Systemic Management - RasGas - Case Study Example

Background and Context of the Problem Situation RasGas, a joint stock company owned by Qatar Petroleum and Exxon Mobil, is one the world’s largest liquefied natural gas suppliers (LNG). It has a capacity to produce 36 million tonnes of LNG per year and supplies LNG to countries around the world (Doha News Team, 2012). Established as Ras Laffan Liquefied Natural Gas Company Limited in October 1993, in just two decades, RasGas has become a global energy company with a reputation for reliability, deliverability and safety (Sustainability Report, 2013). In 2012, the corporate computer systems and the website of RasGas went offline following a virus attack just days after Aramco – a Saudi oil giant – recovered from a similar attack. This attack impacted administrative services like email and other services (Doha News Team, 2012). The virus attack, however, did not affect production and deliveries. The operational systems at onshore and offshore locations also remained unaffected. As soon as the company spotted “unknown virus” it took desktop computers, email and web servers offline as it cleaned up. At Aramco, 30,000 computers were affected by such an attack (BBC, 2012). Prior to Aramco, a malware called “wiper” had destroyed data and systems files at Iran’s national oil company (Zetter, 2012). Security efforts warn that malicious hackers are targeting the oil and energy industry with this particular virus (BBC, 2012). At Aramco also, the same virus called “Shamoon” and “Disstrack” were used, which do not steal data but destroy and render data irrecoverable, according to researchers at Israeli security firm, Seculert (Zetter, 2012). A group called “Cutting Sword of Justice” apparently claimed the attack, targeted at the Al-Saud ruling family of Saudi Arabia for atrocities that have been taking place in neighboring countries like Syria, Lebanon, Bahrain, Egypt and Yemen. The group invites all anti-tyranny hacker groups against injustice and oppression. Seculert, the security firm states that such targeted attacks are commonly used against companies in the same vertical (Walker, 2012). The cyber attacks came as oil prices rise above $100 a barrel and such attacks have grown in the Middle East, particularly in the last 18 months because of the political unrest in the region (Hall and Blas, 2012). It is believed that such attacks can be created by activist groups. This is confirmed by a report which states that security incidents in the oil and gas sector has increased by 179% in 2013 and the resultant financial losses have soared by 470 percent (IQPC, 2014). Discussion of the problem Situation The case of cyber attack on RasGas’s computer system reveals two significant factors – it is an attack against oppression and injustice as perceived by the people; it is against the entire industry. This can be endorsed by the fact that such attacks took place as oil prices were raised and they were created by activist groups. This implies that these were not attacks against the company as an individual entity. However, this does not absolve the company of its responsibility towards its stakeholders. Any company has to take effective measures to ensure protection against all possible threats and attacks. The communication sent out by RasGas to its suppliers stated, “The company is experiencing technical issues with its office computer system” (Leyden, 2012). Following the attack, RasGas has implemented measures to protect the business from cyber-attacks. These measures include IT risk-management practices that build on the company’s IT resilience projects. RasGas attempts to ensure that controls are proportionate to the risks and thus the company carries out contractor and vendor audits to assess their compliance with the contractual terms and conditions. The IT resilience programme reinforces the governance structure for IT which directs a number of projects to prevent, detect, contain and respond to cyber threats (Sustainability Report, 2013). Reflection on an Appropriate System Despite the measures taken by the company, it can still be vulnerable to such attacks in the future. The steps taken by the company appear to be quick-fix simple solution which rarely work as the business environment is full of complexity, change and diversity (Jackson, 2003, p16). This is not a holistic approach as it focuses on one part of the organization. Optimizing performance of one part may have damaging impact consequences elsewhere. This is known as ‘suboptimization’. To develop a holistic approach, soft systems methodology (SSM) appears to be an appropriate approach. SSM has been used in IS and IT particularly as it help in conceptual cleansing of the terms IS and IT (Checkland, 2000). IS or information system is treated as being centrally concerned with the human act of creating meaning. Checkland highlights that any system can be engineered to achieve the end. Thus managing should be taken as a decision-taking in pursuit of goals or objectives. Soft Systems Methodology SSM is a systems approach for analysis and problem solving in complex situations. SSM has been defined as an approach to problem solving where problems are viewed as part of the whole system and not a reaction to a particular event (Suriya and Mudgal, 2013). SSM uses systems thinking in a cycle of action research where learning and reflection help understand the perceptions that exist in the minds of the different people in the situation (Maqsood, Finegan and Walker, 2003). This is a system that deals with human complexity. According to Checkland, systems analysts need to apply their