The US oil and natural gas industry takes pride in its longstanding security standards and crisis management plans for protecting property, assets, and stakeholders from natural disasters, accidents, or begrudged individuals.
But since the Sept. 11, 2001, terrorist attacks upon the US, the industry has intensely scrutinized all security measures and contingency plans across its vast infrastructure for any previously unforeseen vulnerabilities.
"Obviously, we had to rethink the whole thing based on the unthinkable," said Bobby Gillham, global security manager for Conoco Inc. "We've done new risk assessments using our imaginations about how could we be attacked and what measures can we put in place to protect ourselves against such attacks."
The major oil companies' internal security experts have reviewed procedural plans with top executives who have also hired outside security consultants to conduct evaluations. The American Petroleum Institute is the lead coordinator on an industry initiative on security issues for about 30 petroleum trade associations and government.
Kendra Martin, API chief information officer and head of the API security team, said the industry quickly is developing ways to share best practices about how to deter and detect terrorism.
"At a domestic level, terrorism never was the focal point of our regular safety and security operational practices. We had many security measures in place pre-9-11, but the measures were around vandalism and providing safety to the communities in which we operate," Martin said.
Industry considers itself in a new emergency response environment and is relying upon the experiences of international corporations accustomed to coping with terrorism threats or civil unrest in Latin America or the Middle East, she said.
Primarily, API is working closely with the federal government to enhance information sharing and to learn how to better cooperate with authorities with access to higher levels of intelligence, warnings, and protection systems.
"There are still a lot of unknowns out there, and certainly there are potential threats that industry can't effectively protect [itself] from all by itself. For example, the scenario of large airplanes flying into facilities is something for which you must coordinate with government," Martin said.
API previously coordinated between government and industry during the Year 2000 computer transition exercises. "Thank God for Y2K. Otherwise, we couldn't have done this so quickly," she said of industry's collective response to the threat of terrorism.
A new normalcy
Nearly all US energy conferences within the past 6 months have featured a session on security. The most sought-after speakers are representatives of the US Department of Energy's Office of Energy Assurance (OEA) and the Federal Bureau of Investigation.
"The challenge is setting a sustainable level of awareness, alertness, and professionalism. That is no easy task. It takes senior management involvement and a lot of general discussion," said James McDonnell, OEA director.
Established in December 2001, the OEA is DOE's liaison with the Office of Homeland Security. McDonnell is a former US career naval officer who specialized in counterterrorism programs focused on weapons of mass destruction.
"It's important to get the state homeland folks, the federal homeland folks, and industry folks to the point where sharing information is just normal and second-natureellipse It's not unlike the communication that military installations overseas have always had with embassies, intelligence communities, and host governments…We now need that same communication domestically," McDonnell said.
US security requires an approach involving a coordinated federal, state, and industry team, he said, adding that oil and gas companies are aggressively expanding their planning models.
"As opposed to thinking about keeping vandals and thieves out, now [senior management must consider that] there may be a larger strategy for targeting a facility," McDonnell said. "Industry was planning for accidents and natural disasters. Now we have to think of deliberate acts with the intent of disrupting the economy or the public safety."
API agrees with McDonnell that the US economy hinges upon a secure, operating energy infrastructure.
"There is no one company or no one facility that is going to be the target. If you are a target, it's because you are part of an overall industry infrastructure," Martin said. "The threat of terrorism is a whole new layer, but it's a layer on top of a very good industry foundation of secure operations."
One positive development that has emerged from the companies' security reviews is a renewed commitment to become reacquainted with the local first responders and the local FBI agents, she said.
Information sharing
Although the events of Sept. 11 have accelerated the pace of energy security evaluations, industry and the federal government already were working together to defend the US energy infrastructure.
On June 6, 2001, the National Petroleum Council released its recommendations from a 2-year study entitled "Security Oil and Natural Gas Infrastructures in the New Economy" (OGJ, June 18, 2001, p. 20).
The study reviewed potential vulnerabilities of the oil and gas industry. Although that report focused on cyberterrorism, it also addressed the physical security of pipelines, refineries, and other critical supply systems.
A former FBI agent, Gillham worked with various organizations of energy security professionals to advise NPC and DOE on that study. He also is a board member of an Information Sharing & Analysis Center (ISAC) for the oil and natural gas industries.
