Norway’s biggest company, the Stavanger-based oil and energy firm Statoil, has concluded that its safety routines were lacking in at least two alarming incidents this past autumn. It also has decided to bring responsibility for security-related computer systems back home to Norway, reversing a controversial outsourcing to India.
Experts believe it may be the beginning of a new trend in which companies that outsourced responsibility for various data operations have decided to bring them back under control of the home office. Professional organizations representing workers in Norway were celebrating on Thursday, after being told that information technology (IT) work will be put back in the hands of Statoil’s own employees.
“This is a step in the right direction,” Jorunn Birkeland of the employees’ organization NITO told Norwegian Broadcasting (NRK). “We are glad that management (at Statoil) listened to the employees.”
NRK reported on Wednesday that Statoil had decided that IT workers in India, to whom much of Statoil’s systems maintenance had been outsourced, would lose access to Statoil’s oil platforms and facilities on land. The move came after a keyboard error made by a worker in India ended up halting oil production at Statoil’s sprawling facility at Mongstad. It in turn followed no less than 29 other incidents in which outsourced IT workers had unwittingly gained access behind Statoil’s so-called “firewalls” to Statoil oil platforms while doing otherwise routine maintenance.
An investigation showed serious breaches of security. “We’re not exactly dealing with production of chocolate here,” a Statoil employees’ representive dealing with safety issues told NRK. “If mistakes are made, it can lead to extremely dangerous situations.”
Or simply expensive disruptions, such as when the keyboard error ended up with 22 unauthorized log-ins as the Indian workers scrambled to exit a server that controlled oil production at a Statoil facility. Production ended up being shut down.
NRK reported how Statoil itself concluded that it was part of “a series of problems after outsourcing.” In addition to the risk of production delays, pollution and financial losses, the biggest fear was a lack of control over who had access to key facilities. From now on, Statoil’s own employees will carry out maintenance of firewalls and not workers on the other side of the world, in this case at HCL of India. NRK reported that HCL officials had declined comment on the incident involving Statoil.
Statoil’s information director Bård Glad Pedersen said Statoil was evaluating other measures as well, “to improve IT security.” He contended that “we have had good systems for IT security, but must have as our starting point that it can always be better.” He said that’s why Statoil established a commission to go through IT security and identify measure than “an strengthen security further.”
Per Morten Hoff, former leader of IKT Norge, called it an “admission that Statoil didn’t have sufficient control of its IT security.” He said it was “proper and correct” that Statoil was doing something about it.
In a year-end review of several other safety issues this year, Statoil also took responsibility for a gas leak at its Sture terminal that left six people injured. Statoil also concluded an investigation of smoke and a fire on its Statfjord A platform in October. It was tied to a lack of understanding of risk, among other factors.
“We are not satisfied after several serious incidents this autumn,” Jannicke Nilsen, Statoil’s new chief operating officer, told news bureau NTB. “It’s important for us to thoroughy go through all of them, to ensure that we learn from them.”
Statoil has been under criticism that its major cost-cutting and staff reduction in the past two years, since oil prices fell, have put safety at risk. Statoil has denied that but aknowledged the need for improvement. State authorities have also ordered investigations and put Statoil under pressure to address safety issues.