skills to problems of complexity that are not well defined. SSM helps in understanding the fuzzy world of complex organizations. It is basically a design of a conceptual system which is explicitly derived from an understanding of the problem itself; it is then used to test against the real world (Beard, 2013). The seven-stage process of SSM has been summarized below: Source: Maqsood, Finegan and Walker, 2003 Checkland (2000) further emphasizes that the focus should not be on improvement or repair of a system but every situation in which some action research is undertaken is a human situation where people are attempting to take a purposeful action that was meaningful to them. Even when one works towards modeling purposeful activity, it is likely that many interpretations of ‘purpose’ are available. Thus the most relevant need to be explored given the huge number of human activity systems models that could be built. The word ‘system’ is not applied to the world but to the process that helps deal with the world, contends Checkland. It is thus important to identify the problem situation and not the problem – what caused or causes such attacks. The problem situation should include a rich picture comprising of hard information and soft information. In the case of RasGas focus should be on soft information including people’s perceptions and relationships. Hard approaches can at best bring out the blue prints for design but a soft approach deals with human activity system models that are necessary to achieve a purposeful meaning from a particular point of view. Changes should be systematically desirable and culturally feasible (Jackson, 2003). Here it is not just important to understand how the engineers and technicians concerned could save the system from cyber attacks. It is equally important to evaluate the minds of the people who carry out these attacks. Besides, several contractors and sub-contractors are involved in the process, which requires careful handling. This can be achieved through ‘systems thinking’. SSM can facilitate effective change and improve work place practice (Maqsood, Finegan and Walker, 2003). The soft systems approach enables exploitation of individual and socially constructed group knowledge and experience. A lot of emphasis is laid on people in soft systems methodology. At RasGas vendors and contractors are involved in developing the IT architecture and hence this methodology would help develop a rich picture which would portray all the key people involved in the IT process. Besides, one of the perceptions could be to focus on improving relations with the people in the Middle east as they feel oppressed and aggrieved, thereby resorting to such attacks. According to Checkland (2000) one of the possible relevant systems to improve the Concorde project for British Airways could have been to include ‘a system to manage relations with the British Government’. The learning and reflection here is that because of various interpretations and the world-view, there would be several models that could be formulated to achieve the purpose. Jackson (2003) also endorses that a range of systems should be defined which should be relevant to improving the problem situation, each expressing a particular world view (or Weltanschauung). The notional systems are the root definitions and can be developed in to conceptual models. Application of SSM The SSM with a soft approach is expected to help RasGas achieve the purpose. The methodology would first include identification of the problem situation. Situation considered problematic: Cyber attacks Problem Situation: Cyber attacks at the industry level – cyber attacks by people who feel oppressed – cyber attacks concentrated in the Middle East The action research would be based on the above problem situation. Therefore, merely re-engineering the computer and information system processes would not suffice. Root Definitions of relevant purposeful activity systems: Root definition has to pay attention to CATWOE. Customers: customers remain unaffected by the attacks because production and deliveries have not been affected. However, customers include the community. Actors: actors include the different stakeholders such as the vendors, contractors, employees. All of these are affected in some way or the other. The vendors and contractors involved in the IT architecture come under the purview of audit before further contracts can be signed. The terms of contracts may have to be revised. The employees come under pressure as many would try to evade responsibility for what has happened and many might try to evade taking up responsibility for devising new systems for the future. People constantly seek to renegotiate their roles, norms and values, and tend to display irrationality when faced with official goals (Jackson, 2003). Values and interests seldom coincide and hence the organization depends on its existence on temporary ‘accommodation’ between individuals and subgroups. Bell and Morse (2013) contend that stakeholders have a fundamental right to be included in the process of change. However, even though their ‘participation’ is desirable, it does not appear practical to involve all the stakeholders. In fact, involving them in such change and improvement could pose a threat to the security of the system. Transformation Process: this would have to consider not merely technological changes but also the human factor. Therefore, knowledge, skills and experience are essential to bring changes in the system. World View: the world view differs on how to improve the situation. For some it might just be more security measures to prevent