In May 1998, Presidential Decision Directive 63 authorized the formation of the National Infrastructure Protection Center (NIPC). It's a multiagency center most closely associated with the FBI.
NIPC's core mission is to detect, assess, warn of, prevent, investigate, and respond to attacks against the US's critical infrastructure. NIPC works with the private sector as well as with federal, state, local, and international government agency partners.
It also works with ISACs and industry associations throughout the country. For the energy ISAC, Gillham helps coordinate between the oil and gas industry, DOE, and various law enforcement agencies (OGJ, Oct. 1, 2001, p. 22).
Initially, a group of 11 oil and gas companies created a limited liability company to operate their ISAC. The membership list is now kept anonymous to help obtain industrywide cooperation. Membership fees are the organization's only funding, and a 1-year membership in the ISAC costs $7,500.
The ISAC provides companies with various information on threats and vulnerabilities, early notification of physical and cybernetic threats-possible responses to those threats such as patches, alert con ditions, and best practices-and provides a forum for members to communicate.
"Physical threats continue to be a concern to our sector because of the vast size of the oil and natural gas systems and their importance to our nation's economy. The infrastructure includes thousands of systems, hundreds of thousands of miles of pipelines, etc. It's a challenge to protect these vital energy assets," Gillham said.
He acknowledged that some energy infrastructure vulnerabilities exist, although he declined to outline specific examples.
"We are simply trying to touch all the basesellipsetrying to ensure that those key assets to the industry receive the first attention. I know the DOE has recently been out conducting its own surveys of a number of key energy sites. The FBI is very involved in identifying key national assets to the energy infrastructure," Gillham said.
Prior to the Sept. 11 attacks, Gillham already was among numerous upstream security professionals with national security clearances that enabled him to attend annual briefings with the DOE and the national laboratories regarding terrorist threats.
"The federal agencies are expanding that program now to include additional people with security clearances. That is a very helpful processellipseto give us access to timely information that we can share the unclassified parts immediately through the energy ISAC, which is able to page people and ring cell phones in the middle of the night, saying there is a threat you need to deal with."
"It's a never-ending thingellipseYou don't get complacent and satisfied that we have looked at everything. We're going to do this over and over again because we want to get better at it," Gillham said.
Trade associations
Various industry associations have appointed security task forces and are in the process of encouraging member companies to prepare contingency plans in case of terrorist attacks.
The Interstate Oil and Gas Compact Commission (IOGCC) has released a publication entitled "Securing American Energy During Insecure Times," which includes recommendations on the role of states in maintaining, protecting, and encouraging domestic oil and gas production during a crisis.
The Interstate Natural Gas Association of America said pipeline companies nationwide are working with law enforcement authorities to ensure the continued safe operation of their systems.
INGAA Pres. Jerald Halvorsen said INGAA's board of directors' task force on security has met with officials from DOE, the Department of Transportation, and the Federal Energy Regulatory Commission regarding its action plan.
The plan updates the INGAA security contact information for each pipeline operator. In addition, INGAA surveyed member companies regarding security best practices and then distributed the survey results to all its members.
INGAA also completed a security practices report for critical natural gas transmission facilities that provides a standardized process to categorize critical facilities and assess security practices.
"Consequences considered are those significantly impacting public safety and public service of natural gas supply," said an INGAA letter to federal officials. INGAA members are coordinating with the American Gas Association and the American Public Gas Association on common risk assessment efforts.
"INGAA views this process as one that will be subject to constant refinement and improvements over time," the INGAA letter said. Halvorsen said federal officials "are pleased with our progress and are excited that we are taking the initiative that we are."
Meanwhile, refineries and petrochemical plants have tightened up access to facilities since Sept. 11, said Robert Slaughter, president of the National Petrochemical & Refiners Association (OGJ, Mar. 18, 2002, p. 44).
"Every refinery is different. The geology is different, the layout is different, so the steps that are being taken differ, but all of our companies are involved in this process of updating their security procedures," Slaughter said.
NPRA, API, the American Chemistry Council (ACC), and the Synthetic Organic Chemical Manufacturers Association cosponsored a members-only security conference in Houston early this year. Members shared best practices with one another and heard speakers from the FBI and DOE.
