencing can be of broadcast quality. Servers onshore are as quick and effective for offshore users as for those onshore.
High volumes of data acquired offshore can be made available immediately onshore, allowing more effective remote monitoring of offshore plant and process conditions.

In a speech celebrating the 25th anniversary of the Forties field, BP Chairman Lord John Browne said, “Almost unlimited bandwidth will make offshore and onshore a single IT environment—and that will transform the way the North Sea industry works, improving everything from the optimisation of production to family video link-ups for offshore workers.” He continued, “We believe the initial investment, which amounts to $40 million [US] will create great opportunities for operators and service companies, reducing costs, extending field life and enhancing production.”[6]

Secure Data Access

In an information-centric company, capturing and sharing knowledge, experience and information are crucial in creating and building a new-generation corporate digital-asset repository. This repository must be protected—with physical and IT security measures—while still allowing efficient access on demand. Interactions between companies in the E&P industry are worldwide, so a well-designed system has to account for connections that include potentially mischievous or hostile attempts to intrude (see “Protecting the Olympic Gold,” page 24).

The foundation of this security is integrated physical and network access. A single system authenticates the identification of people for a variety of purposes. The system allows them to enter certain buildings and offices, log on to internal data systems and, finally, authorizes them to see certain applications and data. Once an organization has a solid identity, authentication and authorization system in place, the leverage gained from this security system is powerful.
Securing the collaborative community, authorizing access to secure areas or rigs, tracking training and safety certifications and charging meals at the canteen can all be tied to an integrated personal- and data-security system.

The DeXa.Badge Identity Management Security Solutions system uses individual smart-card technology to access digital assets and physical premises (left). The smart card provides photographic identification, a physical-access chip and a personal electronic certificate that identifies and authorizes a user. In addition to access security, transactions can be facilitated in the networked community by encrypting documents and digitally signing transactions, enabled by the certificate on the card.

The DeXa.Port Network Access Control Security Solutions system guarantees similar strong security for extranets and Web portal applications. In this case, the collaborative community can work across the Internet to share data and conduct transactions in a protected manner.

If the data or the transactions are of the highest value, the security levels can be enhanced to include biometric readers, such as fingerprint or retinal scanners, to provide a further level of user authentication. Thus, in addition to something that you know such as a personal identification number and something that you have such as a smart card, authentication can include a third level: something that identifies you personally, such as a fingerprint.

All of these aspects of security are available, but they can provide the secure foundation required for real-time activities only when combined into an integrated security solution. This means that users can access the premises securely, access data securely and access Internet applications securely.
The system ensures that only authorized people see the data; that transmitted data cannot be intercepted and read by others; and that transactions performed in the network can be validated and not repudiated after they are enacted.[7] Knowing that the information flow and all participants in the transaction chain are secure allows decisions to be made confidently in real time.

Breaking Through

In December 2001, Conoco took a major step toward a globally consistent IT capability and reduced overall IT costs when it signed a six-year, $300-million outsourcing contract. Schlumberger won the contract because of its flexible, service-oriented approach and global presence, specifically in the many remote locations common to the E&P industry. Using integrated tools and processes, Schlumberger is creating a worldwide IT infrastructure with self-support features and a global service model for Conoco. Because Schlumberger understands both the oil field and IT, Conoco management was comfortable outsourcing this key strategic function.

At a worldwide Conoco information management (IM) meeting in May 2000, IM managers determined that a common architecture with consistent global service would improve productivity and achieve efficiencies of scale through leveraged resources and assets. Unifying the Conoco IT infrastructure would result in less worker downtime as compatible systems and new applications were introduced. A focus on process and capabilities would increase as individual business unit IT infrastructure issues decreased.

Conoco calls the process IT Breakthrough. This new common operating environment is based on global consolidation and standardization through a single IT supplier with a common infrastructure, a unified support structure and integrated tools. Internally, IT Breakthrough goals embrace technology, processes and people. Externally, this means Conoco can display a consistent face to its customers, allowing the company to
• decrease the time to market for technical solutions
• increase coordinated solutions across business units
• increase business flexibility.

[Flowchart boxes: Employee has a PC problem. Employee goes to the myDeXa Self-Support Portal. Employee goes to the Quick Fix tool. Employee goes to the knowledge base. Employee goes to the Tickets tool. Quick Fix attempts to repair problem. Knowledge base searches for the answer or solution. Employee creates his or her own trouble ticket on-line. Problem resolved? Ticket is routed to the Global Service Desk or on-site support for problem resolution. Employee is back on-line.]

> DeXa.Touch self-support tools. Instead of immediately calling the service desk with a PC problem, a Conoco user can access a full array of support tools through the myDeXa icon. One of those tools, the Self-Support Portal, offers the Quick Fix tool. Within minutes, the employee can fix many problems that, typically, would require the attention of a support analyst. For more difficult problems, an extensive knowledge base is available. If the answer is not in the knowledge base, the user can create a help-desk ticket on-line.

Getting in Touch

For the nearly 20,000 Conoco workers, the restructuring provides focus and multiple avenues for support. No longer will they be limited to IT and help-desk support in their building. Instead, support is offered through the Global Service Desk, giving employees a single point of contact for any IT-related problem or question. Significantly, as a key part of the solution, user communities and IT management teams can proactively identify, resolve and track their own technical problems with self-help tools designed by Schlumberger.

Conoco employees throughout the world are getting a new software application on their PCs: the Schlumberger DeXa.Touch Self-Support Portal (SSP), which is fully integrated into the other DeXa.Touch IT Outsourcing service and support systems.
This tool, the first of its kind, is setting the standard in the self-support industry. By the end of December 2002, all Conoco users will have the DeXa.Touch SSP on their desktops, accessed through the myDeXa icon. The SSP empowers Conoco PC users and IT management teams to fix their own computer problems quickly and independently, decreasing user downtime and total cost of IT ownership. IT management can focus on strategic business processes rather than on system operations.

The SSP enables Conoco employees to use the self-healing tools. These tools are the first line of defense, a quick-and-easy way to troubleshoot and solve everyday PC problems. Conoco employees can fix many application and operating-system problems with just a click of the mouse. In many cases, automated, user-initiated actions can reduce repair times significantly. The goals are to increase the number of problems that can be resolved by the SSP and continue to reduce the cost of IT support.

A tool called Quick Fix allows users to repair application and network problems by restoring PCs to a known working condition (above). For example, if someone cannot print an Adobe (continued on page 27)

6. Browne J: “Speech for the Forties Field 25th Anniversary Thursday 7 September 2000,” http://www.bp.com/location_rep/uk/bus_operating/forties_field/sjb_speech.asp.
7. In computer network security, nonrepudiation is a desirable quality that assures users are allowed access to all resources to which they are authorized.

Protecting the Olympic Gold

The 2002 Olympic Winter Games in Salt Lake City, Utah, USA were a challenge for network systems security. This worldwide sporting event—often the center of strong national emotions—made it a potential target for computer hackers. Secure event results had to be delivered to the media in real time. Redoing a ski run because of system problems was not an acceptable option.
The system had to be fully operational by the opening of the Games on February 8, 2002 (right).

SchlumbergerSema designed and operated the Games’ Information Technology Center (ITC) and will do the same for the next three Olympic Games. As systems integrator, SchlumbergerSema coordinated the work of 15 companies and 1350 information technology (IT) experts in the Games’ Technology Consortium. With data centers at each of the 10 sports venues as well as other Games centers, a huge IT infrastructure managed the instantaneous transmission of event results, accreditations, athlete entries, transportation and other key processes. Real-time scoring and background information on the athletes and events were transmitted to broadcast and print media and to the official 2002 Olympic Winter Games Web site at www.saltlake2002.com.

SchlumbergerSema was given the task of ensuring data integrity and data security within this infrastructure. The goal was to prevent intruders, whether acting intentionally or by accident, from impacting the smooth running of the Games. Any attempted or successful attacks on the network were to be tracked, allowing the operators to respond quickly and efficiently.

In the summer of 2001, SchlumbergerSema began a complete audit of the many elements of the computer system. The survey established every device connected to the system: 225 servers, 5000 personal computers, 145 UNIX computers, 1850 fax machines and copiers, and 1210 printers. The ownership, Internet protocol (IP) address and actual physical location of each device were established. In addition, the security team mapped connections to other enterprises, such as designated terrorist-watch and law-enforcement agencies, tickets.com, the Olympic Museum in Lausanne, Switzerland, news organizations and other groups that needed to be linked with the system.

> Olympic network. The 2002 Olympic Winter Games involved 10 sports venues in Salt Lake City, Utah, USA and in the surrounding Wasatch mountain range. All of the venues were networked to the SchlumbergerSema Information Technology Center (ITC).

With this information, three parallel efforts were undertaken to prepare the system—defense in depth, policies and procedures, and network-management and intrusion-detection systems.

Defense in depth is a military term, indicating defensive measures that reinforce one another, hiding the defenders’ activities from view and allowing the defenders to respond to an attack quickly and effectively. As a network security strategy, defense in depth uses several forms of defense against intruders rather than relying on a single defensive mechanism. Two principles help effect a defense in depth. The principle of least privilege demands that users, applications and systems should be granted the least privilege possible consistent with accomplishing their tasks. The principle of minimum access demands that any access not explicitly granted must be denied. For example, every connection into the network was linked to the specific device that was attached; only that device could access the system at that connection.

The second effort was to establish clear policies and procedures for the enterprise network.
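
The minimum-access rule described above, where each network connection is bound to one inventoried device and anything not explicitly granted is denied, can be expressed as a default-deny check. This is an added example, not code from the article or from SchlumbergerSema; the hardware-address identifier, connection names, class and function names, and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    hw_addr: str   # assumed device identifier; the article does not name one
    owner: str     # ownership, IP address and location are the audit fields
    ip: str        # the article says were recorded for every device
    location: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def normalize(hw_addr):
    """Canonical form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return hw_addr.strip().lower().replace("-", ":")


class ConnectionPolicy:
    """Default-deny table: exactly one registered device per connection."""

    def __init__(self):
        self._inventory = {}  # normalized hw_addr -> Device
        self._bindings = {}   # connection id -> normalized hw_addr

    def register(self, connection, device):
        hw = normalize(device.hw_addr)
        if connection in self._bindings:
            raise ValueError(f"{connection} is already bound")
        if hw in self._inventory:
            raise ValueError(f"{hw} is already registered")
        self._inventory[hw] = device
        self._bindings[connection] = hw

    def evaluate(self, connection, hw_addr, ip):
        # Every branch except the last denies: access exists only where
        # a binding was explicitly granted.
        bound = self._bindings.get(connection)
        if bound is None:
            return Decision(False, "unregistered-connection")
        hw = normalize(hw_addr)
        if hw not in self._inventory:
            return Decision(False, "unknown-device")
        if hw != bound:
            return Decision(False, "device-on-wrong-connection")
        if ip != self._inventory[hw].ip:
            return Decision(False, "address-mismatch")
        return Decision(True, "bound-device")


def build_sample_policy():
    # Constructed inventory using documentation-only address ranges.
    policy = ConnectionPolicy()
    policy.register("venue-a/sw1/port3", Device(
        "00:00:5e:00:53:01", "results team", "192.0.2.10", "scoring room"))
    policy.register("venue-a/sw1/port4", Device(
        "00:00:5e:00:53:02", "press office", "192.0.2.11", "media centre"))
    return policy


# Constructed connection events: (connection, observed hw_addr, observed ip)
SAMPLE_EVENTS = [
    ("venue-a/sw1/port3", "00-00-5E-00-53-01", "192.0.2.10"),  # bound device
    ("venue-a/sw1/port3", "00:00:5e:00:53:02", "192.0.2.11"),  # moved device
    ("venue-a/sw1/port4", "00:00:5e:00:53:99", "192.0.2.50"),  # not inventoried
    ("venue-a/sw1/port9", "00:00:5e:00:53:01", "192.0.2.10"),  # unbound port
    ("venue-a/sw1/port4", "00:00:5e:00:53:02", "192.0.2.77"),  # wrong address
]


def review(policy, events):
    """Return (connection, hw_addr, reason) for every denied event."""
    denied = []
    for connection, hw_addr, ip in events:
        decision = policy.evaluate(connection, hw_addr, ip)
        if not decision.allowed:
            denied.append((connection, normalize(hw_addr), decision.reason))
    return denied


if __name__ == "__main__":
    for row in review(build_sample_policy(), SAMPLE_EVENTS):
        print(row)
```

The denial reasons are the kind of record an intrusion-detection system could prioritize: an inventoried device on the wrong connection is a different event from a device that was never audited.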
SchlumbergerSema drew upon its experience to establish policies for security and network configuration. Protocols were designed for alarm and event management. System requirements changed rapidly with so many entities involved; a change-management policy was imperative. Human intervention as outlined in the policies and procedures played a critical role in successfully protecting the integrity of Salt Lake 2002 Olympic Winter Games data.

The third effort focused on planning, building and deploying the network-management systems (NMS) and intrusion-detection systems (IDS) and response procedures. The system architecture was optimized to deploy the minimum number of intrusion-detection agents, or probe agents, to protect the system (below). These agents are specialized software programs that continuously monitor network traffic. Ideally, all traffic in and out of the system would pass through one point so that one agent could monitor and protect the whole system. Real-world systems are more complex, and the Salt Lake Games system was protected using 35 agents.

The software agents prioritized the severity of any attack on the system. This involved a tremendous amount of systems-log analysis. The intrusion-detection system had to distinguish between normal system traffic and anomalies. The network-management system provided systems personnel with a clear response plan for any type of anomaly. In addition to systems operators monitoring the system seven days a week, 24 hours a day, the software defense system could send alerts by pagers and e-mail to response personnel (right).

> Intrusion detection. Multiple means of access to the computer network made an intrusion-detection system (IDS) critical. Access to the Games and administration network was available from the sporting venues, through the Internet, from remote servers on the internal network and with certain business-to-business (B2B) and business-to-consumer (B2C) servers. Specialized software, termed probe agents, monitored all traffic and generated alerts when unauthorized use was detected. At a special enclave in the SchlumbergerSema Information Technology Center, the network-management system (NMS) monitored all probe agents through redundant systems. One route passed through a probe master server, the other passed through an IDS database server. Network security personnel monitored the NMS at all times throughout the event.

The management and detection systems were tested twice, once in October and again in December. Experts in ethical system-penetration testing attempted to hack into the network during these tests. The vulnerabilities they exposed were corrected.

With the three parallel tasks of defense in depth, policies and procedures, and network-management and intrusion-detection systems in place, SchlumbergerSema compiled a global network-operations document (below right). The intent was to provide a manual useful for the 2002 Games, as well as future Olympic Games.

Having policies and procedures cataloged has little benefit unless they are followed. SchlumbergerSema provided training for key personnel in other systems organizations, who then trained their groups. As in most enterprises establishing security for the first time, there was resistance from some members of the Games’ community to setting up restrictive policies. They feared such ideas could interfere with the spirit of cooperation and teamwork. The SchlumbergerSema team worked closely with the management teams to dispel such fears and educate them about the reasons for the policies.
The SchlumbergerSema team found creative ways to solve problems without compromising security. These efforts improved the level of cooperation and avoided unauthorized attempts to circumvent the policies.

The system did come under attack during the Games. The site had many computers available for use by athletes, coaches and other members of the Olympic community. Attempts were made using some of those computers to access inappropriate, pornographic Web sites, which the security system detected. Some national teams tried to add servers to the system to set up Web portals. More serious attacks included virus-infected e-mail sent from outside to internal staff and people trying to hack into servers from outside. Not one attack was successful. The system was not compromised, and the Games had a stable, secure infrastructure that allowed the world to focus on the sporting events.

> SchlumbergerSema IT team in the Salt Lake Games Information Technology Center. The computer network was monitored and controlled continuously throughout the 2002 Olympic Winter Games.

[Figure: flowchart with boxes: Establish baseline; Develop and deploy defense-in-depth strategy; Develop policies and procedures; Build and deploy network-management system and intrusion-detection system; Compile into global network-operations document; Disseminate and educate.]
> Security preparations for the 2002 Olympic Winter Games. Three parallel efforts led to a complete security solution for the Salt Lake Olympic Games. The documentation will be available for the next three Olympic Games, which also will be coordinated by SchlumbergerSema.

> DeXa.Touch knowledge base for self-support portal. The knowledge base has answers to PC, operating system and application questions. Detailed, step-by-step instructions and illustrated solutions are included for resolving many issues and problems.
Custom knowledge bases can be built for a customer’s business with existing content migrated and hosted by the self-support portal. A user can search by key words, error messages or free-form questions, such as the one here: “how to add a network printer.” An optional advanced function offers a fine-tuned search. Browse has an index of the knowledge base content; the user can access both summary and detailed information.

Acrobat file, help is a mouse-click away. After logging onto the myDeXa system, the user scrolls to “All Printer Drivers,” and finds the button “Fix Now.” In a few minutes, the self-healing process is finished, as the printer drivers are restored without calling the service desk.

What about applications on the hard drive? If an error message indicates Microsoft Word has failed, with a few clicks the user can repair the application immediately. The service desk would be available, but unnecessary in this automated repair solution.

SSP administrators create protection schemes and job schedules to define the applications and operating-system settings that will be protected or backed up for a particular set of PC users. The SSP probes the machines to identify all application components that must be protected.

A weekly protection run is, for the most part, transparent to users. They may hear the hard drive churning and see a new icon in the bottom-right corner of the menu bar. During this process, the software is backing up applications and settings that are used later if a problem occurs. This procedure is automatic, but users can run the protection manually, if necessary.

This system-protection run copies registry keys, settings and drivers; application and system files; executable and INI files; the dynamic link library (DLL); and component object models (COM) in working condition.
When there is a failure, self-restoration of a user’s system can be accomplished in fewer than 10 minutes, rather than waiting for a technician who could take a few hours to make a service call. Productivity at Conoco is expected to increase dramatically.

Besides Quick Fix, the DeXa.Touch SSP includes the following:
• a knowledge base offering support information, organized effectively so users can find answers and solutions to their problems quickly and independently (above)
• a directory of the most common PC-related tasks
• system information, giving users details about the hardware and software that is installed on their PCs
• password-protected management reports, giving service-level agreement information, including outage, error and performance reports, plus system-management and firewall-security reports
• a global ticketing system, allowing users to submit and view the status of problems that cannot be self-healed.

Conoco management understands that it cannot change the habits of its worldwide employees quickly and without effort. The company sponsored an awareness campaign about the self-healing tools, including a Web site. Forty Conoco IM managers held workshops for their employees. Next, myDeXa champions were chosen within each unit to offer expertise as needed. Also, Schlumberger hosted training seminars for all of the business units.

Standing By

When a Conoco employee has a problem that he or she cannot resolve, a Schlumberger Global Service Desk is the single point of contact for application, desktop, network, connectivity and security issues in any region of the world 24 hours a day, seven days a week. This first-class support has teams covering the globe, each with an in-depth knowledge of Conoco operations.

By using this service solution, Conoco is leveraging the Schlumberger worldwide infrastructure of best practices, expertise, tools, technology and processes.
Additionally, Conoco no longer has to manage IT human resources, such as recruiting, hiring and training. Time, effort and resources that once were expended on support issues now can be refocused on the core business, allowing Conoco to strengthen its competitive edge.

> Link performance report. Through proactive network monitoring, the Schlumberger Service Management Center is able to produce real-time reports detailing exactly what is occurring on a customer’s network over a given time period; these reports are accessible through the self-support portal at any time. The example shown indicates link load or the percentage of a network segment that is being utilized by traffic. The report also shows response time for network devices at the input and output ends of this particular network segment, tracked by monitoring the amount of time in milliseconds that the devices take to respond back and forth. An IT manager can see network availability for traffic, the volume of traffic going across the network and the load on the network devices managing this traffic.

Service personnel are globally linked and their functions integrated through a centralized infrastructure, allowing them to operate as a single, virtual service desk. All support personnel access the same tickets and data through a custom-developed system and workflow for ticket tracking, notifications and metrics collection.

When a user calls the service desk, a support analyst collects information and opens a ticket, automatically sending an e-mail to the user. The message has the ticket number, as well as problem details and status of the fix. Each type of supported device—such as a desktop PC, server or network switch—is bound by its own set of service levels. A priority setting is assigned to each issue based on its impact on Conoco business activity.
Historically, 90 percent of the calls to Schlumberger Global Service Desks are answered within 120 seconds, the industry standard for these calls; 50 percent of the calls are resolved at first contact.

Conoco has contracted six Schlumberger Global Service Desks around the world, including Houston; Ponca City, Oklahoma, USA; Cork, Ireland; Lagos, Nigeria; Dubai, UAE; and Jakarta, Indonesia. Once the service desks are fully operational late in 2002, following a phased-in approach, Schlumberger teams and Conoco employees can discuss problems in English, Spanish, Arabic, German, Swedish, Bahasa Indonesia and Thai; specific languages are contracted for each location.

Certified Security

The Schlumberger Service Management Center (SMC)—an International Standards Organization (ISO) certified operation—supports the service desk and the self-support portal by providing global, centralized incident reporting, tracking and resolution services.

The SMC combines physical, application and operating-system security monitoring in a facility with uninterrupted power and fire protection. Entering the SMC facility requires a special security clearance; entering the more sensitive production-computing facilities requires the most restrictive security clearance. An identification, authentication and authorization system coupled with facility management is the foundation of escalating levels of secured access to these protected locations. Everyone entering and working in the SMC is monitored by on-site staff and cameras at all times.

Throughout each day, SMC staff monitors system performance, data availability, data integrity and viable connectivity, scrutinizing all levels of applications, operating systems and hardware with state-of-the-art monitoring systems set with prescribed alarms. Because human intervention is imperative, the SMC team uses defined response procedures based on alarm levels. Servers are polled at time intervals agreed upon with the customer.
If there is a problem, a visual alarm is triggered on a large bank of screens. The on-duty team determines if the problem relates to a network, an operating system, hardware or an application. Corrective procedures include restarting services, file and operating-system maintenance, redirecting services or other systems-administration tasks agreed upon contractually. In addition to connectivity, a default list of conditions, processes and applications is monitored, and if any are outside agreed limits, they will be highlighted on systems-management screens and brought to the team’s attention.

Another key element in the security scenario is firewall monitoring. Firewall traffic is logged according to a specific agreement; these logs are kept in a secure server and archived. Once a week, firewall summary reports are sent to the customer by file or over a secure Web connection. These reports include connection statistics for the 40 most frequent source and destination addresses listed by attempted, denied and accepted connections.

The team monitors and compiles reports for customer network segments, traffic, connections and routers (previous page). Management and resolution of faults—such as a router failure, a circuit failure, an application failure, a disk-full event, or a performance problem—also are included.

Once a fault or problem is detected, SMC staff creates a service ticket and notifies the customer. As with the Global Service Desk, incidents are classified according to the perceived impact on operations. The ticket also includes date and time, a description of the request, diagnostic test results and resolution information.

For Conoco and all other Schlumberger customers, the SMC is the ever-present cyber traffic officer, ensuring that information flows securely and without interruption around the globe.
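
The weekly firewall summary described above (the most frequent source and destination addresses, listed by attempted, denied and accepted connections) can be sketched as follows. This is an added example, not Schlumberger's reporting code; the log format, the function names and the reading of "attempted" as accepted plus denied are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample log: <timestamp> <ACCEPT|DENY> <source> <destination> <port>
# The format is an assumption; the article does not describe the real one.
SAMPLE_LOG = """\
2002-06-03T08:00:01 ACCEPT 10.1.1.5 192.0.2.10 80
2002-06-03T08:00:02 DENY 203.0.113.7 192.0.2.10 23
2002-06-03T08:00:03 DENY 203.0.113.7 192.0.2.11 23
2002-06-03T08:00:04 ACCEPT 10.1.1.6 192.0.2.10 443
2002-06-03T08:00:05 DENY 203.0.113.7 192.0.2.12 23
2002-06-03T08:00:06 ACCEPT 10.1.1.5 192.0.2.10 80
2002-06-03T08:00:07 garbled line
2002-06-03T08:00:08 DENY 198.51.100.9 192.0.2.10 25
"""

def parse_line(line):
    """Return (action, source, destination), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or parts[1] not in ("ACCEPT", "DENY") or not parts[4].isdigit():
        return None
    try:
        src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    except ValueError:
        return None
    return parts[1], str(src), str(dst)

def summarize(log_text, top_n=40):
    """Top-N sources and destinations as (address, attempted, denied, accepted).
    Assumption: every logged connection counts as attempted (accepted + denied)."""
    stats = {"source": defaultdict(Counter), "destination": defaultdict(Counter)}
    skipped = 0
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # report unparsable lines instead of dropping them silently
            continue
        action, src, dst = rec
        for role, addr in (("source", src), ("destination", dst)):
            stats[role][addr]["attempted"] += 1
            stats[role][addr]["accepted" if action == "ACCEPT" else "denied"] += 1
    report = {}
    for role, table in stats.items():
        ranked = sorted(table.items(), key=lambda kv: (-kv[1]["attempted"], kv[0]))
        report[role] = [(a, c["attempted"], c["denied"], c["accepted"]) for a, c in ranked[:top_n]]
    return report, skipped

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A source whose attempts are all denied across several destinations, like the first row in the constructed sample, is the kind of entry such a report makes visible to the customer.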
As that information begins to flow through a common operating environment, Conoco business units can deploy internal and external solutions quickly and efficiently anytime, anywhere.

Well-Connected Companies

The DeXa Suite of Services offers companies a new potential for improving their operations. For example, a drilling contractor can connect multiple rigs in a customized worldwide network for real-time communication, data sharing and decision-making. This is particularly attractive for offshore and remote locations, and critical, high-cost wells. Instantaneous access to crucial data and centralized groups of technical experts—whether by secure wireless mobile communications or Internet connections—can speed responses to potential safety problems, such as a well-control incident, or help to optimize drilling performance based on data from other wells being drilled in other areas.

Connecting jackups, semisubmersibles and drillships with their respective oil or gas company clients offers secure transmission of confidential information. Connection to suppliers of rig materials can improve the speed and cost-effectiveness of supply-chain decisions and simplify procurement practices.

Customized smart-card badges can allow secure entry from shore to rig, for example prior to boarding helicopters or boats. An individual’s safety and operational training history can be coded on the badge so that no one boards a rig without the proper certifications. Secure access to restricted areas on the rig can be ensured with smart cards coded for a specific set of card readers. Secure Internet access and Web transactions by rig personnel can be both enabled and monitored.

Information is the lifeblood of the oil and gas industry. State-of-the-art information technology services allow operating companies to focus on their core business of finding and producing hydrocarbons. —MAA, BG