Energy firms move to thwart cyberattacks

Energy industry giants are preparing to make a major push into the information-sharing arena, hoping that a sophisticated alert system will protect the nation’s critical fuel infrastructure from physical assaults and cyberattacks.

Following a model used in the financial services and high-tech industries, oil and gas companies have formed the Energy Information Sharing and Analysis Center (ISAC). The centre began operating in November among founding members, including Conoco Inc., Duke Energy Corp., ChevronTexaco Corp. and BP PLC. The group intends to push the centre as an industry-standard defence mechanism.

“Maintaining the integrity of those [IT] systems has become an increasing concern in our industry,” said Bobby Gillam, manager for global security at Houston-based Conoco. “We have to make sure that our critical infrastructure is protected from both cyber and physical threats.”

Daily Threats

Sarah Jensen, manager of enterprise IT security at Charlotte, N.C.-based Duke Energy, said that each day, her division tackles threats caused by faulty technology or inadvertently exposed applications, creating the need for round-the-clock vigilance.

“I’d like to grow the ISAC so it makes my job easier,” Jensen said. “My goal is to create one-stop shopping. Right now, I’ve got my staff checking all these different agency and vendors’ sites looking for information.”

Predictive Systems Inc. in New York has been tapped to run the ISAC on a Unix server farm in Reston, Va.

Anish Bhimani, chief technology officer at Predictive Systems, said that previous ISACs the company has run on behalf of the financial services industry and foreign countries have allowed users to post anonymous information and receive classified alerts.

Alerts can be labelled “normal,” “urgent” or “crisis-level.” Bhimani said a tip received two weeks ago gave ISAC members a head start on tackling flawed Simple Network Management Protocol (SNMP) installations. Last week, Computerworld (US) reported on a warning that hundreds of hardware and software products with built-in support for SNMP are vulnerable to attack.

“Every hour counts in these situations,” said Bhimani.

While ISACs do a good job of disseminating alerts from government agencies, energy firms will need to rethink how their IT infrastructures push information out to the rest of the industry, said Gillam.

Mark Evans, CIO at San Antonio-based oil refiner Tesoro Petroleum Inc., noted that it’s difficult to draw information from the Supervisory Control and Data Acquisition systems that run the operations of most oil and gas companies.

“For a long time, we’ve been unable to share that information within our own company,” Evans said. “That’s really the first step.”

Gillam said companies will likely be reluctant to share incident information with federal authorities unless the government can ensure the privacy of that information.

Bhimani said real-time IT capabilities – as well as confidence that shared information can be kept confidential – will be critical.

“Right now, we get a lot of, ‘Here’s what happened, and here’s what we did about it’ submissions, as opposed to, ‘Something just happened, everybody duck’ warnings,” he said. “To get to that next step, it’s going to require some physical and cultural changes in the industry.”

Founding members of the ISAC also plan to establish an IT best-practices list so that users will be able to turn the information into action.