Slaughter said NPRA is in the process of planning another such conference later this year, although no date has been set yet.
NPRA also is a partner association of the ACC's Responsible Care Program, the industry's initiative for improving environmental performance. The ACC is in the process of mandating enhanced security activities for its Responsible Care members, including some of the nation's largest petrochemical plants.
John Connelly, ACC's vice-president for member relations and staff leader of the ACC security team, said the ACC board is expected to approve the new code in June. The Responsible Care program already had security components in six existing codes involving management practices, but the new code will focus exclusively on security.
"In broad terms, it is: prioritize, assess, fill in the gaps, and then verify," Connelly said of the proposed new code, which has specific components dealing with site security, transportation security, and cybersecurity.
Facilities would be prioritized for security risk based upon certain characteristics such as location and the type of chemical produced at that site, Connelly said.
"If a facility were in New York City or in Houston, it would be more attractive as a target because of its proximity to a major population center or a national landmark. If it were in the middle of Nevada, it would be less attractive as a target," Connelly said.
The proposed new code calls for independent third parties to be called upon to verify that any necessary security improvements have been implemented, he said, adding that it's unclear yet who the third parties may be.
Automated control systems
The ACC's cybersecurity concerns involve supervisory control and data acquisition (SCADA) operating systems. These automated control systems are used in oil field production, pipelines, gas gathering systems, refineries and the electric power industry.
Richard Ward of Cambridge Energy Research Associates, Cambridge, Mass., said oil and gas companies are asking themselves: "What will be the impact if somebody were able to send a signal to a valve and tell it to open or close inappropriately?"
Many of the SCADA systems are accessed remotely, meaning that in some cases, the information is carried via the internet.
"We still consider that a very strong vulnerability within the industry because we are all so dependent on automated operational processes," Gillham said.
The NPC study identified telecommunications and information technology as a serious vulnerability in the energy infrastructure.
"We know there are governments hostile to the US that have worked on cyberwarfare, and we have reason to suspect that terrorist organizations would see that as a way to disrupt our economy. So companies are really paying attention and enlarging not only their physical security stance but the same thing with cyberthreats and protection," Gillham said.
The energy ISAC is creating strategic alliances with all the large information technology and telecommunications companies. The strategic alliances also include the producers of hardware and software for the SCADA systems, he said.
"That is an area of concern that we are working hard to ensureellipseis a robust and sound system capable of withstanding attack," Gillham said.
Instead of the internet, secured networks are one option to transmit SCADA information, said Gino Picasso, president and CEO of Iridium Satellite LLC of Arlington, Va.
A venture capital firm that purchased the bankrupt Iridium satellite communications system developed by Motorola Inc., Iridium provides global satellite voice and data solutions.
A short-burst messaging system being developed by Iridium allows for information such as that from SCADA systems to be sent via satellite without ever touching the ground or any other public-switch network, Picasso said.
A wholesaler, Iridium said it is in discussion with its service partners that have potential oil and gas customers interested in short-burst messaging.
The major oil and gas companies already are Iridium customers for voice communications in remote areas, both in and outside the US, Picasso said.
Cybersecurity
Ward said the oil and natural gas industry traditionally is not an aggressive adopter of mainstream cybersecurity devices.
"They were not being negligent, but there wasn't a good financial driver or even a security driver for it. But now, post-Sept. 11, what we are finding is that everybody has pulled together into security auditing," Ward said.
When vulnerabilities are found, the companies then focus on how to fix those weaknesses.
"But the question is: What is the right level of spending? Spending on security essentially is a tax on the business. There is almost no return on a dollar spent on securityellipseIt has no positive impact on revenues," Ward said.
While companies are not being stingy about spending to enhance security, Ward said that senior executives want to do the right thing but they don't want to throw money in abandon for high technology-particularly in the case of the bigger majors having tens of thousands of employees worldwide.
"You can go in and install things like biometric sensors. (Biometrics is the technical analysis of biological data for verifying a person's identity.) You can also very easily go through and make everybody change their password every 30 daysellipse.Yes, it's a hassle, but it's the right thing to do," Ward said.
He predicted the extent to which oil and gas companies adopt more cybersecurity measures hinges upon the success rates in 6 months with mandatory password changes and upon whether industry is still as concerned about security as it is today.