attacks while others might consider taking into account the people involved in managing the cyber system. Yet others might want to look into the psychology of the people that hurl such attacks. Therefore, a system to protect society may also be a valuable consideration. Owners: this refers to the ‘problem owners’ and this in all likelihood would be the technical department including the top management. The ‘problem owners’ selected by the ‘problem solvers’ are the main source of ideas for relevant systems that have to be developed into a model (Checkland, 2000). However, under pressure, an individual may not want to be aware of owning the problem. Environmental Concerns: these include quality, cost, time and community expectations. Conceptual Models of the relevant models (named in the root definition): a system owned by the IT department at RasGas together with experts in the IT sector including those that specialize in security threats have to be involved to prepare a system that would address the concerns of the community as well as the organization. To take into account the concerns of the community, the CSR (corporate social responsibility) personnel may have to be involved. Recommendations for Strategic Change The activities that are independent should be immediately handled. This would include the action to be taken by the CSR department. To pacify the community that feels oppressed, certain actions are deemed necessary because any organization exist in the society, for the society. The CSR department has to organize meetings with others in the sector and joint efforts would need to be made to pacify the community in the interest of all in the oil and energy sector. This may appear impractical but it is considered essential for the efficient working of the system. This is an independent activity and does not hold up the implementation of other actions. Independent activities While this is being formulated and implemented, the technical department has to enter into discussions with others in the oil and energy sector as all in the industry are vulnerable to such attacks. This is also an independent activity and further activity and action would depend on the discussions with others in the sector. The third action would be to evaluate if the existing system is based on the latest advancement in technology. The fourth action would be to enter into discussions with different security companies and their offers should be evaluated. Cost should not be the criterion for decision and the major consideration should be the security of the cyber system. The dependencies have to be indicated. The conceptual models are purposeful holons constructed with the aim of facilitating structured debate about the problem and the problem situation. The resources, efficacy and effectiveness of the actions have to be derived. Since it is a matter of security, too many actors cannot be involved in the change process. Key personnel from the technical team would participate in the process. despite this, it is not known what goes on in other people’s heads and they may be agreeing merely to shirk responsibility. Comparison of models and the real world: this would require the change team to evaluate and explore how such a change system could behave in the future. The repercussions have to be evaluated based on how an actual system has worked in the past in similar circumstances. In the past the community at large has not been taken into consideration in devising security measures but the situation has changed. However, what happens if the community is not given any consideration and only focus is on enhancing security measures? It is quite likely that attacks could recur. Changes systematically desirable and culturally feasible: the changes recommended appear to be systematically desirable but may not be culturally feasible. Action to bring improvement: hand-picked personnel to be involved at each stage of the conceptual model as this would limit the exposure of the action and strategy to a chosen few. Focus on the community as well as on the security system to avoid such failures again. SSM has been critiqued but it is a way of conducting inquiry into human affairs (Checkland, 2000). The very purpose of the development of SSM was to take systems thinking beyond the abstractions of general systems theory (Jackson, 2003). While SSM lays down the stages and steps to be followed, it allows flexibility in the steps to be adopted. Changes can be made depending upon the task at hand. Critique of the Methodology SSM is a cyclic learning process and this builds naturally into the complex social processes. SSM is developed on the premise that differences in perception and world view would exist and these will give rise to issues that have to be managed. People may not agree to certain things or share perceptions but they would accommodate different viewpoints so that the desired change can be implemented. SSM thus enables breaking down of problem situation and activities so that all involved are able to get a clearer view of the situation. However, SSM is unable to guide how complexities such as managing the community are to be handled. For those concerned with hard systems thinking, SSM does not appear feasible because to them SSM offers a limited perspective on why problem situation occurs. SSM does not take seriously the idea that cybernetic laws must be obeyed. Focus is on the problem situation and Checkland believes that soft systems thinking can bring change. However, other may argue that SSM plays down fundamental conflict of interests based on the assumption that conceptual models would