This article is a late-breaking adjunct to the special report that begins on p. 66.
The US oil and gas industry is often at odds with the federal government over the role regulators play in meeting public policy goals. Public lands access, environmental stewardship, and trade issues are a frequent sparring ground.
But in one area, cybernetic security, it appears that government and industry are working in tandem to ensure that the industry's critical infrastructure, whether it is a pipeline, refinery, or service station pump, is protected against computer hackers.
Evidence of this cooperation was reinforced June 6, when the National Petroleum Council released its recommendations from a 2-year study entitled "Securing Oil and Natural Gas Infra struc tures in the New Economy."
"In the past, the oil and natural gas industries have effectively protected physical facilities. The protection of cyber systems has not kept pace with companies' ever-increasing dependence on them," NPC said.
The study reviewed the potential vulnerabilities of the oil and gas industries to attack, both physical and cyber, and provided advice on policies and practices that industry and government, separately and in partnership, should adopt to protect or recover from such attacks.
NPC is a 175-member federally chartered and privately funded advisory committee that represents oil and gas industries to the US Department of Energy .
Specifically, NPC called on Congress to pass legislation that would allow oil and gas companies to share confidential information in the name of cyber security. NPC said that targeted liability and antitrust relief is needed from regulators so that industry can do a better job protecting the nation's refineries, pipelines, and other critical infrastructure.
The NPC study also urged that industry be able to gain access to law enforcement and intelligence information now available only to government employees.
The group also called on industry to establish its own nonprofit, cooperative organization that would act as an information clearinghouse for its members and be operated by a service provider designated by the members.
Study organization
It's a safe assumption that the White House heartily supports the report; Vice-Pres. Dick Cheney oversaw most of the study when he was chairman of Hallibur ton Co. Cheney resigned from the NPC study committee that oversaw the report on Aug. 16, 2000, to campaign for the Republican Party ticket. David Lesar, Cheney's successor at Halliburton, replaced him.
Eugene Habiger, then director of DOE's Office of Security and Emergency Operations, served as the study group's cochair. Twenty-two top decision-makers in industry, government, and academia were represented, including the CEOs of Conoco Inc., Texaco Inc., Enron Corp., ExxonMobil Corp., Royal Dutch/Shell Group, Hunt Oil Co., Duke Energy Corp., Phillips Petroleum Co., and Dynegy Inc.
Other recommendations included in the report call for greater government coordination among federal, state, and local authorities to minimize jurisdictional conflicts if a major emergency occurs. Govern ment-funded research and development should address national security and other key critical infrastructure protection, NPC said, with the understanding that industry should help prioritize where funding should be earmarked.
NPC wrote the study in response to an April 1999 request from then-Sec. of Energy Bill Richardson for the council's advice "on cooperative approaches to protecting the critical infrastructure of the United States oil and gas industry."
Richardson's request was part of a larger interagency effort begun by the administration of President Bill Clinton that has carried through to the administration of President George W. Bush as well.
Then-President Clinton wanted the interagency group, called the Commission on Critical Infrastructure Protection, to gather information on how best to protect oil, gas, and electric systems from harm. Energy was just one of several sectors studied.
Other areas government experts looked out included telecommunications, national defense, banking and finance, transportation, water systems, and emergency services (public and private).
US oil and gas infrastructures are especially difficult to protect from cyber threats because of the sheer range of physical assets that can span thousands of miles.
The statistics listed in the report are daunting: on the oil side, NPC listed 602,000 wells, 30,000 miles of gathering pipelines, 74,000 miles each of crude and product pipelines, and 2,000 petroleum terminals.
For gas, the numbers are similarly massive: 276,000 wells, 45,000 miles of gathering pipeline; 254,000 miles of transmission pipeline, 410 underground storage fields, and 54 LNG facilities (see table).
Some of those assets are more vulnerable to cyber threats than others.
And some physical structures are so important that the country's national security could be seriously at risk if invaded.
Critical assets in clude oil and natural gas transmission pipelines, oil pumping and natural gas compressor stations, and storage and distribution facilities. If damaged, these pieces of the country's infrastructure "could cause major disruptions that would have regional and possibly national or international impacts, and of sufficient duration to cause death and end users major hardship and economic loss (Fig. 2)."
Risk management
Nevertheless, NPC stressed that there is some room for optimism amid the doom and gloom that predominates the report. The reason? The oil and natural gas industries have a successful record of physical security, and they are no stran ger to risk.
US companies have been going increasingly overseas to find and develop oil and gas reserves and face more uncertainty than at home, whether it is from a natural disaster or a man-made scenario.
But a combination of factors, including downsizing, increased asset utilization, and market globalization have left industry exposed to threats from cyber terrorists.
That's because the oil industry, like any other commodity business, has grown increasingly dependent on information technology and telecommunications to get its job done, whether it is inventory control in a refinery or ensuring proper pressure on a pipeline.
Point of no return
"In the past, most oil and gas vulnerabilities and threats could be negated by physical means. We used gates, guns, and guards (the fortress mentality) to protect our 'critical assets'-and for the most part, it worked," the NPC study noted. "However, today the physical fortress can be rapidly bypassed by the 'electronic key.' It's a significant shift, analogous to the change between the old versus new way of doing business."
NPC added that while the oil and gas sector's physical footprint appears the same (wells, gathering systems, processing facilities, transmission and distribution systems), the approach to operating the industries, from a physical and business perspective, has changed.
"For example, systems that control operating processes within refineries, along pipelines, and in producing fields were previously closed and proprietary. These control processes are now moving toward open architecture and commercially available software. Also, much of the raw material and product that is purchased and sold is accomplished using electronic-based futures markets. Because of the alterations in equipment configuration and corporate reengineering, many of the changes are essentially irreversible," NPC said.
The exact nature of "cyber threats" can come from a variety of sources, NPC noted. These include hardware and software failures, human error, acts of disgruntled employees, outside hackers, and consolidating systems from a merger.
Y2K good start
Luckily, industry is not starting at ground zero. The report noted that the recent Year 2000 exercise was a "good first start" upon which industry can build.
"The Y2K experience provides a good 'go-forward' model for government and industry. It emphasized the risks faced by the government and private sectors due to the interconnectivity and interdependency of their respective critical infrastructures," NPC said. "Y2K also demonstrated that significant challenges to national interests could be addressed through information exchange, the removal of legal barriers, and elimination of the fear of federal, state, and local intervention."
NPC recommendations now go to the secretary of energy, who is expected to act on many of the administrative proposals as part of an ongoing interagency cyber security initiative (OGJ, June 4, 2001, p 32).
It's still too soon to tell when or how Congress may choose to move forward on the group's legislative proposals.
But the General Accounting Office, in recent testimony before a Senate committee, said the private sector needs to better define to government officials what kinds of data are needed to combat computer-based attacks, the independent agency said.
Some industry officials fear, however that recent calls by both Republican and Democratic lawmakers to investigate alleged price-fixing by some energy companies may discourage congressional support to loosen antitrust laws, even if it is a narrow exemption.
The NPC study is an important first step to help educate lawmakers and their constituents, industry says.
But the report's recommendations are not set in stone.
Rather, they are "dynamic," reflecting that the industry itself is in the midst of significant change brought on by consolidation and new technological advan ces.
"[NPC] recognizes that some of the issues addressed in this report must be explored in greater depth and that some of the recommendations may warrant follow-on investigation. It is the intent of the NPC that this report will provide a basis for constructive debate and serve as a foundation for the next steps in developing a viable blueprint for the energy industry and the nation," NPC said.