Security technology options
Emerging technology is helping oil and gas companies protect both their physical assets and their informational assets with logical security.
"One of the ramifications of Sept. 11 has been something that was long overdue. It was the clarion call for everyone to evaluate their security practices," said Kurt Stoll, product engineer with Schlumberger Network Solutions.
"There certainly is a lot more emphasis on having things implemented quicker. Companies' budgets are now more specific about providing a security solution specifically addressed to logical access concerns. There has been a lot of focus on large, Windows-based environments. Companies are trying to fill [security] gaps," he said.
Stoll helped develop DeXa.Badge, a personalized, corporate ID card that makes use of "smart card" technology. Most of the major oil and gas companies are already clients or are currently evaluating the firm's technology, he said.
Like the familiar electronic access cards that many people use to gain entrance into parking garages and office buildings, DeXa.Badge includes that but also provides a higher degree of sophistication, including access to corporate servers, encrypting and decrypting email, and enabling digital signatures.
"Up to now, people have relied on user names and passwords, which everybody knows are not very secure-especially if you are using sticky notes to paste them to your terminal," Stoll said.
DeXa.Badge can also keep track of various corporate passwords for an employee regardless of where they may travel. The "smart" login works with the smart card chip to allow secure portability and management of multiple user names and passwords.
Employees plug the card into a reader linked to their computers in order to access corporate servers and computer networks. When the employee logs out of the system or removes the smart card, access is closed and the corporate data is safe.
"A smart card provides at least two-factor authentication, which is why it's so much better than just a password-because first, you have to have it in your possession to use it, and second, you have to know what the PIN number is for that smart card to order to unlock the card to present your secure digital credentials," Stoll said. "The goal of smart cards is to replace weaker forms of password-based access."
Stoll's group is constantly looking to advance security, adding that the next level of authentication, three-factor authentication, would involve biometrics such as a thumbprint scan or an iris scan. Schlumberger is currently involved in a joint effort with Precise Biometrics of Lund, Sweden, to further this technology.
The majors already have asked his group to keep them advised on the prog ress of biometrics technology, he said, adding that he expects the technology to become more affordable and attractive to all industries within 12-18 months.
"Another area that we know is going to grow will be PDAs (personal digital assistants) and wireless," Stoll said, adding that the smart card already has been demonstrated at a trade show using a PDA for wireless use. "Enterprises want increased mobility, but they also want increased security. We are working on solutions that allow them to [have] that."
Security consultants
Oil and gas companies are hiring outside firms to conduct risk assessments and to evaluate security of particular facilities including offshore platforms, pipelines, and refineries.
Jerry Hoffman, president and CEO of ArmorGroup North America, recently addressed the Energy Security Council's annual conference in The Woodlands, Tex.
"One of the things I presented was a little different way of expanding the border of security beyond bricks, mortar, and fences. In other words, you almost get an early warning system out there," Hoffman said.
Before Sept. 11, his firm was hired only once annually to assess a platform's security. Now, the company has done 7-8 already this year, Hoffman said, adding that this effort involves multinational clients.
"The investigative end of our business has increasedellipseWe're now getting involved in due diligence of vendors," providing various services to oil and gas companies, he said.
ArmorGroup North America also has been asked to assess pipelines. "We walk pipelines, we drive pipelines, we overfly pipelines. We work with engineers and pose a scenario that if certain things are done at 'x' location, then what is the contingency plan?"
Hoffman said he helps ensure that a client's crisis management plan is "not just a document on the shelf but a realistic living document."
In the case of both pipelines and refineries, Hoffman's group has given clients an emergency scenario and then worked through the contingency plan with the clients. "That can be a very intense 48-72-hr test," he said.
"What there is right now is a realization that the companies have taken it out of the abstract, and they've put it on the front burner-not necessarily as an eventuality but certainly as a possibility-that could impact earnings per share and shareholders. It goes right down to the bottom line," Hoffman said.
He believes all the assessments and evaluations will result in better security procedures and a higher quality of security staff.
"I would hope that companies are going to continue to have reoccurring assessments and validations that are meaningful for shareholders," he said. "I think we are in a new era of realization that security cannot just be viewed as lower-end on the bottom line. The reality is that we are really in an unknown world right now."