help overcome the problem and the problem situation. SSM has also been criticized for not giving attention to asymmetry of power that exists within organizations. However, SSM is a creative technique in terms of problem solving such as human, culture, ethics and politics (Godwin and Eugene, 2013). In fact, this is a ‘soft’ approach as it deals people. Reflections on the Approach Thus, for the purpose of a model for RasGas, SSM has been considered to be appropriate as it has helped to identify the root definitions and propose course of action. This system is a process of learning and reflection which has helped to evaluate the constraints. An alternative approach that could have been adopted was the Viable System Model (VSM) based on the work of Stanford Beer. This was based on the principle of the nervous system in human body managing the operation of the organs and muscles. In this approach, viable operational units work together for their mutual advantage. However, VSM focuses on control and coordination, while environmental scanning leads to planning and innovation. The minds of different actors, perceptions of different stakeholders have no consideration in this model. It does take into account external opportunities and threats but the human factor is not present. Operations are the primary activity in the VSM but soft issues and different world views are given importance in the SSM. Evaluation of taking SSM approach As far as SSM model is concerned, it has helped to identify different perceptions of the problem and obtain a world view. Since the problem at RasGas is not limited to its internal efficiency and is related to the community as well as to the entire sector, SSM has been a valid approach to managing issues at hand. SSM has contributed to the practical concerns of the people in a problematic situation. It has also helped by way of contributing to the goals of social science by joint collaboration with the community as well as other actors in the sector. As Checkland (1999) states, SSM is most suitable in a situation where the ends, goals and purposes are themselves problematic (cited in Suriya and Mudgal, 2012). At RasGas the problems are indeed fuzzy and multiple objectives exist along with different perceptions of the problem. Therefore, the owners and other actors have to be involved in the methodology to achieve the desirable goals. Incorporating human activity systems has helped in broadening the influence in solving the problem and has helped to better manage the situation. The ‘real world’ has been evaluated and based on the information from the ‘real world’ a conceptual model has been developed and directed in the problem solving process. References BBC. (August 31, 2012), Computer virus hits second energy firm. BBC News. Available from http://www.bbc.com/news/technology-19434920 [Accessed July 18, 2014] Beard, A. (2013), Identifying Cyber Defence Challenges in Acquisition: A Soft-Systems Approach. Prepared for the 30th International Symposium on Military Operational Research (ISMOR). Available from http://www.ismor.com/30ismor_papers/30jul/pdf/30ismor_beard_paper.pdf [Accessed July 21, 2014] Bell, S. and Morse, S. (2013), Rich Pictures: Means to Explore the ‘Sustainable Mind’? Sustainable Development, 21, pp.30-47 Checkland, P. (2000), Soft Systems Methodology: A Thirty Year Retrospective. Systems Research and Behavioral Science, 17, S11–S58 Doha News Team. (August 30, 2012), Virus attack takes down RasGas computer systems. Doha News. Available from http://dohanews.co/virus-attack-takes-down-rasgas-computer-systems/ [Accessed July 18, 2014] Godwin, UG. and Eugene, N. (2013), THE USE OF SOFT SYSTEMS METHODOLOGY (SSM) IN EVALUATING THE TOURISM INDUSTRY IN NIGERIA: PROSPECTS AND CHALLENGES. International Journal of Business and Business Management Review, 1 (3), pp.111-127 Hall, C. and Blas, J. (2012), Qatar group falls victim to virus attack. Financial Times. Available from http://www.ft.com/cms/s/0/17b9b016-f2bf-11e1-8577-00144feabdc0.html#axzz37tHdwEU0 [Accessed July 18, 2014] IQPC. (2014), The Oil and Gas Sector Is Under Cyber-Attack, Available from http://www.cyberoilandgas.com/ [Accessed July 21, 2014] Jackson, M.C. (2003), Systems Thinking: Creative Holism for Managers, Wiley, Chichester. Leyden. J. (August 30, 2012), Mystery virus attack blows Qatari gas giant RasGas offline. The Register. Available from http://www.theregister.co.uk/2012/08/30/rasgas_malware_outbreak/ [Accessed July 18, 2014] Maqsood, T., Finegan, A.D. and Walker, D.H.T. (2003), Five case studies applying Soft Systems Methodology to Knowledge Management. Available from http://www.construction-innovation.info/images/pdfs/Research_library/ResearchLibraryA/Refereed_Conference_papers/Five_Case_Studies.pdf [Accessed July 17, 2014] Suriya, S. and Mudgal, B.V. (2013), Soft systems methodology and integrated flood management: a study of the Adayar watershed, Chennai, India. Water and Environment Journal, 27, pp.462–473 Sustainability Report. (201), Embracing our responsibilities. Available from http://www.rasgas.com/Files/RasGas_Sustainability_Report_2013_(April_2014).pdf [Accessed July 18, 2014] Walker, D. (August 30, 2012), Natural gas giant RasGas targeted in cyber attack. SC Magazine, Available from http://www.scmagazine.com/natural-gas-giant-rasgas-targeted-in-cyber-attack/article/257050/ [Accessed July 18, 2014] Zetter, K. (August 30, 2012), cybersecurity FOLLOW WIRED Twitter Facebook RSS Qatari Gas Company Hit With Virus in Wave of Attacks on Energy Companies. WIRED. Available from http://www.wired.com/2012/08/hack-attack-strikes-rasgas/ [Accessed July 18, 2014] Read More