NPC urges government-industry defense against cyber threats
Maureen Lorenzetti
OGJ Online
WASHINGTON, DC, June 6 -- The National Petroleum Council Wednesday urged the US Congress to allow oil and gas companies to share confidential information to protect against cyber attacks.
NPC said industry needs a legal liability and antitrust waiver so it can better protect the nation's refineries, pipelines, and other critical infrastructure.
The council is a 175-member federal committee that advises the US Energy Secretary on oil and gas issues.
NPC also said industry should be given access to law enforcement and intelligence information regarding cyber threats. It said the oil industry should establish its own information clearinghouse, operated by a service provider designated by the members.
The NPC approved these and other recommendations in a 2-year study, "Securing Oil and Natural Gas Infrastructures in the New Economy." The Bush administration is expected to embrace the report: Vice-Pres. Dick Cheney oversaw most of the study while he was chairman of Halliburton Co.
The study also called for greater government coordination among federal, state, and local authorities to minimize jurisdictional conflicts if a major emergency occurs. Government-funded research and development should address national security and other key critical infrastructure protection, NPC said, with the understanding that industry should help prioritize where funding should be earmarked.
NPC drafted the study in response to an April 1999 request from Energy Sec. Bill Richardson. The Clinton administration's Commission on Critical Infrastructure Protection studied the vulnerabilities of the oil, gas, and electric power industries.
The NPC report said US oil and gas infrastructures are especially difficult to protect from cyber threats because of the vast expanse of the physical assets: 602,000 oil wells, 30,000 miles of gathering pipelines, 74,000 miles each of crude and product pipelines, and 2,000 petroleum terminals. For natural gas, the numbers are similarly massive: 276,000 wells, 45,000 miles of gathering pipelines, 254,000 miles of transmission pipelines, and 410 underground storage fields.
Some of those assets are more vulnerable to cyber threats than others. And some physical structures are critical to the country's national security, NPC said.
Critical assets include oil and gas transmission pipelines, oil pumping stations and gas compressor stations, storage, and distribution. If damaged, these pieces of the country's infrastructure "could cause major disruptions that would have regional and possibly national or international impacts, and of sufficient duration to cause death and end users major hardship and economic loss."
Risk management
Nevertheless, NPC stressed that there is some room for optimism.
It noted that the oil and natural gas industries have a successful record of physical security and companies are accustomed to risk management.
But NPC said a combination of factors, including downsizing, increased asset utilization, and market globalization, has left the industry more exposed to threats from cyberterrorists -- largely because it has grown increasingly dependent on information technology and telecommunications to perform tasks like refinery inventory or pipeline pressure controls.
NPC said, "In the past, most oil and gas vulnerabilities and threats could be negated by physical means. We used gates, guns, and guards (the fortress mentality) to protect our 'critical assets' -- and for the most part it worked. However, today the physical fortress can be rapidly bypassed by the 'electronic key.' It's a significant shift, analogous to the change between the old versus new way of doing business."
NPC added that while the oil and gas sector's physical footprint appears the same (wells, gathering systems, processing facilities, and transmission and distribution systems), the approach to operating the industries, from a physical and business perspective, has changed.
"For example, systems that control operating processes within refineries, along pipelines, and in producing fields were previously closed and proprietary. These control processes are now moving toward open architecture and commercially available software. Also, much of the raw material and product that is purchased and sold is accomplished using electronic-based futures markets. Because of the alterations in equipment configuration and corporate reengineering, many of the changes are essentially irreversible."
"Cyber threats" can come from a variety of sources, NPC noted. These include hardware and software failures, human error, acts of disgruntled employees, outside hackers, and consolidating systems from a merger.
NPC said the government-industry approach to prevent Year 2000 computer problems was a good model.
"It emphasized the risks faced by the government and private sectors due to the interconnectivity and interdependency of their respective critical infrastructures. Y2K also demonstrated that significant challenges to national interests could be addressed through information exchange, the removal of legal barriers, and elimination of the fear of federal, state, and local intervention."
NPC's recommendations now go to Energy Sec. Spencer Abraham, who is expected to act on many of the administrative proposals as part of an interagency cyber security initiative (OGJ, June 4, 2001, p. 32).
Congressional action on the legislative recommendations is less predictable. But the General Accounting Office, a congressional watchdog agency, recently told a Senate committee the private sector needs to better define to government officials what kind of data is needed to combat computer-based attacks.
Some industry officials fear that recent calls by both Republican and Democratic lawmakers to investigate alleged gasoline price-fixing may discourage efforts to loosen antitrust laws, even if narrowly.