NATIONAL PETROLEUM COUNCILchnm.gmu.edu/cipdigitalarchive/files/219_NPC... · Petroleum Council’s...

SECURING OIL AND NATURAL GAS INFRASTRUCTURES IN THE NEW ECONOMY

A report by the National Petroleum Council
Committee on Critical Infrastructure Protection
David J. Lesar, Chair

June 2001

NATIONAL PETROLEUM COUNCIL

Archie W. Dunham, Chair
William A. Wise, Vice Chair
Marshall W. Nichols, Executive Director

U.S. DEPARTMENT OF ENERGY

Spencer Abraham, Secretary

The National Petroleum Council is a federal advisory committee to the Secretary of Energy. The sole purpose of the National Petroleum Council is to advise, inform, and make recommendations to the Secretary of Energy on any matter requested by the Secretary relating to oil and natural gas or to the oil and gas industries.

All Rights Reserved
Library of Congress Catalog Card Number: 2001091810

© National Petroleum Council 2001
Printed in the United States of America

Table of Contents

Executive Summary ........ 1
  Introduction ........ 1
  Findings ........ 3
  Recommendations ........ 7

Chapter 1: The New Business Environment ........ 11
  U.S. Business Structure ........ 11
  The Oil and Natural Gas Industries ........ 12
  Findings and Conclusions ........ 14

Chapter 2: Vulnerabilities, Consequences, & Threats ........ 17
  Vulnerabilities, Consequences, and Threats ........ 18
  Information Technology and Telecommunications ........ 21
  Globalization ........ 24
  Business Restructuring ........ 26
  Interdependencies ........ 28
  Political and Regulatory Issues ........ 30
  Physical and Human Factors ........ 32
  Natural Disasters ........ 35
  Findings and Conclusions ........ 35

Chapter 3: Risk Management ........ 39
  Risk Management as a Tool to Enhance Critical Infrastructure Protection ........ 39
  The Oil and Natural Gas Industries' Perspective ........ 40
  Financing Losses through Insurance ........ 46
  The Y2K Experience ........ 47
  Findings and Conclusions ........ 48

Chapter 4: Response and Recovery ........ 49
  Current State of Industry Response and Recovery Planning ........ 49
  Best Practices to Enhance Response and Recovery ........ 54
  Findings and Conclusions ........ 56

Chapter 5: Information Sharing ........ 59
  Information Sharing ........ 59
  Information Sharing Status of Other Critical Infrastructures ........ 61
  Information Sharing Requirements for the Oil and Natural Gas Industries ........ 62
  Issues and Challenges for Information Sharing ........ 63
  Information Sharing Recommendations ........ 65
  Sector Coordination ........ 65
  Sector Coordination Recommendations ........ 66
  Findings and Conclusions ........ 67

Chapter 6: Legal and Regulatory Issues Related to Information Sharing ........ 69
  Legal Obstacles to Information Disclosure and Sharing ........ 69
  Examples of Information Sharing Partnerships ........ 75
  Legislative Initiatives to Encourage Information Sharing ........ 76
  Findings and Conclusions ........ 77

Chapter 7: Research and Development Needs ........ 79
  Proposed Research and Development Needs ........ 79
  Findings and Conclusions ........ 81

Appendices
  Appendix A: Request Letters from Secretary of Energy and Description of the National Petroleum Council ........ A-1
  Appendix B: Study Group Rosters ........ B-1

Acronyms and Abbreviations ........ AC-1

Executive Summary

INTRODUCTION

Based on the finding of a growing potential vulnerability, the President of the United States issued, in May 1998, a directive outlining the Administration's policy on critical infrastructure protection. An accompanying White Paper to the directive states:

Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. They include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private. Many of the nation's critical infrastructures have historically been physically and logically separate systems that had little interdependence. As a result of advances in information technology and the necessity of improved efficiency, however, these infrastructures have become increasingly automated and interlinked. These same advances have created new vulnerabilities to equipment failures, human error, weather and other natural causes, and physical and cyber attacks. Addressing these vulnerabilities will necessarily require flexible, evolutionary approaches that span both the public and private sectors, and protect both domestic and international security.

Study Request

In response to the President's policy directive, the Secretary of Energy requested the National Petroleum Council's (NPC's) advice "on cooperative approaches to protecting the critical infrastructure of the United States oil and gas industry."

In his April 7, 1999 letter, the Secretary specifically asked the Council to:

• Review the potential vulnerabilities of the oil and gas industries to attack, both physical and cyber

• Provide advice on policies and practices that industry and government, separately and in partnership, should adopt to protect or recover from such attacks.

(See Appendix A for the full text of the Secretary's request letter and a description of the National Petroleum Council.)

Study Organization

The NPC established the Committee on Critical Infrastructure Protection to respond to the Secretary's request. The Committee was chaired by Richard B. Cheney, Chairman of the Board and Chief Executive Officer, Halliburton Company, until August 16, 2000. He was replaced by David J. Lesar, Chairman of the Board, President, and Chief Executive Officer, Halliburton Company. Eugene E. Habiger, then Director of the Office of Security and Emergency Operations, U.S. Department of Energy, served as the Committee's Government Cochair. A Coordinating Subcommittee was formed to assist the Committee in conducting the study and preparing a draft report for the NPC's consideration. This Subcommittee was chaired by Charles E. Dominy, Vice President, Government Affairs, Halliburton Company. Paula L. Scalingi, Director of the Office of Critical Infrastructure Protection, U.S. Department of Energy, served as the Subcommittee's Government Cochair. (See Appendix B for rosters of the Committee and Coordinating Subcommittee.)

Background

Over the past decade, the world has been changed by the information technology and telecommunications (cyber) revolution. As a result of these changes, global institutions have become more effective and productive.

Because of the pervasive use of cyber systems, they have become an interwoven part of the critical infrastructures. The United States, as does the rest of the world, faces an increasing number of threats to its infrastructures that are essential in times of peace and war. The threats faced are not only the traditional ones of natural disasters, human error, and attacks on physical assets, but now include threats to the cyber systems upon which today's economy is so dependent.

In the past, the oil and natural gas industries have effectively protected physical facilities. The protection of cyber systems has not kept pace with companies' ever-increasing dependence on them. The oil and natural gas industries have undertaken this study to better understand potential vulnerabilities and study methods for mitigating them.

Among the initiatives undertaken by the federal government related to infrastructure protection, two form the basis of the request for this study: the President's Commission on Critical Infrastructure Protection and Presidential Decision Directive 63. Undoubtedly, there will be more efforts in this area as the use of cyber-based systems expands globally.

The President’s Commission

In July 1996, the President of the United States established the President's Commission on Critical Infrastructure Protection. The Commission's purpose was to assess the vulnerabilities of existing infrastructures and to recommend a comprehensive national policy and implementation strategy for protecting our nation's critical infrastructures. In its October 1997 report, Critical Foundations: Protecting America's Infrastructures, the Commission identified eight critical infrastructures that are considered to be so vital that their incapacity or destruction would have a debilitating effect on our defense and economic security. These infrastructures are information and communications (telecommunications), banking and finance, water supply, electric power, oil and natural gas, transportation, government services, and emergency services (including medical, police, fire, and rescue).

Since many of these critical infrastructures are owned and operated by the private sector, as is the case for the oil and natural gas infrastructure, it is essential that the government and private sector work together. This theme of partnership in addressing critical infrastructure protection needs was embraced by the Commission and emphasized in its final report, Critical Foundations.

Presidential Decision Directive 63

In May 1998, President Clinton issued Presidential Decision Directive 63, Protecting America's Critical Infrastructures, which built on the recommendations of the President's Commission that called for a national effort to ensure the security of the nation's critical infrastructures. The goal of the decision directive was that critical infrastructure protection programs would reach "initial" operating capability in the year 2000, and full capability no later than 2003.

The directive provided a framework for working with the identified critical infrastructure sectors to develop individual plans and meet the directive's goals. Each sector would be led by its governmental regulatory department or agency. The "lead agency" would appoint a "sector coordinator" to work with each of its sectors.


The energy sector's lead agency is the Department of Energy. The Department of Energy asked the North American Electric Reliability Council to be the electric power sector coordinator. As an interim measure, the National Petroleum Council was asked to be the sector coordinator for the oil and natural gas industries. At the request of the Department of Transportation, oil and gas pipelines were added to the area being addressed by the National Petroleum Council. As outlined in this study, others in the oil and gas industries will assume the role of sector coordinator when this study is forwarded to the Secretary of Energy.

Status of Federal Critical Infrastructure Protection Activities

In February 2001, President Bush submitted to Congress a report on the status of federal critical infrastructure protection activities.[1] The report also reviewed government and industry progress toward the objectives outlined in Presidential Decision Directive 63.

Study Report

This NPC report suggests actions for identifying and reducing infrastructure vulnerabilities within the oil and natural gas industry sector. It raises the level of awareness and understanding of these new critical infrastructure protection challenges within our industry and government. It presents the business case for moving forward in this new business environment, adopting critical infrastructure protection thinking as part of the foundation of acting in the best interests of a company. It identifies the issues and the steps forward that the oil and natural gas industries and the government will need to implement, in partnership, to ensure the integrity and continuity of the industries' infrastructure.

This report's recommendations are intended to be dynamic, reflecting the fact that the industry is in the midst of significant change. Even the understanding of critical infrastructure protection is still evolving. While the Secretary's letter specifically mentioned attacks, the scope of the study has expanded beyond that to include many potential disruptions and vulnerabilities. Energy infrastructures are inextricably linked with other critical infrastructures, and, as a result, a holistic perspective on critical infrastructure protection is essential.

The National Petroleum Council recognizes that some of the issues addressed in this report must be explored in greater depth and that some of the recommendations may warrant follow-on investigation. It is the intent of the NPC that this report will provide a basis for constructive debate and serve as a foundation for the next steps in developing a viable blueprint for the energy industry and the nation.

FINDINGS

New Business Environment and Critical Supporting Infrastructures

Society has moved from a model of gradual change to one of exponential change because of development and reliance on cyber and other electronic systems. Such change is pervasive, throughout every aspect of business, government, and personal lives. Advances are expected to continue at an exponential rate, affording no return to the traditional model. Significant advances in information technology (IT) and telecommunications are enabling the change to a new, interconnected, global economy. With these advances, the nature of security issues is expanding to include threats and vulnerabilities associated with cyber and other electronic systems. The new economy is supported by and increasingly dependent on several critical infrastructures as identified by the President's Commission on Critical Infrastructure Protection:

• Oil and natural gas

• Electric power

• Information and communications (telecommunications)

• Transportation

• Banking and finance

• Water supply

• Government services

• Emergency services (including medical, police, fire, and rescue).

[1] http://www.ciao.gov/CIAO_Document_Library/CIP_2001_CongRept.pdf

Oil and Natural Gas Industries in the New Economy

The oil and natural gas industries provide almost 62% of the energy used in the United States. These energy sources are vital and directly underpin much of the U.S. economy. The oil and natural gas industries are experiencing the same exponential changes as the rest of the economy. While this sector's physical footprint appears the same—wells, gathering systems, processing facilities, transmission systems, and distribution systems—the approach to operating the industries, both from a physical and business perspective, has changed. Many of the changes are directly linked to the burgeoning use of electronic communications and have resulted in modifications such as the use of advanced electronic control systems and business arrangements based on electronic transactions. For example, systems that control operating processes within refineries, along pipelines, and in producing fields were previously closed and proprietary. These control systems are now moving toward open architectures and commercially available software, which means their weaknesses are no longer obscure to outsiders. Also, much of the purchasing and selling of raw material and product is accomplished through electronic-based futures markets. Because of the alterations in equipment configuration and corporate re-engineering, many of the changes are essentially irreversible.

Today, organizational changes such as mergers, alliances, and joint ventures have resulted in organizations that no longer resemble the energy companies of the past. These changes have resulted in the transformation of service companies, and blurred the lines between traditional oil, natural gas, power, and pipeline companies.

New Electronic and Interconnected Economy

Information is becoming universally and instantaneously available. This is leading to a strong global business network available to all regardless of size, financial strength, or purpose. The growth in the availability of and dependence on electronic systems, due to the expectation of synergy, has created a marked increase in the interdependence of entities. Information is more transparent, difficult to protect, and easily transferred. These electronic systems are interconnected globally, making traditional physical boundaries less important.

The critical infrastructures outlined by Presidential Decision Directive 63, including those of the oil and natural gas industries, have a common dependency on IT and telecommunication systems. Additionally, electric power and water supply systems use supervisory control and data acquisition (SCADA) systems similar to those used by the oil and natural gas industries, so a weakness in a widely deployed SCADA product is shared across sectors. As time passes, an increasing amount of information is available in an electronic format. Consequently, information is subject to either accidental or deliberate corruption, theft, or denial of access. Organizations have to deal with the challenge of information assurance as a condition of doing business in today's world.

Vulnerabilities, Consequences, and Threats

The introduction of cyber technologies has increased risks in the oil and natural gas industries. The traditional security approach has been to physically protect personnel and property from human error or natural disasters. Emergency plans to deal with such events remain in place. However, processes are inadequate to deal with the changes that are accompanying the increased dependence on cyber and other electronic systems. This critical reliance is a recent phenomenon resulting in new threats and a high level of vulnerability because the development and adoption of processes to ensure security in this area has not kept pace. The new weapon is electronic bits, versus bombs in the old paradigm.

In this new paradigm, individuals and groups, from hackers to organized terrorists, have the ability to simultaneously attack multiple sites. Because the details of successful attacks are often disseminated to a wide audience, they often become the blueprint for additional attacks. Beyond cyber attacks, human error and normal system failures continue, which, because of the growing level of interconnectivity of systems, have the capability of doing far more damage than in the past. The consequences of these attacks and failures are more difficult to predict, and potentially more extensive.

The reliance on cyber technologies creates the opportunity for interrupted communications, false or misleading transactions, fraud, or breach of contracts, and can result in potential loss of service, loss of stakeholder confidence, or the failure of the business itself. The due diligence standards in this new environment remain ill defined and transitory. Also, when infrastructure disruptions occur, conflicts of interest can develop between the various entities involved that inhibit response, restoration of service, and future infrastructure protection.

Risk Management and Vulnerability Mitigation

In addressing risk management and vulnerability mitigation, the study concluded that companies in the oil and natural gas industries will benefit from conducting periodic vulnerability assessments of their own systems and operations, both physical and electronic. In many situations, the global nature of doing business today has resulted in an intertwining of cyber systems between organizations. Therefore, assessments of partners' vulnerabilities, with joint vulnerability mitigation efforts, may be important to protect business relationships. The vulnerability of interdependencies with other infrastructures should also be an inherent part of these assessments.

Response and Recovery

Most companies understand and are able to handle their own physical infrastructure disruptions. Cyber response and recovery capabilities and processes are not as mature as those developed to handle physical incidents. Increased use of automation, increased interconnectedness, just-in-time business models, and interdependencies can potentially result in regional, national, or international incidents and impacts. The increasing use of information and communications technology and the potential for these broader consequences are generating new challenges for response and recovery planning.

These increasingly complex response and recovery environments dictate that plans be periodically tested to ensure they will manage emergencies and reduce risk for all stakeholders. This new business environment dictates that companies include key stakeholders, such as business partners, suppliers, customers, and representatives from local and state governments, in response and recovery tests and exercises.

When infrastructure disruptions occur, the roles and responsibilities of local, state, and federal governments often conflict. These conflicts of interest regarding jurisdiction impede timely restoration of service and can also inhibit timely development of infrastructure protection processes. Timely and actionable information is important for effective response to threats or incidents, as well as for successful recovery actions. Companies can benefit by having an effective internal information-sharing mechanism to receive, analyze, and disseminate incident information to enhance response and recovery.

Information Sharing and Sector Coordination

In the oil and natural gas industries, only limited capabilities exist for sharing information on physical and cyber incidents, threat assessments, and vulnerabilities. Receipt of real-time information is critical in protecting the oil and natural gas infrastructures, and rapid reporting of incidents is vital. A broader base of participation in information sharing enhances the timely flow of information. Sharing of information, however, raises uncertainty concerning liability, privacy, and antitrust issues. Centralized collection of specific vulnerability data could create a source of information that could be used for nefarious purposes. Under current law, there is uncertainty about the government's ability to keep information from public release. Such a release could result in loss of investor confidence, shareholder value, and business reputation.

This study concludes that information sharing related to threats and responses to threats would be beneficial to the oil and natural gas sector. Of the three general models for implementing an information sharing mechanism (reliance on industry staff, use of an industry-directed service provider, or a hybrid government/industry management), the industry-directed service provider model is the most efficient and appropriate for the oil and natural gas sector.

A permanent sector coordinator should be designated to lead the critical infrastructure information sharing effort and to be the focal contact point for other oil and natural gas industries critical infrastructure issues.

Legal and Regulatory Uncertainties in the New Economy

There are many legal uncertainties regarding the electronic aspects of the new economy. While laws and legal procedures are emerging, they have yet to be tested by the judicial process in any significant way. International law, where it exists, often varies from U.S. law and is either more or less stringent, or conflicting. Risks associated with cyber and other electronic systems often involve intangible, highly uncertain potential losses.

Corporate structures are changing, with mergers, joint ventures, alliances, and increased dependence on outsourcing. Consequently, the oil and natural gas industries have become more reliant on contract law. A variety of efficiency moves are now commonplace and often involve non-U.S. entities, making national differences in legal approach an added complexity. There has been a shift of the energy enterprise among providers, marketers, and systems. These accelerated changes in ownership, along with changes in industry roles and responsibilities, are occurring throughout the industry. Business restructuring is moving from the traditional "wires" and "pipes" business to non-traditional investments (e-business activities). All of these changes impact the robustness of the oil and natural gas infrastructure.

Research and Development

When considering critical infrastructure protection research and development (R&D) in areas such as information technology, the oil and natural gas industries do not have unique expertise, and primarily rely on commercial providers to conduct the necessary R&D. The government conducts a broad range of R&D activities in this area, the results of which could be used to meet infrastructure protection, mitigation, and response and recovery needs by the oil and natural gas industries. This includes R&D on information assurance and other national security areas. The government should assure through consultation with industry that R&D pursued reflects industry and government needs, and is not redundant with private-sector efforts. There needs to be an effective method for providing greater technology transfer to industry, particularly from its national defense and other classified research programs.

The Successful Y2K Model

The Y2K experience provides a good "go forward" model for government and industry. It emphasized the risks faced by the government and private sectors due to the interconnectivity and interdependency of their respective critical infrastructures. Y2K also demonstrated that significant challenges to national interests could be addressed through information exchange, the removal of legal barriers, and elimination of the fear of federal, state, and local government intervention.

RECOMMENDATIONS

Based on the findings of this study, the National Petroleum Council recommends that industry and government take the following specific actions to better protect the critical infrastructures of the oil and natural gas industries. The business case for taking proactive measures is persuasive and instructive. The energy industry cannot do this alone. The challenges of the new economy and the increasing interdependencies among and within our infrastructures necessitate that industry work with other sectors, and with federal, state, and local governments.

Vulnerability Assessments, Information AssuranceProcess, and Planning Recommendations

• Vulnerability/Risk Management Assess-ments. Each company should regularlyconduct vulnerability assessments of its ownsystems and operations and take action asappropriate. In addition, each company shouldconduct assessments of its partners’ vulnera-bilities. Risk management processes should bereviewed to ensure that both electronic andphysical security is included.

• Information Assurance Process. Industry andgovernment should advocate the development,adoption, and implementation of global ITmanagement processes to reduce vulnera-

bilities of the cyber and other electronicsystems on which the oil and natural gasindustries are dependent. A good example ofsuch a process is the International StandardsOrganization (ISO) 17799, “The Standard forInformation Security Management.”

• Response and Recovery Planning. The oil and natural gas industries should enhance their response and recovery plans as they relate to information technology system disruptions, while continuing their traditional role of maintaining and implementing plans for disruptions to physical facilities. Individual companies should consider engaging in regional response and recovery planning and exercises to deal with disruptions to physical and cyber infrastructures resulting from natural disaster, system failure, human error, or sabotage. Additionally, industry must take into account the challenges of the new business environment, including infrastructure interdependencies, and enhance response plans to ensure they are adequate and coordinated with those of other infrastructures and with regional, state, and local emergency response programs.

Information Sharing and Sector Coordination Recommendations

• Information-Sharing Mechanism. The oil and natural gas industries should establish a secure information-sharing mechanism to collect, assess, and share with their members information on physical and electronic threats, certain vulnerabilities, incidents, and solutions/best practices. This mechanism also would gather and receive information from government, technology providers, and other information-sharing mechanisms. The specific type of mechanism recommended is commonly called an information sharing and analysis center (ISAC). Of the three general models for ISACs, the industry-directed service provider model is the most efficient and appropriate for the oil and natural gas sector. Under this model, the oil and natural gas industries’ ISAC would likely be a non-profit, cooperative organization.

• ISAC Membership. Under the current law and legal environment, the ISAC would only share information within the oil and natural gas industries. Therefore, membership would initially be restricted to private-sector companies operating in the oil and natural gas industries. Consideration should be given to allowing industry associations to join in order to disseminate information to smaller oil and natural gas companies. Private companies that share similar technologies, such as those in the electric and water supply industries, may be encouraged to join at a later time. Eventually this may be extended to other entities, as interrelationships become apparent.

• Implementation. The oil and natural gas industries will take the lead in establishing a board, which will investigate, develop, and implement an ISAC for the sector.

• Sector Coordination. While no organization represents all segments of the oil and natural gas industries, it is recommended that the Secretary of Energy formally acknowledge the designee of the governing body of the oil and natural gas industries’ ISAC as the sector coordinator.

Government Action Recommendations

• Legislative Actions. The federal government should enact legislation to facilitate information sharing with and among sector components. Communications with government involving critical infrastructure protection information should be exempted from the provisions of the Freedom of Information Act. Also, legislation should be enacted to provide liability and antitrust relief for critical infrastructure protection information sharing similar to the law covering Y2K activities. While the need for individual privacy is recognized, that need must be balanced against the critical nature of protecting infrastructures as regulations are formulated and laws are enacted.

• Access to Law Enforcement and Intelligence Information. The industry would benefit from real-time, relevant vulnerability and threat information that is only available to government under current conditions. Government and industry should work together to develop processes that ensure the sharing of relevant information.

• International Initiatives. The federal government should use all means available to encourage countries to enact globally consistent laws addressing the interconnected, electronic commercial marketplace. The government could use the same approach to encourage the development and adoption of global technical standards and uniform business practices to reduce the vulnerabilities of cyber and other electronic systems. The government should undertake collaborative efforts with other nations to enhance global infrastructure assurance.

• Holistic Approach to Energy Critical Infrastructure. All components of U.S. energy sectors should be viewed as a single energy infrastructure in the implementation of critical infrastructure protection. U.S. energy components (i.e., oil, natural gas, electric power, other energy sources, and their transportation modes) are converging with each other in the marketplace.

• Response and Recovery Activities. Federal, state, and local governments should ensure coordination of response and recovery activities for significant disruptions that require actions beyond the capabilities or purview of individual companies in the oil and natural gas sector. Preplanning should be undertaken to minimize jurisdictional conflicts among government entities during the response to and recovery from a major emergency.

• Research and Development Activities. Government-funded research and development should address national security and other key critical infrastructure protection, mitigation, response, and recovery needs that transcend individual companies in the oil and natural gas sector, with other areas being the focus of R&D by commercial technology providers. The federal government should work with industry to focus and prioritize its funding of critical infrastructure protection research and development. Government should also provide for the rapid transfer to the private sector of government-funded R&D applicable to critical infrastructure protection, especially in the information technology and telecommunications areas.

• Continued Support for Critical Infrastructure Protection Initiatives. The government should continue its critical infrastructure protection initiatives, working closely with the oil and natural gas industries and other critical infrastructures to protect the country’s national security, economic health, and social well-being. The government should be organized to effectively interact with industry on a broad range of mutual critical infrastructure protection issues.


CHAPTER 1

The New Business Environment

Most of the understanding of the oil and natural gas business is founded on what can be viewed as the “old business environment.” This environment evolved over a century during which there were many significant social, economic, and technological changes that shaped the world in which the oil and natural gas business existed. Over the past decade, there have been many changes in U.S. business structure that have caused significant shifts in the way in which business is done. These changes have been so great that a “new business environment” has emerged.

The oil and natural gas industries find themselves in a world that is more complex due to unprecedented social and technological change in timeframes that were unimaginable a decade ago. In order to compete in the new business environment, it has been necessary for the oil and natural gas industries to place a critical reliance on electronic infrastructure. The industries have long been able to adequately protect their physical infrastructures. However, the addition of the electronic infrastructure to the mix has resulted in new concerns regarding physical infrastructure protection as well as for protection of the electronic infrastructure itself. Electronic tools have been developed at a rapid rate and have been quickly incorporated by the oil and natural gas industries in their electronic infrastructure. The pace at which these changes have taken place has been so fast that adequate measures for critical infrastructure protection have lagged behind. A holistic approach to security that includes cooperation between the private and public sectors is necessary if exposure to unacceptable risk is to be avoided in the new business environment.

U.S. BUSINESS STRUCTURE

Today the business community in the United States is composed of a mix of differing structures. At one extreme there are the “old business” models where capital investment and slow change are major components. At the other end is the “new business” model where rapid deployment of information and globalization are the primary operating factors. Typically the oil and natural gas companies were representative of the “old business” model, while the “new business” model was perceived as the companies in the e-business driven digital economy. While it was convenient to think in this stratified manner, there are few organizations that are either one or the other. In most cases, organizations that exist today are rapidly employing the information techniques that typify the “new business” model companies.

Today the U.S. business system has entered what can be thought of as the new business environment.

• Today’s business environment is markedly different from experiences of the past because of the rapidity at which change takes place.

• A distinguishing feature is the increase in the formation of new business organizations ranging from mergers to joint ventures and, often, new entrants into businesses through acquisition of facilities.

• Organizations have expanded in geographical scope, often moving from local or regional to national or global in nature.

• Operations have increasingly become automated, not only at specific sites, but at remote locations, allowing operations for a widely dispersed organization to be controlled from one location.

• Advances in information technology and telecommunications have permeated all aspects of the new business environment, resulting in creative business models, e.g., business-to-business, business-to-consumer, and electronic commodity trading.

These factors, when combined with rapidity of communication and transparency of marketplace fundamentals, have led to reductions in workforce size, changes in the skill characteristics required in the workforce, a just-in-time focus in operations, and a significant increase in the interdependence of organizations.

While business has been a major recipient of change, the customer and governments have not been left out. The customer expects to be the ultimate recipient of the benefits of the new mode of doing business. Conversely, the customer does not expect to be inconvenienced by the disruptions that might occur as a result of the new business environment. Governments have become confused by jurisdictional conflicts in that what was once clearly local may now be national or international. The instant availability of information has encouraged experiments with price decontrol in businesses that were once heavily regulated. All of these changes leave government entities, customers, and companies confused as to what their roles are in the new business environment.

THE OIL AND NATURAL GAS INDUSTRIES

While all of the foregoing are important and each of the individual areas could be the subject of an in-depth study, this National Petroleum Council study effort is targeted at the security of infrastructure in the oil and natural gas sector. For the past decade, the social and economic foundations upon which understanding and system development in the oil and natural gas industries are predicated have been assaulted by an emerging technology: electronic information integration and exchange.

This technology is changing the way in which oil and natural gas companies do business. Primarily the change relates to instant availability of information, transparency of data, and the speed at which communications take place. Many of the changes that have taken place in the past were driven by major events or inventions, most of which took many years to permeate the business fabric of the nation and the world. Information technology and the communication revolution it creates have taken the world of business by storm in a very global way. National boundaries, which used to provide some stability for business activities, no longer are a limitation. Information, which used to be relatively easy to protect physically, is potentially vulnerable to any individual who has access to a computer and a way into the global information network.

These issues have rapidly become factors reshaping the business landscape, arriving at such a rapid pace that the business community’s traditional method of accepting change has been overwhelmed. The slower, traditional evolutionary pace that has provided security measures to deal with change in the past is today unable to effectively cope. Widespread, creative understanding and action are needed in the oil and natural gas business sector to provide for a secure infrastructure environment, allowing for stable and relatively consistent approaches to the conduct of business in the future.

The factors that are driving the oil and natural gas new business environment are technology, globalization, organization, and legal and regulatory issues.

Technology

Yesterday most technology was focused on the operational functions of finding, producing, transporting, refining/manufacturing, and selling oil and natural gas and their products. Today’s technology, as epitomized by rapid electronic data collection, electronic data transfer, and Internet communication, has been transformational. It has made the “impossible” possible, it impacts every aspect of the oil and natural gas business, and it has added a whole new set of players. Many companies have transformed their business focus from one of ownership of physical assets to one of intellectual and information value added. Ubiquitous networks and systems that seamlessly cross functional, organizational, and geographical boundaries enable this new model. Automation has driven down costs and reduced human intervention in many traditional processes. The drive for global systems in the procurement or supply chain management segment of the business has lowered the barriers for participation by suppliers, agents, distributors, and even consumers, and has brought together alliances of financial services, traders, oil and natural gas producers, and governments.

Consequently, we simply can’t turn back the clock. The people, skills, and physical structures of the old business environment no longer exist and cannot be reconstructed under today’s conditions. Today the exposure to cyber incidents is greater and the consequences are potentially more devastating than when physical infrastructure was the only concern. Interdependencies have been created that heighten the risk of intrusion and increase exposure. Essentially, anyone with a laptop, modem, and phone line or wireless electronic interface has the potential to cause billions of dollars worth of damage. Incident response is more complex and broader reaching than ever before, and the time to recover is longer.

Globalization

Yesterday we had regional and local markets. Communication was relatively slow, access to information was limited, and markets were slow to change. Today markets are global in nature as countries are being forced by pressure from worldwide competition to open their markets. With almost instantaneous access to information, markets are also more transparent and efficient, and, therefore, highly competitive.

As a consequence, companies continuously face cost-reduction pressure in the new marketplace. In order to participate in today’s marketplace, many oil and natural gas companies must move from a local to a global perspective, which often requires formation of globalized, strategic partnerships to have sufficient reach. All of these factors require full reliance on an electronic infrastructure.

Global competitiveness has resulted in ownership of former U.S. oil and natural gas infrastructures by non-U.S. companies and governments, creating additional vulnerabilities for the U.S. economy.

Organization

Yesterday the oil and natural gas industries were relatively stable, composed of large multinational companies and smaller niche players such as independents. The workforce was long-serving, loyal, highly experienced “old hands” who perceived that they had a “social” contract for employment, resulting in a family model. Today mega-mergers, alliances, and joint ventures have resulted in organizations that no longer resemble those of the past. These changes, encouraged by electronic information technology, have given rise to the virtual organization, resulted in significant manpower downsizing, proliferated the number of global organizations, resulted in the transformation of service companies, and blurred the lines between traditional oil, natural gas, and power companies. As a result, the work environment has become less stable, pressures build to do more with less, knowledge and experience have been “outsourced,” and the “social” employment contract has been broken.


Consequently, the workforce is less loyal to a specific organization than it was in the past, which, along with the loss of institutional knowledge, has created the potential for less experienced or disgruntled employees, either unintentionally or intentionally, to disrupt critical infrastructure. Interdependencies and electronic information flow create the potential for these disruptions to be significant, and have lessened the capability for dealing with crises in a timely fashion. Dependencies and interdependencies that did not previously exist have been created, adding complexity and additional exposures to infrastructure.

Legal and Regulatory Issues

Yesterday the law was able to focus on discrete elements of the oil and natural gas business, the players were well defined, and a century of experience had clearly set the rules. Today the law is far behind the changes wrought by the new business environment. Additionally, the advent of arrangements like the European Union (EU) and the North American Free Trade Agreement (NAFTA) has brought together regulatory and legal oversight on a broader, more complex basis. Environmental regulation is now a global issue. Participation by foreign governments in ownership of former U.S. corporations, such as PDVSA’s ownership of CITGO or Saudi Aramco’s participation in Motiva, raises such issues as sovereignty, taxing regimes, and contract law. New areas of legal and regulatory concern are created almost daily; for example, the author of the “ILoveYou” virus could not be prosecuted under Philippine law. Although this is not totally unprecedented, it is the speed at which these changes occur that is the ultimate concern.

As a consequence, the tendency of regulators and lawmakers may be to “slow up” the process. The result is likely to be the creation of laws and regulations that cause conflict at local, state, national, and international levels simply due to the newness and complexity of the situation. The lack of certainty and increased ambiguity may result in more exposure of electronic systems to exploitation by either unintentional or willful intrusion.

FINDINGS AND CONCLUSIONS

• Society has moved from a model of gradual change to one in which change takes place at a rate that was unimaginable in the past.

• Markets and the organizations serving these markets are increasingly becoming more global in nature and complex in structure, all made possible by the intense use of electronic communications and information technology.

• To remain competitive, industry participants are becoming more dependent on electronic systems. Therefore, the rapidity with which change occurs is expected to continue and is likely to increase in the future.

• Changes are occurring in the oil and natural gas industries because of the ever-increasing use of electronic communications and information technology, exacerbated by globalization.

• As a result of the move to more complex structures and lower levels of staffing, workforces have become less loyal to a specific organization and less steeped in institutional knowledge. This, combined with the high level of interconnection in the marketplace, provides the opportunity for major disruptions when an employee, either unintentionally or intentionally, interrupts the flow of electronic information.

• As the new business environment intensifies, the return to older, more traditional methods of conducting business becomes more difficult, if not impossible. Therefore, there is no “turning back.”


• The legal aspects of doing business in the new business environment are shifting from the premise that there were discrete elements of the oil and natural gas industries around which bodies of law were focused to a condition where there is a high degree of interconnection between business segments, companies, and nations. Because of the rapidity of this shift in structure, the law has been slow to adapt and is far behind today’s needs.


CHAPTER 2

Vulnerabilities, Consequences, & Threats

The oil and natural gas industries are continuously changing. These large, well-developed infrastructures were physically separate businesses, composed of the following:

• Physical Infrastructure. The oil and natural gas infrastructures relied on their physical components and individual isolated systems.

• Human Capital. The oil and natural gas infrastructures relied on a loyal, dedicated staff to operate, maintain, and restore service. Computers have been used by these infrastructures for a long time, but the heart of the physical operation of these infrastructures was manual.

• Stable Business Environment. The oil and natural gas infrastructures operated in a relatively stable business environment. The industry participants, regulations, and technology all remained fairly consistent.

Figure 2-1 portrays a historical integrated oil and natural gas model. These infrastructures obtain raw feedstocks throughout the world, move them through “manufacturing” to create products, and then move them to market. Figure 2-1 also notes that these industries rely on other infrastructures.

Figure 2-1. Flow of Raw Material into Commodities, and Then to Market. The Integrated Oil and Natural Gas Model shows the chain Exploration, Producing, Connectors, Manufacturing, Connectors, Retail, with elements such as facilities, offices, data, telecommunications, platforms, fields, pipelines, ships, ports, trucks, trains, trading, refineries, gas plants, co-generation, lube plants, storage, terminals, city gates, stations, outlets, and credit card systems. Supporting infrastructures and parties listed beneath the chain: Power, Water, Gas, Telecommunications, Banking, Security, Transaction systems, Transportation routes, Computer networks, Market, Partners, Shareholders, Suppliers, Customers, Consumers, Contractors, Employees, Governments.

As discussed in Chapter 1, the rapid proliferation and integration of information technology and telecommunications have rendered yesterday’s systems obsolete and created bold new business models. Today’s infrastructures are connected to one another, creating a complex network of interdependent systems. Coupled with advances in information technology and the transition to a new, cyber-based economic marketplace, these interconnected infrastructures now pose new security challenges for both the public and the private sectors that could threaten our national security.

Today’s view of these infrastructures relies on the following:

• Information Technology and Telecommunications. The oil and natural gas infrastructures now rely on e-commerce, commodity trading, business-to-business systems, electronic bulletin boards, computer networks, and other critical business systems to operate and connect their infrastructures.

• Globalization. The oil infrastructure in particular cannot be examined from a domestic viewpoint alone. The oil industry has become multinational, evidenced by foreign supply dependence and ownership of former U.S. oil and natural gas companies by foreign companies.

• Supervisory Control and Data Acquisition (SCADA) Systems. The oil and natural gas infrastructures rely on and are increasing their use of automation technology to operate pipeline systems, refineries, and other critical components.

• Interdependencies. The oil and natural gas infrastructures depend on other infrastructures such as electric power, information technology, telecommunications, banking and finance, transportation, and water to operate. Likewise, these other infrastructures depend on the oil and natural gas infrastructures.

Globalization, including foreign ownership of U.S. infrastructures, coupled with business dependence on information technology and telecommunications, and the dependence on foreign oil and natural gas supply, creates significant vulnerabilities for the U.S. oil and natural gas industries and the U.S. economy.

Figure 2-2 portrays the current model of the oil and natural gas industries’ infrastructure. This infrastructure still contains its physical attributes, but oil, natural gas, and electric power are becoming more integrated as businesses. The oil and natural gas sector is more tightly coupled with other infrastructures, resulting in interdependencies, is heavily impacted by globalization, and relies on information technology and SCADA systems.

VULNERABILITIES, CONSEQUENCES, AND THREATS

The oil and natural gas industries have a successful record of physical security. In the past, even when faced with extreme events such as natural disasters, these industries have been able to minimize outages. Due to downsizing, increased asset utilization, and globalization of markets, a whole new set of vulnerabilities, consequences, and threats has been introduced through information technology and telecommunications dependencies.

Figure 2-2. Profile of Current Oil and Natural Gas Industry. The historical oil and natural gas infrastructure (physical infrastructure only; stove-pipe systems; separate from other infrastructures) sits at the center, overlaid by Interdependencies, SCADA, Globalization, and Information Technology. It is linked through public networks, private networks, and transmission lines to telecommunications, information technology, banking and finance, and transportation, and it now carries wide area networks, electronic bulletin boards, commodity trading, business-to-business, and e-commerce.

In the past, most oil and natural gas vulnerabilities and threats could be negated by physical means. We used gates, guns, and guards (the fortress mentality) to protect our “critical assets,” and for the most part it worked. However, today the physical fortress can be rapidly bypassed by the “electronic key.” It is a significant shift, analogous to the change between the old and new ways of doing business. For example, yesterday you had a paper check register and you balanced your account against the bank statement mailed to you each month. Today you can keep your entire account electronically: no paper register, no mailed statement. Many potential threats could corrupt or even delete your account information. These “cyber threats” include hardware and software failures, human error, acts of disgruntled employees, outside hackers, and even something such as a merger with another bank and the struggle to consolidate systems. The consequence of these new threats is the problem of recovering the electronic register and supporting data. The best-of-class physical security cannot protect against these new cyber threats.

Cyber vulnerabilities have been around for several years. However, what has changed is significant business dependence on information technology and telecommunications as well as the increased awareness and ease of exploitation of these vulnerabilities. These vulnerabilities are widely known. Software vendors take products to market that can be flawed and often do not contain well-designed security interfaces. Detailed information on vulnerabilities and how to exploit them is distributed via hacker websites and chat rooms. The increases in denial of service attacks and computer viruses are examples of the consequences resulting from exploitation of these vulnerabilities. On the threat side, the advent of the Internet has provided a global platform for hackers, disgruntled workers, cyber terrorists, cyber activists, cyber militia, rogue nation states, and others to exploit cyber vulnerabilities.

For purposes of this study, vulnerabilities and consequences and their respective threats have been grouped into seven categories. They provide a framework to address the range of challenges that the sector faces today. The categories are as follows:

1. Information Technology and Telecommuni-cations. Computers, the Internet, and high-speed telecommunications are critical ingre-dients in today’s business place.

2. Globalization. The rise of the Internet andrecent advances in telecommunications hasboosted the surging train of a developingworldwide economy.

3. Business Restructuring. Changes brought onby globalization, competition, and technologyadvancements are reshaping the business envi-ronment.

4. Interdependencies. The oil and natural gasindustries depend on one another and on othercritical infrastructures such as electric power,information technology and telecommuni-cations, and transportation.

5. Political and Regulatory Issues. The politicaland regulatory environment has tremendousimpact on the oil and natural gas infra-structures.

6. Physical and Human Factors. The oil and natural gas infrastructures depend on extensive physical networks to operate properly, as illustrated in Figures 2-1 and 2-2. Daily activities, including human error, have the potential to cause loss. Some examples of physical and human factors are oil, chemical, or biohazard spills; contamination; transportation (plane, train, truck, and ship) crashes; labor unrest; political, social, international and domestic terrorism; organized crime; and hostile governments.

7. Natural Disasters. Occurrences in nature also have the potential to cause loss. Examples include storms (ice, rain), hurricanes, tornadoes, blizzards, floods, earthquakes, volcanic eruptions, and meteors.

These seven categories were rank-ordered and are presented in order of concern to the oil and natural gas sector. Information technology and telecommunications was identified as the highest overall concern to the sector, while natural disasters were ranked as the lowest. These rankings were based on the perception of how well the industry is currently set up to deal with the vulnerabilities, consequences, and threats of each category. While natural disasters are a major concern to the industry, the industry has well-established practices to handle these events, so they were given a lower ranking.

Although each category has its own unique vulnerabilities and threats, some common themes regarding consequences exist. These themes portray the severity that these categories may have on the oil and natural gas infrastructure if not properly addressed. Each category has the ability in some form to:

• Reduce the robustness of the oil and natural gas infrastructures

• Disrupt oil or natural gas service at a local, regional, or national level

• Disrupt national security and the U.S. economy.

INFORMATION TECHNOLOGY AND TELECOMMUNICATIONS

If there is one vulnerability where a catastrophic event or failure can occur that could cripple any of the critical infrastructures, information technology and telecommunications is that area. In less than one generation, the information revolution and the introduction of the computer have changed how business and economies operate. Like other infrastructures, the oil and natural gas industries are becoming totally dependent on the availability of advanced telecommunication and information systems to connect customers, suppliers, and vendors with goods and services, including Internet-based links and transactions. Today’s new business environment is shaped by the increasing role of technology and the resultant speed it generates in society as a whole. We are rapidly changing from an asset-based to a knowledge-based economy. It is an economy empowered by electronic technology, where anyone is only seconds away. The new business environment differs greatly from that of a few years ago and promises to be very different in the future, driven by continuous and rapid advances in information technology and telecommunications. The electronic revolution is providing the technologies and tools to complete the reshaping of the new global economy. E-commerce is a vast economic revolution that helps maintain market efficiency. In 1999, 2% of natural gas and 0.2% of electricity trades were conducted online. The use of this method of trading is conservatively projected to increase to 25% and 11%, respectively, in the next 2 to 3 years (Natural Gas Intelligence, April 17, 2000). For example, EnronOnline performed transactions valued at $336 billion of gross value in 2000, its first full year of operation.

While the new business environment offers new opportunities to the oil and natural gas infrastructures, it also presents serious challenges with regard to critical infrastructure protection. Increased adoption of cyber systems, SCADA, enterprise resource planning (ERP) systems, Automated Meter Reading, Internet-based transactions, just-in-time logistics, and e-commerce assists these infrastructures in operating more efficiently. However, oil and natural gas infrastructures have become dependent on these technologies before adequate processes have been developed to protect these systems, and thus, the infrastructures.

Vulnerabilities/Consequences

Information technology systems, while increasing efficiency and safety, also present new challenges. Keeping these systems running continuously despite potential outages due to hardware failures or software difficulties is, by itself, a significant challenge; however, new challenges are arising from internal, external, and system-induced threats, making IT systems vulnerable to attacks.

Vulnerabilities in information technology are increasing. The following are examples:

• We Can’t Go Back. The ability to go back to old manual methods is lost as we become reliant on these new systems. The new systems are automating work, and the current workforce has no realistic manual backup process. As workers skilled in manual methods exit the workforce due to downsizing, retirement, frequent job-hopping, etc., their knowledge is permanently lost.

• Leap to New Technologies. Due to competitive pressures, companies increase exposure by leaping into new technologies such as e-commerce and other electronic business tools without having appropriate security mechanisms designed and in place.

• Shared or Joint Use Systems. Many companies are creating shared or joint use systems for e-commerce. Failure of one of these systems not only has a negative impact on a member of the shared service, but also can cascade throughout the infrastructure, creating a significant vulnerability.

• Foreign Access. Mergers are creating ownership by non-U.S. companies. These actions are providing opportunities for foreign or nationally owned companies to access and adversely impact our infrastructures, creating additional electronic vulnerabilities.

• Detachment from Consequences. Systems are vulnerable because it is no longer necessary to be on the premises to attempt an attack. With today’s advanced IT systems, people have the ability to attack from home, a business that sells computer equipment at the mall, or anywhere. Sometimes it is difficult if not impossible to determine where the attack originated. Rogue nations, terrorists, or other enemies are developing cyber warfare capabilities to attack infrastructures.

• Security Features and Interfaces. Because of competitive pressures, vendors rush products to market without effective security features and interfaces. The incomplete security features and interfaces create easily exploited vulnerabilities. Small, intermediate, or third-world companies who cannot afford information technology security staff are extremely vulnerable. This vulnerability can be transferred between companies when they become contractors of, or venture partners with, a more mature company through interconnected systems.

• Defective Software Security Features. Existing products continue to be sold and installed while containing defects. Thus, new security patches arrive on a frequent basis, placing a burden on companies to keep IT systems and software up to date. Systems are vulnerable to attack until these known defects are patched.

• Computer Virus Attack. The competitive nature of business requires involvement in electronic commerce. Consequently, exposure to computer viruses is an inherent risk. Computer virus prevention programs are reactive; new protections only arrive after the viruses have infected IT environments.

• Electronic Eavesdropping. With today’s widespread use of electronic devices, such as cell phones, Personal Digital Assistants (PDAs), and other wireless devices, communications can be easily intercepted and possibly altered.

• Telecommunications Dependence. Global telecommunications networks interconnect new economy systems. Failure in the telecommunications infrastructure will have a significant impact on the oil and natural gas industries’ electronic infrastructure.

• Potential Vulnerability. Systems are primarily designed to rapidly manage and transmit data, not to protect it. Consequently, they are inherently vulnerable to manipulation by inside and outside actors.

• Activism. There are interest groups with differing agendas that can negatively impact business systems. The Internet provides them with a mechanism to bind together.

The price volatility and narrow profit margins that result from increased global competition have reduced the industry’s time horizons for reacting to business and operation decisions from months to hours or even minutes. For example, a company decides to transfer fuel from storage to meet an unexpected demand from electric power generators. This action must be balanced with the overall system pressure, which requires many physical operating control changes throughout a system. Companies with remotely operated systems can adjust the necessary controls and rebalance the system in seconds, whereas companies that rely on manually operated controls cannot react to the changing supply needs of electric generators or major end-users. Today a typical refinery is almost fully automated; traders and automated controls run the refinery. Additionally, many facilities have installed “dual-use” power plants to take advantage of the price difference between oil and natural gas. Originally this was a manual switching process that took hours. Now it is an electronic process that takes minutes.

Today’s global communications networks, which are crucial to operating businesses, rely on the Internet, intranets, and extranets tied to laptops, desktops, servers, firewalls, and routers. They depend on an open telecommunications architecture of satellites, fiber cables, microwave, phones, pagers, and cellular equipment. Consequently, a disruption to any of this equipment can threaten the reliability of the infrastructures.

Threats

Threats are real and growing and can cause system failures and system degradation. Threats can significantly affect the business or infrastructure, causing business failure or failure to deliver services. Further, inappropriate business decisions can occur if data have been changed or are not available:

• The FBI reports that cyber criminals allegedly penetrated almost all of the Fortune 500 corporations, costing the American economy approximately $10 billion a year.

• eBay lost $4 million in revenue during a 22-hour period when its systems crashed due to a software problem. The lost revenue cascaded into a loss of investor confidence of approximately $5 billion in eBay market capitalization.[1]

• The global use of malicious code, such as computer viruses, to disrupt business operations is increasing. The code is introduced into company computer networks by inside and outside actors.

• The level of hacker sophistication has evolved from the technically curious to malicious intent. Examples include identity theft, altering electronic fund transfers, modifying data used for investment/pricing decisions, and altering company web sites.

• Advances in information technology have permitted hacker tools to become easily available. The new tools are more sophisticated and easier to use, putting them in the hands of a growing number of less computer-literate individuals. For example, in 1999, a hacker took control of a Russian gas system by penetrating the company’s SCADA system.

• Attacks through cyber systems can emanate from anywhere. Government sources report an increasing number of groups developing cyber attack capability.

• A computer system failure can be closely linked with a business failure, with potential cascading downstream effects.
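The two cascade effects described above, a shared system’s failure propagating to every company that depends on it and a single system failure with downstream effects, together with the “cascading” and “escalating” interdependencies this chapter defines in its Interdependencies section, can be made concrete with a small dependency-graph model. The following is an added example written for this edit, not code or data from the NPC study: the component names, dependency edges, repair times and the four-hour travel delay are constructed assumptions chosen to illustrate the mechanism.

```python
"""Toy model of cascading and escalating infrastructure failures.

Added example for this chapter; not code from the NPC report. Component
names, dependency edges and repair times are constructed for illustration.
"""
from collections import deque

# Dependency graph: component -> components it needs in order to operate.
# Constructed sample. Two companies share one trading platform (the "shared
# or joint use system" case); repair dispatch needs roads and telecom.
DEPENDS_ON = {
    "electric_power": set(),
    "road_transport": set(),
    "telecom": {"electric_power"},
    "scada": {"electric_power", "telecom"},
    "pumping_station": {"electric_power", "scada"},
    "refinery_controls": {"scada"},
    "repair_dispatch": {"road_transport", "telecom"},
    "shared_trading_platform": {"electric_power", "telecom"},
    "company_a_scheduling": {"shared_trading_platform"},
    "company_b_scheduling": {"shared_trading_platform"},
}

# Hours to repair a component once everything it depends on is back (constructed).
OWN_REPAIR_HOURS = {name: 2 for name in DEPENDS_ON}
OWN_REPAIR_HOURS["electric_power"] = 6
OWN_REPAIR_HOURS["road_transport"] = 12

# Extra hours a field crew needs to reach a site while roads are out (constructed).
TRAVEL_DELAY_HOURS = 4


def dependents_of(graph):
    """Invert the graph: component -> components that directly depend on it."""
    inverted = {name: set() for name in graph}
    for node, needs in graph.items():
        for dep in needs:
            inverted[dep].add(node)
    return inverted


def cascade(graph, initial_failures):
    """Cascading: return every component taken down, directly or indirectly,
    by the initial failures. A component is down if any dependency is down."""
    inverted = dependents_of(graph)
    down = set(initial_failures)
    queue = deque(initial_failures)
    while queue:
        node = queue.popleft()
        for dependent in inverted[node]:
            if dependent not in down:
                down.add(dependent)
                queue.append(dependent)
    return down


def restoration_schedule(graph, repair_hours, initial_failures):
    """Return {component: hour restored} for everything in the cascade.

    Cascading: a component's repair can only finish after its failed
    dependencies are back. Escalating: while road transport is down, repair
    of any other component that starts before roads return takes
    TRAVEL_DELAY_HOURS longer, because the crew cannot reach the site."""
    down = cascade(graph, initial_failures)
    restored = {}

    def restore_time(node, stack=()):
        if node in restored:
            return restored[node]
        if node in stack:
            raise ValueError(f"dependency cycle through {node}")
        deeper = stack + (node,)
        start = max((restore_time(d, deeper) for d in graph[node] if d in down), default=0)
        duration = repair_hours[node]
        if node != "road_transport" and "road_transport" in down:
            if start < restore_time("road_transport", deeper):
                duration += TRAVEL_DELAY_HOURS
        restored[node] = start + duration
        return restored[node]

    for node in down:
        restore_time(node)
    return restored


def full_restoration_hours(schedule):
    """Hours until the last affected component is back."""
    return max(schedule.values(), default=0)


if __name__ == "__main__":
    scenarios = ({"shared_trading_platform"}, {"electric_power"},
                 {"telecom"}, {"telecom", "road_transport"})
    for scenario in scenarios:
        sched = restoration_schedule(DEPENDS_ON, OWN_REPAIR_HOURS, scenario)
        print(f"initial failure {sorted(scenario)}: {len(sched)} components down, "
              f"all restored after {full_restoration_hours(sched)} h; "
              f"pumping_station back at {sched.get('pumping_station', 0)} h")
```

Running the four scenarios shows the two effects separately: a telecom outage alone takes the pumping station down for 6 hours through SCADA, while the same outage combined with a road transport outage stretches that to 14 hours even though roads are not a dependency of the pumping station at all. The model deliberately refuses cyclic graphs (telecom needs power, grid control needs telecom); real interdependency analysis has to add explicit rules for which side of such a cycle is restored first.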


[1] www.forbes.com/forbes/99/1213/6414322a.htm


One of the most common forms and avenues of attack is social engineering to obtain vital system access information that enables malicious computer code to be placed in a company’s computing environment or a misconfigured system to be exploited. Further attacks are committed by exploiting remote access features and software bugs that have not been patched, and by using sophisticated programming tools to analyze the system for vulnerabilities. These attacks are delivered by exploiting system back doors, trusted links, Internet frontal attacks, and trusted insiders. These threats are further heightened by outsourcing and other “work displacement” arrangements that cause internal capabilities to atrophy. All of these threats circumvent the “physical fortress” a company has built.

GLOBALIZATION

The increasing use of the Internet and recent advances in telecommunications have led to new knowledge-based global economies, resulting in a fundamental shift in the business model. No single economy, including the United States, can be viewed in isolation. The global economy is rapidly bringing economic opportunity throughout the world.

The oil and natural gas industries, along with their suppliers, customers, vendors, and related financial communities, are all moving at an accelerated pace towards globalization. This is occurring through foreign ownership, consolidations of multinational corporations, joint ventures, strategic alliances, and partnerships with foreign governments. Even small natural gas distribution companies that a few years ago operated in only one state in the United States are undertaking business ventures across the globe. This has resulted in almost all U.S. energy companies, common suppliers, and contractors operating internationally. Conversely, foreign energy companies are also reaching beyond their borders to make financial investments in other countries, including the United States.

Globalization impacts the mix of owners, operators, suppliers, vendors, and customers of the oil and natural gas industries. It blurs the lines of demarcation, making it difficult for companies to understand the changing market mix. The oil and natural gas industries used to understand their competitors, their customers, their suppliers, and their markets, and had some influence over each. Globalization changed all of that. Competitors exit and enter markets much more quickly, with no concern as to the impact on infrastructures.

Vulnerabilities/Consequences

Globalization is now an important factor in the growth of national economies. This newly formed model brings challenges that impact the oil and natural gas industries along with the infrastructures they support. Consequently, globalization adds complexity to companies dealing with differences in culture, work ethic, business protection, legal and regulatory issues, and political systems. Some examples are as follows:

• Global Business Dependencies and Consolidations. The oil and natural gas industries cannot be examined from a domestic viewpoint alone. The industry has become multinational, evidenced by foreign supply dependence and ownership of U.S. industries by foreign companies. For example, the financial crisis in Asia impacted U.S. oil prices and supply, OPEC decisions affect supply and commodity prices worldwide, and joint ventures and strategic alliances open the way for foreign interests to gain access to domestic information systems. These dependencies make the U.S. economy vulnerable to global influences that individual companies and governments cannot control.

The U.S. economic vulnerabilities are impacted by industry consolidations involving foreign ownership of former U.S. companies. In some instances, foreign government-owned oil companies have acquired all or part of U.S. companies. This creates the possibility that political considerations can affect domestic production and supply. Even an independent foreign-owned oil company can be influenced by a change in its government’s relationship with the United States.

• Business Inconsistencies. Lack of consistent business and financial rules, legal frameworks, and international recourse creates significant vulnerabilities in doing business globally. Thus, a company’s limited control and legal recourse affect its ability to protect investments and manage risk, threatening supply and business continuity.

Businesses are heavily dependent on information technology and telecommunications. However, many countries do not have sufficiently robust infrastructures to support efficient use of these technologies. This leads to inconsistencies in how technology is implemented, and can lead to loss of proprietary information and intellectual property, resulting in the loss of U.S. business competitive advantage and negatively impacting the U.S. economy.

The current lack of international standards makes it difficult to implement critical infrastructure protection worldwide. The ability and willingness of governments to protect and enforce physical and cyber security also varies greatly.

• Infrastructure Interdependencies. Interdependencies are increasing in part from globalization. For example, a barrel of oil may be traded electronically hundreds of times before a U.S. company takes physical possession of it. For this to occur, the information technology, telecommunications, energy services, banking and finance, and transportation infrastructures must operate effectively. All are much more critical because of increased business dependency on them to support globalization.

• Emerging Privacy Concerns. In order to do business in the global marketplace, it is essential that oil and natural gas companies have policies, procedures, and processes in place that demonstrate compliance with existing and evolving privacy legislation such as the European Commission Directive on Data Privacy.

• Cultural Differences. Many governments and economies are in varying stages of transition, which can cause instability. Different work ethics can affect productivity. It is difficult to vet workers, partners, and contractors in other countries. Not understanding and mishandling these cultural considerations can have devastating effects on a company’s bottom line. Examples include the lost foreign investment in Venezuela when the country nationalized the oil and natural gas industry, and gross inefficiencies in company operations in Nigeria as a result of social unrest caused by government change and instability.

Threats

The following are examples of threats that could exploit the vulnerabilities enumerated above.

• Loss of foreign supply of oil and natural gas caused by:

– Political or military actions of other countries

– Terrorists’ or insurgents’ use of oil properties to promote their views and disrupt operations and supplies

– Civil strife

– Embargoes

– Transportation problems.

• Foreign nationalization of a company’s assets.

• Disruption or corruption of business information technology and telecommunications systems.

• Organized crime with undue influence or control over contractors, venture partners, or infrastructure components.


• Joint venture or strategic alliance partners whose companies could not be vetted can use the business relationship for undue financial advantage.

• In countries where there is a lack of legal structure, businesses are more at risk.

BUSINESS RESTRUCTURING

Today markets are global in nature as countries are forced, by pressure from worldwide competition and access to cheap labor, to open their markets. With almost instantaneous access to information, markets are global, transparent, and, therefore, highly competitive. As a consequence, continuous cost reduction pressure is one of the new “antes” companies must make to play in the new business environment.

Prior to the last couple of decades, the oil and natural gas sector was relatively stable, composed of large integrated multinational and independent companies. The workforce was long-serving, loyal, highly experienced “old hands” who perceived that they had a “social” contract for employment, resulting in a family model. Today mega-mergers, alliances, and joint ventures have resulted in organizations that no longer resemble those of the past. This restructuring has been facilitated by electronic information technology and the increased speed of transactions. This has given rise to the virtual organization, resulted in significant manpower downsizing, proliferated the number of global organizations, resulted in the transformation of service companies, and blurred the lines between traditional oil, gas, and power companies. Therefore the work environment has become less stable, pressures have built to do more with less, knowledge and experience have been “outsourced,” and the “social” employment contract has been broken.

Companies are continually focused on cost reduction. This has led to business re-engineering, outsourcing, and downsizing, and an increasingly diverse, multinational workforce consisting of employees, contractors, consultants, vendors, and suppliers. This results in reliance on contracts and service level agreements to have work performed.

Vulnerabilities/Consequences

Restructuring has produced new business models for the oil and natural gas industries that have created significant vulnerabilities.

Changing Employee Social Contract

One of the major ways that companies reduce cost is by reducing the number of employees through layoffs, early retirements, and outsourcing of functions. This has resulted in a break in the “social” contract, which has reduced employee corporate commitment and increased the possibility of employees exploiting vulnerabilities for their own gain. Consequently, numerous companies have suffered attacks and/or have lost intellectual property due to former employees angered at the company. The workload on remaining employees has increased, leading to further employee dissatisfaction (“do more with less”).

This same action has caused employees not to expect to spend a career with one company. For the same reason, newer employees do not expect to stay with one company but to move within the industry or to other industries.

These corporate actions have caused employees to focus more on their own welfare rather than on the welfare of the corporation, creating real vulnerabilities. Numerous instances have surfaced where employees have taken intellectual property with them as they migrated to other companies. Additionally, disgruntled employees have sabotaged company operations. The trend of continued cost cutting and outsourcing will continue to drive employees to think of their welfare before the welfare of the company.


Outsourcing

Cost reduction and a focus on core competencies have driven corporations to outsource many functions, some of which are critical to the operation of the company. There are many vulnerabilities due to outsourcing of these critical functions, which include:

• Employees separated due to outsourcing are often hired by contractor companies to do the same job for the same company, resulting in conflicting loyalties. Employees of outsourced functions do not have the same level of corporate commitment as a full-time employee would possess.

• Outsourcing companies may have less secure procedures and policies. This exposes the client to additional vulnerabilities. They may not vet employees to the same standard that a company does, or on a recurring basis.

• Outsourced employees are rotated between different companies served by the contractor firm. It is difficult to stay current with background checks, photo IDs, keycards, passwords, and other security procedures. It is also difficult to keep training current. By the time a contractor learns a role, that contract employee is rotated to a new assignment. This can also lead to proprietary information being taken by a contract employee to a competitor.

• Critical functions, including information technology and telecommunications, have been outsourced, which potentially creates major vulnerabilities. Contract employees of outsourcing companies have inside knowledge of system architecture, the security features of networks, systems, and desktops, and their vulnerabilities. This sensitive information can be used against a company whether the contract employee is employed by the contractor or a subcontractor. With all company operations supported by an outsourced information technology vendor, the failure of that vendor could result in catastrophic consequences with limited means for restitution.

Joint Ventures and Strategic Alliances

Joint ventures and strategic alliances bring with them significant potential vulnerabilities:

• Intellectual property that is not part of the venture or alliance is difficult to protect as companies share information through shared systems.

• Individuals of different companies participating in a venture or alliance form close relationships. These do not always end when the venture or alliance ends, placing intellectual property at risk through personal contact.

Just-In-Time Logistics

Technology changes have allowed near-real-time information transfer and transactions, permitting companies to significantly reduce their bench stock. This concept has promoted alliances with vendors to furnish stock as required on a near-real-time basis. A vendor’s inability to perform in a timely manner to meet a company’s needs can have severe consequences. Companies rely on both their vendors and their supporting transportation infrastructure to provide timely equipment and services. By providing vendor access to their information systems, companies become dependent on the vendor for efficient business operations.

Changing Business Model

Historically, the oil and natural gas industries have had clearly delineated boundaries, but rapid shifts have made it difficult to categorize these industries. Oil and natural gas companies are merging with other oil and natural gas companies, with electric power companies, and with other industries (e.g., telecommunications). Some companies are even selling energy assets and getting out of the energy business altogether. Today’s oil and natural gas companies may own assets in electric power, water, information technology, telecommunications, and banking and finance. The integration of all energy infrastructure components is making it more difficult to address critical infrastructure protection on an industry-by-industry basis. Some recent events illustrate these points:

• A major energy provider is selling off its energy assets to obtain higher profits in the telecommunications industry.

• Oil and natural gas companies are investing millions in e-commerce activities, which compete with physical capital investments.

• It is easier to enter the energy market. Companies that once were not involved in the industry now eagerly enter into the business. Even Amway, a marketing company, sells energy services.

• Foreign ownership of U.S. energy systems is increasing.

Threats

The primary threat from business restructuring is the workforce, whether employee, contractor, consultant, vendor, or supplier. Their potential lack of loyalty to a company, along with their inside knowledge, gives them the capability and opportunity to exploit the vulnerabilities described above.

INTERDEPENDENCIES

The global Y2K threat pointed out how interdependent companies have become. Interdependencies are dependencies on other infrastructures. Figures 2-3 and 2-4 illustrate some of these dependencies. For example, both infrastructures require information technology and SCADA systems to automate operations. The integration of information technology and telecommunications into business is creating a critical interdependence between infrastructures, i.e., banking and finance, power, water, oil and natural gas, transportation, information technology, and telecommunications. Over time, these infrastructures have become critically interlinked. This reliance will continue to grow because of globalization and business restructuring.

[Figure 2-3. Examples of Oil Interdependencies. Diagram showing the oil infrastructure’s dependencies on electric power (pumping stations, control systems, UPS), telecom (SCADA operation and communication), rail and road (component shipping, fuel transport, transport of repair crews to sites and to the operations center), natural gas (fuel transfer), water (well injection for crude production, cooling and reagent during refining, emission reduction), information technology (business systems, e-commerce), and banking and finance (commodity trading).]

Vulnerabilities/Consequences

As indicated above, the interdependence of all infrastructures in today’s new business environment creates critical vulnerabilities. For example, most new natural gas appliances use electronic ignition and will not operate without electricity.

Electric Power

Today, the majority of businesses are dependent on information technology and telecommunications infrastructures. Therefore, if the power infrastructure is unable to deliver, these critical infrastructures fail and global business falters. The electric power infrastructure increasingly relies on natural gas for electric power generation. New generation capacity from natural gas is projected to be over 90% (EIA).

Transportation

Given business dependence on just-in-time logistics, a failure in the transportation infrastructure can significantly disrupt business.

• Pipelines move large quantities of raw feedstock and finished products throughout the oil and natural gas infrastructure. It can take days to move petroleum and natural gas from production/processing locations to end-use markets. Delays or problems in pipeline operations can lead to shortages and price spikes.

• Besides pipelines, petroleum products rely on barges, rail, and trucks to move products to end-use markets. Delays or problems can have similar impacts as pipeline disruptions.


[Figure 2-4. Examples of Natural Gas Interdependencies: diagram; labels include Information Technology, Transport to Operations Center, Repair Crew to Sites, UPS, Compressor Stations, Fuel for Generators, Fuel Resupply, Fuel for Maintenance, SCADA Operation and Repair Crew, Communication, Control Systems, Storage and Peaking, Component Shipping, Electric, Rail, Oil, Road, Telecom, Natural Gas, Water, Emission Reduction, Injection for NG Production, Cooling, E-commerce, Business Systems, Banking & Finance, and Commodity Trading]

• Transportation is needed to dispatch repair crews.

• Because of dependence on foreign oil and product supply, a breakdown in the transportation infrastructure negatively affects the U.S. economy and infrastructures.

Common Utility Corridor

A common utility corridor that contains overhead electric power transmission lines, buried gas pipelines, and telecommunications cables dramatizes interdependencies. Co-locating infrastructures makes them more susceptible to a single incident such as explosion, fire, flood, and seismic events, as well as sabotage.

National Defense

The Department of Defense, other executive agencies, and defense contractors are dependent on the oil and natural gas sector providing appropriate products to meet national defense requirements.

Threats

Interdependency threats are a new and evolving component of critical infrastructure protection and one of the most difficult to understand. These interdependencies in the new business environment can be described as follows:

• Cascading. A failure in one infrastructure leads to a failure in another infrastructure. (For example, an electric power failure can shut down an oil pumping station.)

• Escalating. The duration of an outage in one infrastructure is increased by an outage in another infrastructure. (For example, a problem in the transportation infrastructure could increase the time an oil or natural gas crew needs to respond to an outage, increasing the restoration time.)

• Common Mode. An incident has the potential to impact multiple infrastructures. (For example, natural gas, electric, oil, and telecommunications components all may exist in a shared right-of-way.)

• Marketplace. E-commerce links multiple infrastructures through the dynamic marketplace it creates. (For example, denial of service attacks can impact multiple infrastructures.)

• Compounding. The compounding of infrastructure failures by unforeseen events like natural disasters. (For example, a critical pipeline rupture coupled with a seismic event and unseasonably warm weather leads to failure of the electric generation system.)

POLITICAL AND REGULATORY ISSUES

Political and regulatory uncertainty makes it difficult for U.S. oil and natural gas industries to make long-term strategic decisions. Investments in infrastructure, i.e., pipelines, refineries, and wells, are all based on an individual company’s investment strategy. Regulatory changes can make it difficult to fully estimate the return on these investments and assess potential liabilities, causing some companies not to make critical investments to improve their infrastructures. Thus there is a conflict between the national desire to have a robust, resilient infrastructure that can withstand attack or be rapidly reconstituted, and individual companies’ investment strategies. This significantly impacts critical infrastructure protection.

Often the government reacts to social and political pressure based on single incidents, which can lead to legislative and regulatory changes that have a significant impact on the oil and natural gas industries. To facilitate critical infrastructure protection at the national level, industry and government must find solutions that are acceptable to all stakeholders.


Vulnerabilities/Consequences

Implementation of regulations and policies can have unintended negative consequences on infrastructure protection.

The following are examples of regulatory and political issues that have hindered the oil and natural gas infrastructures:

• The Olympic Pipeline is an example of the impact of regulatory and political forces. Olympic Pipeline Company operates a 400-mile pipeline system in the states of Washington and Oregon and delivers approximately 300,000 barrels per day of refined petroleum products from four refineries.

On June 10, 1999, a segment of 16" pipeline in the city of Bellingham, Washington ruptured, spilling an estimated 3,600 to 6,600 barrels of gasoline and resulting in 3 deaths. It took 18 months before the Department of Transportation allowed operations to continue. This tragedy has led to an outcry in the state of Washington and in Washington, DC for stricter federal pipeline regulations. In 2000, several pipeline safety bills were introduced in the U.S. Senate and House of Representatives. The bills called for periodic integrity testing of pipelines, higher penalties for safety violations, increased training for pipeline operators, and greater participation by states and communities in pipeline oversight. The Senate Bill, with minor amendments, was passed in February 2001 (the Pipeline Safety Improvement Act of 2001).

• The creation of the northeast heating oil reserve was a reaction by government to the higher prices of heating oil supplies in the northeast that occurred during the winter of 1999-2000. The reserve was created during the latter part of 2000 when heating oil prices were high because of low commercial inventories and cold weather. The filling of the reserve during this period further contributed to the tight heating oil situation.

• Transmission pipeline companies in the oil and natural gas sector face considerable opposition to new pipeline construction. The expressed concerns relate to safety, environmental, congestion, land use, and loss of property value. Critics point to the relatively few pipeline accidents that have occurred as reason enough to not allow or severely restrict new pipelines.

– Many strong “not in my backyard” groups have been formed to fight new pipelines. The National Pipeline Reform coalition formed in 1998 has supported several of these opposition groups.

– The difficulties encountered in building new pipelines limit competition and result in many existing pipelines operating at or near capacity. Any disruption in operations can affect regional supplies and result in price spikes.

• The Clean Air Act Amendments of 1990 mandated that risk management plans (RMP) be written for various industrial facilities, including oil refineries and natural gas processing facilities. These plans require certain facilities to prepare “worst case scenarios” that include very sensitive offsite consequence analysis (OCA) information. Because Congress failed to provide any specific mandate on the dissemination of RMP information in the Clean Air Act, and because there was no generally applicable law that would prevent the Environmental Protection Agency (EPA) from doing so, the EPA was considering posting the RMP information on the Internet, making it publicly available. Widespread opposition to the EPA’s plan was raised by law enforcement and intelligence agencies concerned that making such information so widely available raised the dual threat of the information being used for terrorist acts and economic espionage. In the face of this opposition, the EPA reconsidered and decided not to place the most sensitive portions (the OCA information) on the Internet.


Threat

The past has shown that legislative and regulatory solutions have had unintended negative consequences. Because information technology is a new and major part of oil and natural gas industry operations, new laws, regulations, and policies could have greater unintended negative consequences than in the traditional settings. Government and industry must work together to understand the effects of such legislation and regulation to prevent similar negative effects.

PHYSICAL AND HUMAN FACTORS

The oil and natural gas infrastructures are very capital intensive with significant physical assets. For example, a single drilling platform may cost $50 million or more, whereas deep-water platforms cost 10 times that amount. Tankers can cost millions of dollars, with LNG tankers being the most expensive vessels outside of military vessels. Transmission pipelines can cost up to $1 million per mile to construct, and that does not include the compressor or pumping stations, which can exceed $40 million and are required at approximately 50-mile intervals. Petroleum refineries, gas processing centers, tank farms, gas storage fields, odorant facilities, and distribution systems are also costly investments. Some of these facilities, such as petroleum refineries, are not even being built anymore because of environmental constraints, capital requirements, and poor economic returns.

The U.S. oil and natural gas infrastructures are vast and numerous. Table 2-1 identifies some of the major U.S. infrastructure components. They are comprised of extensive and sophisticated equipment that in turn comprises the backbone of these infrastructures. Thousands of independent operators are the driving force that connects these infrastructures together.

Vulnerabilities/Consequences

The physical vulnerabilities of these infrastructures vary between components. For example, the production side is more diverse with hundreds of thousands of wells that produce oil and natural gas. As a result, the loss of a specific well would be considered a low vulnerability. Table 2-2 defines low, medium, and high vulnerability rankings adapted from the Critical Infrastructure Assurance Office definitions.

Table 2-1. Physical U.S. Oil and Natural Gas Infrastructure Components

Fuel Cycle     Oil Infrastructure Components              Natural Gas Infrastructure Components
Production     602,200 wells                              276,200 wells
Gathering      74,000 miles of crude pipeline             45,000 miles of gathering pipeline
               30,000 miles of gathering pipeline
               74,000 miles of product pipeline
Processing     161 petroleum refineries                   726 gas processing plants
Transmission   74,000 miles of crude pipelines            254,000 miles of transmission pipeline
               74,000 miles of product pipelines
Storage        2,000 petroleum terminals                  410 underground storage fields
                                                          54 complete LNG facilities
Distribution   616.5 billion ton miles of pipelines       981,000 miles of pipeline
               295.6 billion ton miles water carriers
               27.7 billion ton miles motor carriers
               16.7 billion ton miles railroads

Figures 2-5 and 2-6 are vulnerability rankings for the oil and natural gas infrastructures. There are several components that are ranked high. This means that a potential component loss could cause a major disruption of service.

These high-ranking components include oil and natural gas transmission pipelines, oil pumping stations and natural gas compressor stations (used to flow commodity through pipelines), storage, and distribution. Disruptions of these components could result in infrastructure outages.

Table 2-2. Vulnerability Rankings

Low – Key assets that if damaged could cause disruptions with local impacts of short duration.

Medium – Key assets that if damaged could cause disruptions that would have regional impacts. These disruptions would last long enough to cause end users hardship, economic loss, and possible loss of human life.

High – Key assets that if damaged could cause major disruptions that would have regional and possibly national or international impacts, and of sufficient duration to cause death and end users major hardship and economic loss.

[Figure 2-5. Physical Vulnerabilities of the Oil Infrastructure: diagram whose nodes include Domestic Crude Oil, Crude Oil Imports, Crude Oil Exports, Strategic Petroleum Reserve, Pumping Stations, Meter/Valve, Refinery, Unfinished Oils and Blending Components Imports, Natural Gas Liquids, Refined Products Import/Export, Refined Products Supplied (Motor Gasoline, Distillate Fuel Oil, Jet Fuel, Residual Fuel Oil, Liquefied Petroleum Gases, Other), and Pipeline, Barge, Rail, and Truck transport; each node carries a Low, Medium, or High vulnerability rating in the original figure]

• Damage to Underground Pipelines. Underground pipelines are vulnerable to accidental damage. Construction equipment is the most common cause even though pipelines are easy to identify from their open right-of-ways and pipeline markers. Additionally, these open right-of-ways and pipeline markers make targeting these critical assets relatively easy to entities with hostile intentions.

• Increased Utilization. Information technology has allowed physical assets to be utilized at significantly higher levels. As physical asset utilization increases, the loss of a single asset has a greater impact on an outage. The stress of higher utilization can lead to infrastructure failure.

• Transportation Failure. The blockage of a shipping channel in 2000 led to a withdrawal of oil from the Strategic Petroleum Reserve because two major refineries were going to use up their on-site inventories before the shipping channel was back in service.

• Delayed Restoration. Due to just-in-time logistics, some companies are reducing their inventory of spare parts, which could increase outage duration times.

• Automated Remote Facilities. The industry has become dependent on remote automated production or transportation facilities. Reaction time to reach and repair these remote facilities could be extensive.

[Figure 2-6. Physical Vulnerabilities of the Natural Gas Infrastructure: diagram whose nodes include Domestic Production, Canada, Processed, Receipt Points, Natural Gas Pipelines, Compressor Station, Meters/Valves, Natural Gas Storage Facilities, Interconnection Points, City Gate, Delivery Points, and Residential, Commercial, Industrial, and Electric Utility end users; each node carries a Low, Medium, or High vulnerability rating in the original figure]

Threats

The range of threats covers a wide spectrum, from an outage at an infrastructure component, caused by inadvertent human error that causes minimal infrastructure disruption, to an event or societal change that threatens an entire infrastructure. The oil and natural gas infrastructures are comprised of an extensive range of physical assets, many of which span thousands of miles, and may be difficult to protect.

Some examples of threats are oil, chemical, or biohazard spills; pipeline breaks; accidental third-party damage; natural disasters; contamination; transportation (plane, train, truck, and ship) crashes; labor unrest; disgruntled workers; violent political activists; international and domestic terrorism; organized crime; and hostile military action.

NATURAL DISASTERS

The oil and natural gas industries respond quickly and well to natural disaster threats. Their response to natural disasters such as the Loma Prieta and Northridge earthquakes, Midwest floods, and hurricanes such as Hurricane Andrew is outstanding. The industry, often supported by government, quickly rallies together by providing emergency equipment and personnel on an informal basis.

Vulnerabilities/Consequences

Occurrences in nature have the potential to cause substantial loss. Storms (ice, rain), hurricanes, tornadoes, blizzards, floods, earthquakes, volcanic eruptions, and meteors are occurrences that can exploit vulnerabilities of physical systems. These actions can have major consequences with destruction of physical facilities, failure of systems, and loss of life. Within the United States, industry and government are well prepared to deal promptly and effectively with these vulnerabilities.

However, as the U.S. oil and natural gas industries have more and more critical assets abroad, the vulnerability may increase due to immature infrastructures in other countries where those assets are located. Therefore, the ability to respond quickly and thoroughly to such natural disasters can be impaired.

Additionally, industry downsizing, increased interdependencies on other infrastructures, high asset utilization, industry restructuring, and inconsistent business continuity planning make it more difficult in the future to maintain this excellent track record. The network of people who had the relationships that enabled the industries to support each other is rapidly diminishing, as are the working relationships between companies to permit such actions. Even internally, company downsizing and dependence on information technology are causing a reduction of skilled labor, increasing the difficulty of mitigating impacts from natural disasters.

Threats

Threatening acts of nature include hurricanes, cyclones, typhoons, earthquakes, volcanic eruptions, floods, tornadoes, and meteor impacts.

FINDINGS AND CONCLUSIONS

• Information technology and telecommunications are the areas where a catastrophic event or failure could cripple any or all of the critical infrastructures.

• A failure in the telecommunications infrastructure will create significant impacts to the oil and natural gas industries because of local and wide-area networks interconnecting new economy systems.

• The ability to go back to old methods can be lost, as oil and natural gas companies become reliant on these information technology and telecommunication systems. Because of the change in organization, the workforce is no longer as experienced or as skilled as before, and it often lacks the ability to operate systems without cyber tools, thereby limiting the capability to return to older manual methods.

• Failure of joint or shared use systems for e-commerce not only has a negative impact on a member of the shared service, but also can cascade throughout the infrastructure creating a significant vulnerability.

• Information technology and telecommunications systems are vulnerable to externally initiated events because it is no longer necessary to be on the premises to launch an attack, or to create an interruption.

• Rogue nations, terrorists, or other enemies are developing capabilities to attack cyber infrastructures.

• Competitive pressures can often lead to the use of immature technologies and can introduce significant vulnerabilities to enterprises and the infrastructure.

• The oil and natural gas industries are faced with a continuous stream of patches and fixes to correct product security defects of information technology and telecommunications systems that businesses are highly dependent upon.

• U.S. energy components (i.e., oil, natural gas, electric power, other energy sources, and their transportation modes) are converging with each other in the marketplace. The National Petroleum Council recommends that in the implementation of Presidential Decision Directive 63, all components of U.S. energy sectors be recognized as a single energy infrastructure.

• Globalization is a key to the growth of national economies, but adds complexity to companies dealing with differences in culture, work ethics, business protection, legal and regulatory issues, and political systems.

• U.S. economic vulnerabilities are impacted by industry consolidations involving foreign ownership of former U.S. companies.

• Companies are continually focused on increased efficiencies and cost reductions. This leads to business re-engineering, outsourcing, and downsizing. The result is a blend of employees, contractors, consultants, vendors, and suppliers, some of which are located in foreign countries, with less corporate commitment.

• The integration of information technology and telecommunications into business is creating a critical interdependence between infrastructures, i.e., banking and finance, power, water, oil and natural gas, transportation, information technology, and telecommunications.

• Interdependency of infrastructures is a new and evolving component of critical infrastructure protection and one of the most difficult to understand, creating threats to businesses.

• The lack of consistent business and financial rules, legal frameworks, and international recourse creates significant vulnerabilities in doing business globally.

• To facilitate critical infrastructure protection, industry and government must work together to find solutions.

• The oil and natural gas industries respond quickly and well to threats created by natural disasters and other physical events. Historically, although individual companies have not experienced widespread emergencies, they have done a good job in responding to problems, and in restoring service to customers.

• The oil and natural gas infrastructures are comprised of an extensive range of physical assets, many of which span thousands of miles, and may be difficult to protect.

• The converging of energy infrastructure components is making it more difficult to address critical infrastructure protection on an industry-by-industry basis.

• The oil and natural gas industries are statutorily required to disclose potentially sensitive information to government. Congress and the government agencies must ensure that appropriate mechanisms are in place to prevent such information from being released to unauthorized entities.


CHAPTER 3

Risk Management

Risk is a component in all human endeavors and is a word that means different things to different people. For most people, risk is the “possibility of suffering harm or loss.”1 In risk management, risk is defined as “a combination of the probability of an adverse event and the nature and severity of the event.”2 Therefore, to measure risk it is necessary to consider both the probability that an adverse event will occur and the consequences of that event.

Important components of risk management include asset valuation, vulnerability and threat characterization, risk assessment, and the evaluation of risk abatement options. Risk management uses all these components to evaluate risk and combine them with other relevant factors (e.g., costs, legal mandates, etc.) to select an appropriate risk abatement3 strategy.

The vulnerabilities and threats that the oil and natural gas industries face are increasing and more complex. Outsourcing, e-business, anonymous transaction-based operations, and adoption of non-traditional business relationships further complicate risk management, placing businesses at more risk.

Many companies in the oil and natural gas industries use aspects of risk management today in addressing risks of capital investment, interest rates, new ventures, and price volatility. The types of vulnerabilities and threats, and the nature of risks faced in this information age, which is the driver for the new global economy, are accelerating rapidly. Therefore, the key to managing risk is to develop new prevention strategies and establish processes to manage negative consequences.

RISK MANAGEMENT AS A TOOL TO ENHANCE CRITICAL INFRASTRUCTURE PROTECTION

A factor impacting risk abatement for critical infrastructure systems is the traditional tendency of many industries to manage physical security and safety risks in a focused and serious manner when the risk is recognized in advance or following a significant event. The recent trend in the energy sector is to address security issues in a more proactive manner. Security takes on increasing importance as the cost of cyber events increases. A study of risk management activities in private-sector companies indicates that the intensity of security risk management varies.4 A cost-effective strategy is a sustained level of security that is adequate to recover from past security breaches and establish measures to prevent future adverse events.

The oil and natural gas industries have done a positive job in addressing traditional operational risks. Today the introduction of information technologies has increased risks. For instance, the cost to recover from the “ILoveYou” virus is estimated to exceed $1 billion. Respondents to a Computer Security Institute survey reported a combined loss in excess of $377 million during 2000, an increase of $112 million over 1999.5

1 American Heritage® Dictionary of the English Language: Fourth Edition, 2000.

2 Presidential/Congressional Commission on Risk Assessment and Risk Management, 1997.

3 Abatement is all activity or techniques that are deployed to eliminate, reduce, or transfer the consequences of financial loss, damage, or destruction of assets (a program of activities).

4 Science Applications International Corporation. Organizations and Business Case Model for Information Security. Prepared for the Office of the Manager, National Communications System (OMNCS) Customer Service and Information Assurance Division, Information Assurance Branch (N53). August 26, 1997.

It is apparent that electronic infrastructure losses such as these are escalating with time. The benefits of a preventive strategy include fewer incidents and reduced costs per incident. Such a strategy can more than offset increased sustained costs of security programs. When added to the increased value associated with a culture of disciplined secure operations, such a strategy is a major contributor to a sound risk management program.

Many industries already have formalized programs to assist in mitigating risks. Understanding key components of risk management strategies and programs of other industries provides insight and a starting point for developing strategies to assess and reduce risks in the new economy. The chemical process industry, the commercial nuclear power industry, and the National Aeronautics and Space Administration (NASA) have always had risk assessment programs. Each industry, due to critical events, has reevaluated their risk management programs. The oil and natural gas industries have risk management processes in place for traditional operations, and the introduction of and reliance on electronic infrastructure suggests that risk management processes need to be reevaluated and extended.

THE OIL AND NATURAL GAS INDUSTRIES’ PERSPECTIVE

Historically, oil and natural gas industry managers have dealt with a wide range of physical risks, currency risks, interest rate risks, product liabilities, increased competition, loss of public confidence, and loss of investor confidence. In the new economy, cyber risks add to the complexity of risk management. The complexity for a company to understand its risks arises in part from the increasing dependencies and the interconnectedness congruent to the new business environment. Companies inherit vulnerabilities and threats of their partners and suppliers, resulting in a blurring of risk boundaries. Wall Street analysts and bond raters are including information systems valuation in corporate ratings.

Most industry managers view risk largely in terms of the likelihood and/or the extent of financial loss. Although industry managers cannot reduce all financial risks to zero, they strive to reduce risks to an acceptable level.

Industry managers generally focus on and have more experience dealing with legal, financial, and technical/operational risks than with risks involving the accidental loss or sabotage of the interconnected electronic networks on which they, their customers, and their suppliers depend. This is the case primarily because operational losses, as well as the cost of their abatement, can be measured in dollar values. Cyber risks to corporate infrastructures are much harder to estimate because they involve intangible, highly uncertain potential losses. Despite this difficulty, processes similar to those used to manage operational risks can be used to manage cyber and other critical infrastructure risks.

A basic risk management process that could be used by the oil and natural gas industry involves six steps (see Figure 3-1). These steps involve characterizing assets, describing vulnerabilities and threats, performing risk assessments, developing risk abatement options, selecting risk abatement activities, and implementing these activities. The six steps are then repeated after an appropriate period of time (e.g., yearly, every other year) or as warranted by changes in the risk environment (e.g., development of new technologies, emergence of new threats).

5 Computer Security Institute, March 2001 Computer Crime and Security Survey. For a free copy of this report, go to http//www.gocsi.com/fbi_survey.htm.

Although most risk management programs follow the same basic steps, the level of effort and the complexity of different programs can vary from industry to industry. In simple programs, one or two key people might complete most steps in the process in a few days. In programs that call for in-depth analyses, a team of analysts might work for months to complete the same steps. For most uses, cost and schedule constraints are a major factor in determining the level of effort and sophistication of a risk management program. Often, a simple program is sufficient for providing meaningful risk management guidance to decision makers.

Identifying and Characterizing Key Assets (Valuing Assets and Estimating Losses)

The first step in the risk management process is to identify and put a value on each of the key assets of the organization. These key assets can be people, facilities, services, processes, programs, etc. Next, the “impact of loss” for each of these assets is estimated. This is a measure of the loss to the company if the asset is damaged or destroyed. A simple rating system based on user-defined criteria can be used to measure the value of the asset (e.g., very low, low, moderate, high, extremely high) and the impact of its loss. In a more complex risk management system, the value of an asset and impact of loss can be calculated in monetary units. These values may be based on such parameters as the original cost to create the asset, the cost to obtain a temporary replacement for the asset, the permanent replacement cost for the asset, costs associated with the loss of revenue, an assigned cost for the loss of human life or degradation of environmental resources, costs to public/stakeholder relations, legal and liability costs, and the costs of increased regulatory oversight.


Step 1. Identify and Characterize Key Assets

Step 2. Identify and Characterize Vulnerabilities and Threats

Step 3. Perform Risk Assessments

Step 4. Identify and Characterize Potential Risk Abatement Options

Step 5. Perform Analyses to Select Cost-Effective Risk Abatement Activities

Step 6. Implement Risk Management Decisions

Figure 3-1. Example of Risk Management Process


Losses due to cyber viruses and computer hacking are especially difficult to estimate. The International Computer Security Association estimated North American losses from the “ILoveYou” virus at about $1 billion (June 2000). The results of the annual Global Information Security Survey (July 2000), conducted by Information Week Research and PricewaterhouseCoopers assisted by Reality Research & Consulting, indicated that in the prior year U.S. companies had losses of $266 billion, 2.7% of U.S. GDP, from computer viruses and hacking. This same study indicated worldwide business losses of $1.6 trillion, including lost productivity and sales opportunities.

The March 2001 report of the Computer Security Institute on their year 2000 Computer Crime and Security Survey confirms that the threat from computer crime and other information security breaches continues unabated and that the financial toll is mounting. According to their report, the average financial loss for the three years 1996–1998 was $120 million. In contrast, the loss in fiscal year 1999 was $265 million and in 2000 the loss escalated to $375 million.

The risks associated with the new cyber business environment are difficult to define or postulate. Consequently, resultant corporate losses are challenging to estimate. That is, an event can now have unanticipated consequences outside of the business sector in which it occurs. For example, the “ILoveYou” virus impacted oil and natural gas cyber and physical systems. In addition to cyber systems being slowed down from the e-mail bombardment, a petroleum refinery was completely shut down by the virus. Cascading failures due to interdependencies are currently beyond the control of single corporations or even a single economic business sector. Thus, collaboration among industry sectors is essential if risks are to be managed at acceptable cost.

The importance of an asset determines the level at which it should be protected from cyber or other security threats. Some assets, such as trade secrets or control systems (SCADA), may be so important to a company that their loss cannot be financially mitigated, for example, by insurance. These assets must be protected from exposure to cyber loss. Traditionally, preventive security measures have been accomplished through isolation. For example, many corporate information and technology centers maintain proprietary and time-sensitive information. Such centers require two or more independent authentication security measures to achieve access. In the oil and natural gas industries, many companies use similar protection strategies for assets considered critical to operations.

Because some assets, such as administrative assets or word processing software, are easily obtained or replaced, the need for protection is limited. Thus, only minimal resources are needed to abate their loss, or the risk of their loss. Most corporate assets fall somewhere in between.

Identifying and Characterizing Vulnerabilities and Threats

The second step in the risk management process is to identify and characterize vulnerabilities and threats. This involves carefully considering a wide range of vulnerabilities and threats. Vulnerability assessments identify weaknesses, review the effectiveness of current security measures to protect assets, and suggest additional measures to reduce risk. Frequent vulnerability assessments are essential to ensure that new vulnerabilities, particularly those associated with cyber systems, are identified and addressed in a timely manner. Use of third parties to periodically assess vulnerabilities can augment and provide objectivity to in-house audits. To further identify vulnerabilities, some companies use “red teams” to proactively “assault” their company’s principal physical assets, information systems, and networks.



Examples of factors commonly addressed in vulnerability assessments are shown below:

• Cyber

– Network Security – Internal and External View

– Data Security

– Systems Administration – User or System, Desktops and Servers

– Data Classification and Disposal

– Detection and Response – Time to React

– Policies and Procedures

– User Awareness and Compliance

– Information System Dependencies & Interdependencies

– Vendor, Partner, Supply Chain

• SCADA

• Physical

– Access Controls, Administration of Badges, Key Controls

– Loading Dock/Deliveries

– Mail Service

– Barriers, Sensors, Closed Circuit TV

– Guards

– Social Engineering

– Environmental and Safety

– Incident Response Plans

– Policies and Procedures

– User Awareness and Compliance

• Security Awareness Program

• Internal and External Interdependencies.

To manage risk, it is important to understand the threat environment in which assets operate.

Threat agents exploit vulnerabilities to cause loss. The changing nature of threats makes threat assessment a dynamic process. The timely collection and analysis of threat information is complicated by numerous information sources, lack of accessibility (for example, classified government intelligence), and the lack of an information-sharing mechanism. Frequent threat assessments and timely sharing of information enhance industry’s ability to deal with the rapidly changing threats. A number of factors that should be considered in the evaluation of threats include:

• Existence of threat agents with capability to access the target

• Capability of the threat agent to cause harm (demonstrated or assessed)

• Intent to cause harm (demonstrated, stated, or assessed)

• Observed history of activity by the threat agent

• Targeting of a facility in the past, or current credible information of activities by potential threat agents

• Existing security environment’s impact on the capability of a threat agent to be successful in exploiting a vulnerability.

Threat levels are determined by the degree to which combinations of these factors are present. The more factors that are present, the higher the level of threat.

Typical threat agents include:

• Disgruntled employees and insiders

• Criminals

• Hackers

• Competitors



• Malicious software

• Natural disasters or human error

• Activists

• Terrorists.

Threat is determined by the presence, capability, and opportunity-to-act of threat agents.

Evaluations of threats and vulnerabilities are combined to estimate the probability of loss of an asset. Loss histories are also helpful in estimating probabilities, but addressing new threats and vulnerabilities, associated with cyber systems where no history exists, requires collective expert judgment. As a result, it is easier to estimate probabilities and consequences of loss for physical assets than for cyber assets. The rapid changes in cyber technology, evolving information systems, and the expanding application of both cyber technology and information systems increase vulnerabilities. Moreover, business processes increasingly depend on timely access to information. Increasing interdependencies and interconnectivity increase both the vulnerabilities and the consequences of potential corporate loss.

Performing Risk Assessments

The third step in the risk management process is to perform a risk assessment using the information collected on assets, vulnerabilities, and threats. The goal of this process is to be able to assess the risks associated with each key asset. This involves considering a wide range of identified vulnerabilities and integrating probability and impact information. For example, the probability component in a risk estimate must consider the:

• Probability that an attempt will be made to exploit a vulnerability. Just because a vulnerability exists does not mean that an attempt will be made to exploit that vulnerability.

• Probability that once made, an attempt to exploit a vulnerability will be successful. Some attempts to exploit a vulnerability fail because of the action of existing safeguards, serendipity, or ineptitude.

• Probability that a given level of impact will be experienced. If a vulnerability is successfully exploited, there is a range of negative outcomes that can occur. For example, the actions of a hacker who has penetrated a computer system can range from relatively benign to extremely destructive.

In some cases, a single vulnerability will drive the overall risk estimate. In other cases, a series of different vulnerabilities may contribute substantially to the overall risk level. Once a company has a clear picture of the risks to its assets, it can begin to identify problem areas and see where risk abatement measures may be most effective in reducing risks to acceptable levels.

A number of different risk assessment tools and techniques can be used to estimate risks. Again, the type of tools depends on the resources and time available to conduct the risk assessment. All approaches require a fair measure of documentation. The adequate documentation of input into risk assessments is required so that the work can be reviewed, conclusions assessed, and information stored for future reevaluations.

Identifying and Characterizing Potential Risk Abatement Options

The fourth step in the risk management process is to identify and characterize risk abatement options. Industry managers typically consider a number of abatement options for cost-effective risk reduction. Risk abatement activities generally focus on five different areas: the deterrence of threat agents, protection from threats by reducing or eliminating vulnerabilities, mitigation activities to reduce the consequences of a potential loss event, effective crisis management to reduce the severity of an event while it is going on, and restoration to rapidly recover from an event (see Figure 3-2).



Risk abatement approaches include the following examples: Assets can be armored to protect against loss, or resilience can be built in. In the oil and natural gas industries, pipelines are not armored. Rather, pipeline control systems are designed for early detection of failure. Control centers, on the other hand, often have multiple layers of security protection, but limited backup should control systems be breached.

Some infrastructure threat agents are deterred by effective law enforcement or international legal actions. Protection of assets and crisis management is enhanced through adoption of policies and procedures, technologies, and institutional supports that reduce corporate and business sector vulnerabilities. Adoption of abatement technologies and institutional cooperation can facilitate rapid restoration of service. Insurance mitigates financial losses.

Protection measures, such as the isolation of assets, reduce the likelihood of a loss event, but do not change the level of impact, should the asset be lost anyway. Some have both a protection and mitigation component. For example, anti-virus software reduces both the likelihood of loss as well as the impact. Mitigation measures, such as insurance, apply only after initiation of loss. Mitigation reduces the consequences of an event and/or provides financial compensation or other redress for the loss. Thus, the use of risk abatement measures to protect assets, or their financial value, is an effective management tool, before, during, and after a loss.

In identifying and characterizing risk abatement options, it is important to be thorough and identify options that have different levels of effectiveness and cost. While low cost options are desirable, risk abatement options come with a range of initial and annual operational costs. Effectiveness also varies, so that while some options might almost totally eliminate a vulnerability, others may only reduce risk by lowering the probability that a vulnerability can be exploited (e.g., by requiring a more sophisticated attack to breach a vulnerability) or by reducing potential damages. By providing a range of risk abatement options, decision makers can choose the one that has an appropriate impact and an acceptable cost-to-benefit ratio.

In evaluating risk abatement options, it is important to assess not only new approaches, but to also evaluate existing risk abatement activities.


Figure 3-2. Risk Abatement Measures in the Loss Process (diagram labels: Threat, Vulnerability, Risk, Deterrent, Protection, Loss Event, Mitigation, Crisis Management, Restoration)

Risk abatement includes:

❒ Deterrence

❒ Protection

❒ Mitigation

❒ Crisis Management

Risk abatement is achieved through:

❒ Policies and Procedures

❒ Technology

❒ Insurance


In some cases, there may be cost-effective alternatives to existing risk abatement strategies. In other cases, existing risk abatement activities may not be needed if the vulnerabilities they address no longer present the same degree of risk that they did in the past.

The cost of various risk abatement measures can be reduced through cooperative industry efforts. Development of standards is one effective way of both reducing the cost of risk abatement as well as ensuring that business partners require comparable levels of risk management. Examples of standards that focus on information technology security are the current ISO/IEC 15408-1 standard (International Standards Organization/International Electrotechnical Commission) and the ISO 17799 standard. Security topics are addressed by a number of existing industry standards, but not to the degree necessitated by the new economy. Considerable effort will be necessary to formulate a cohesive set of standards that appropriately augments corporate and industry practices to enhance infrastructure protection in the new economy.

Performing Analyses to Select Cost-Effective Risk Abatement Activities

The fifth step in the risk management process is to select risk abatement activities for implementation. In business, the resources that may be applied to risk abatement are limited. Other business needs compete for the same funding. After carefully reviewing the risk environment, decision makers must determine an acceptable level of risk for the company. Decision makers then need to review the available risk abatement options and determine which suite of options should be implemented.

In some cases, the appropriate risk management decision may be to continue existing risk abatement programs. In other cases, it may be necessary to modify existing risk abatement programs or implement new risk abatement options. The goal is to select the most cost-effective suite of risk abatement options that will reduce risk to an acceptable level. The more risk abatement options the decision makers have to choose from, the more flexibility they will have in putting together a successful risk management program.
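As an added worked example (not a tool from the report), the following Python code carries steps 3 through 5 through for one constructed asset: the three probability components multiply the impact of loss, each abatement option scales one or more components at an annual cost (deterrence, protection, mitigation), and the selection picks the cheapest suite that brings residual risk within the acceptable level. The asset, its value and probabilities, and the option names, costs and reduction factors are all constructed assumptions.

```python
"""Risk estimate and abatement selection following the chapter's model.

Added example, not the NPC report's own tool. Every number below is a
constructed sample input, not a figure from the report.

risk = impact_of_loss * P(attempt) * P(success | attempt) * P(full impact | success)
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    impact_of_loss: float  # loss in monetary units (the "more complex" valuation)
    p_attempt: float       # probability an attempt is made to exploit the vulnerability
    p_success: float       # probability the attempt defeats existing safeguards
    p_impact: float        # probability a successful exploit produces the full impact

    def risk(self) -> float:
        """Baseline expected loss: impact weighted by the three probability components."""
        return self.impact_of_loss * self.p_attempt * self.p_success * self.p_impact


@dataclass(frozen=True)
class Option:
    """A risk abatement option and the factor it applies to each component.

    Deterrence scales P(attempt), protection scales P(success), mitigation
    (insurance, anti-virus) scales the realised impact. 1.0 = no effect.
    """
    name: str
    annual_cost: float
    attempt_factor: float = 1.0
    success_factor: float = 1.0
    impact_factor: float = 1.0


def residual_risk(asset: Asset, suite: Sequence[Option]) -> float:
    """Risk remaining once every option in the suite is applied; factors multiply."""
    attempt, success = asset.p_attempt, asset.p_success
    impact = asset.impact_of_loss * asset.p_impact
    for opt in suite:
        attempt *= opt.attempt_factor
        success *= opt.success_factor
        impact *= opt.impact_factor
    return attempt * success * impact


def select_suite(asset: Asset, options: Sequence[Option],
                 acceptable_risk: float) -> Optional[Tuple[Tuple[Option, ...], float, float]]:
    """Step 5: the cheapest subset of options whose residual risk meets the target.

    Exhaustive search over subsets is adequate for the handful of options a
    single asset carries. Returns (suite, annual cost, residual risk), or None
    when no subset reaches the acceptable level.
    """
    best = None
    for size in range(len(options) + 1):
        for suite in combinations(options, size):
            residual = residual_risk(asset, suite)
            if residual > acceptable_risk:
                continue
            cost = sum(opt.annual_cost for opt in suite)
            if best is None or cost < best[1]:
                best = (suite, cost, residual)
    return best


# Constructed sample: a SCADA control centre treated as a key asset.
SCADA_CENTER = Asset("SCADA control centre", impact_of_loss=50_000_000,
                     p_attempt=0.3, p_success=0.4, p_impact=0.2)

# Constructed options covering the chapter's deterrence / protection / mitigation areas.
OPTIONS = (
    Option("law enforcement liaison", 20_000, attempt_factor=0.8),
    Option("anti-virus software", 50_000, success_factor=0.7, impact_factor=0.8),
    Option("network isolation", 200_000, success_factor=0.25),
    Option("cyber insurance", 300_000, impact_factor=0.5),
)


if __name__ == "__main__":
    print(f"{SCADA_CENTER.name}: baseline risk {SCADA_CENTER.risk():,.0f}")
    for target in (350_000, 100_000, 50_000):
        choice = select_suite(SCADA_CENTER, OPTIONS, target)
        if choice is None:
            print(f"  target {target:,}: no suite reaches it; revisit the level or add options")
        else:
            suite, cost, residual = choice
            names = ", ".join(opt.name for opt in suite)
            print(f"  target {target:,}: [{names}] cost {cost:,.0f} residual {residual:,.0f}")
```

Lowering the acceptable level from 350,000 to 100,000 changes the cheapest suite from isolation alone to isolation plus anti-virus plus insurance, and at 50,000 no combination of the constructed options reaches the target, which is the signal to revisit the level or look for further options.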

Implementing the Risk Management Decisions

The sixth and final step in the risk management process is to implement risk management decisions. This is the essential step in the process. There is little benefit derived from a risk management program unless it is executed in an effective and efficient manner. This typically involves:

• Preparing plans and procedures for implementing risk abatement activities

• Assigning and training staff to perform risk abatement activities

• Monitoring risk abatement work to make sure the planned program is being carried out and risk reductions are actually occurring

• Maintaining an active surveillance of the threat, vulnerability, and risk abatement environment to identify changes that may be occurring that could warrant modification of risk management activities.

FINANCING LOSSES THROUGH INSURANCE

All oil and natural gas companies carry some form of property and liability insurance, whether self-insurance, mutual insurance, or insurance purchased from the various global insurance markets. Property insurance compensates a company financially for the loss of its own insured assets. Liability insurance compensates a company when it becomes legally obligated to pay for damages caused to the assets of others.



All insurance relies on the ability to establish a monetary value for the loss that places an insured in a position commensurate with that preceding the occurrence of the loss or insured event. For proprietary, confidential business information or intellectual property, monetary value is often established based on investment costs. For example, unless intellectual property is under license agreement or contract for sale at an established price, establishing a market value, the property is not insurable for what it might be worth in the future. That is, companies cannot insure against speculative lost opportunities. Thus, intellectual property or other business sensitive or proprietary information lost as a result of a cyber incident may not be insurable under existing insurance industry principles.

Insurance against business interruption may reimburse a company for damages resulting from a cyber incident if a monetary loss can be established. Because business opportunity costs are difficult to evaluate, however, loss of ability to do business, with no collateral property damage, is usually not insurable, although the value of lost work time may be.

Little case law currently exists that addresses civil wrongs (torts and breach of contract) resulting from a company’s infrastructure collapse due to cyber events or other disruptions. However, as documented in this report, the fact that cyber incidents will occur is predictable. And, to a certain extent, they can be mitigated. Thus, in the future it is expected that companies which fail to exercise due diligence in protecting themselves and their cyber partners against attacks could be found legally negligent.

The impact of a corporate infrastructure failure due to a cyber event may also cause breach of contracts for oil and natural gas companies that promise delivery of specified quantities of products on specified schedules. Under these circumstances, liquidated damages or other compensations may be extraordinarily high, and may not be insurable.

Insurance companies are beginning to offer specialized policies applicable to cyber risks. Companies purchasing such insurance typically are subject to a risk assessment by the insurer and are required to implement specific network security measures. Because of limited legal case history and inadequate loss experience, however, premiums for such policies are generally expensive and the available coverage is limited. Maturation of insurance offerings to “acceptable” levels requires completion of all the fundamental risk assessment elements discussed here. Furthermore, it requires that risks, including vulnerabilities, threats, and loss consequences, and abatement measures are well documented and understood.

Corporate insurance to protect against cyber losses may be valuable to corporate stockholders. But the transfer of risk that insurance provides does not help the global economy. The financial strength of certain major oil companies, on their own, may exceed the insurance capacities in the global insurance markets. As such, corporate insurance protection will have minimal impact to global consumers of the oil and natural gas industries.

Although consumers may have no legal recourse against the oil and natural gas industries if products and services are not available, the global economy can be brought quickly to a halt if the distribution infrastructure collapses.

THE Y2K EXPERIENCE

In a real sense, Y2K presaged future risks associated with the new economy, and Y2K preparations demonstrated the first major multi-industry, multi-national response to cyber-related risk. In effect, Y2K provided a worldwide cyber example, and a success story, of the value of a global community response to a common threat.

Companies associated with the oil and natural gas industries organized teams to address Y2K risks. In addition, the federal government both challenged industry to validate that Y2K risks were low and monitored validation progress. Congress provided special assistance through the passage of the Year 2000 Information and Readiness Disclosure Act of 1998 and the Y2K Act. Specifically, these acts limited risk and authorized exemption from antitrust statutes to enable industries to share information and address common vulnerabilities. Recently, legislation has been introduced to provide some of the same protections to coordinated industry action intended to reduce risks associated with e-commerce.

The following Y2K lessons are applicable in the new economy:

• Federal legislation can facilitate industry-wide collaboration to address threats and vulnerabilities.

• Systemic cyber vulnerabilities can be shared without compromising business integrity or competition.

• Collaboration on infrastructure vulnerabilities, especially cyber vulnerabilities, can reduce both cost and risk.

• Interdependencies that require coordinated attention can be successfully addressed.

FINDINGS AND CONCLUSIONS

• The key to managing risk for the oil and natural gas industries is to develop prevention strategies and to manage consequences of incidents when they occur. However, new strategies and best practices are needed to protect against information loss or the breakdown of critical infrastructures in the new economy.

• Risk boundaries are being blurred by the expanded use of network-based communications and computing, and by adoption of business models that use information technology to streamline organizations and their operations.

• Costs of cyber risks to corporate infrastructures are difficult to estimate because they involve intangible, highly uncertain potential losses.

• Risk management will be enhanced by the adoption of consistent industry standards for cyber security management.

• Companies in the oil and natural gas industries benefit from conducting periodic vulnerability assessments of their own systems and operations, both physical and cyber.

• Companies need to perform assessments of, or be made aware of, their partners’ vulnerabilities. Additionally, companies need to understand and assess the vulnerability to their systems from unknown third parties.

• In the highly interconnected business cyber world that exists today there are many risks that cannot be defined or postulated. Consequently, a risk management system needs to be developed to address these unknowns.

• Companies cannot insure against speculative lost opportunities. Thus intellectual property or other business-sensitive or proprietary information lost as a result of a cyber incident may not be insurable under existing insurance industry principles.

• As a tool for managing risk, information sharing is a vital element of enhanced prevention and control for the oil and natural gas industries.

• Collaboration, enabled through federal legislation for Y2K, allowed cost-effective reduction of risk through cooperative programs and information sharing across industry. Comparable federal legislation would enable similar cost-effective risk management programs addressing critical infrastructure protection.



CHAPTER 4

Response and Recovery

Response and recovery planning, in conjunction with timely information on threats and vulnerabilities, plays a major role in mitigating business risks.1 Such contingency planning provides companies with the necessary review of potential unexpected business consequences, and the opportunity to preplan and test responses to them. Year 2000 preparations brought into sharp focus the need for contingency planning beyond the traditional scope of emergency response and recovery. In today’s new business environment, response and recovery planning must address the following:

• Industry reliance on information technology and telecommunications

• Business restructuring

• Interdependencies

• Legislative and regulatory uncertainty

• Natural and man-made incidents.

The oil and natural gas industries have experienced many physical failures. Perhaps the worst was an explosion in Texas City, Texas, on April 16, 1947. A ship exploded at a dock, causing fires and detonations in the surrounding refineries and chemical plants. At least 581 persons were killed and approximately 3,500 were injured. As a result of such incidents and other process failures, businesses have developed contingency plans for responding to and recovering from these physical incidents and their causes.

CURRENT STATE OF INDUSTRY RESPONSE AND RECOVERY PLANNING

Physical Infrastructure

Historically, most companies understand and are able to handle their own physical infrastructure problems. Prudent business practices require industry to quickly respond to physical incidents caused by natural events such as earthquakes and hurricanes, and man-made events such as vandalism, criminal activity, terrorism, accidents, etc. Typically these incidents result in local consequences. Today increased use of automation, increased interconnectedness, just-in-time business models, and interdependencies can potentially result in regional, national, or international incidents and impacts. These broader consequences pose additional challenges to effective response and recovery planning, incident response, and consequence management.

Government regulations in the area of safety often dictate how businesses prepare and execute their response and recovery plans. For example, the Department of Transportation Office of Pipeline Safety requires that pipeline companies have formal emergency response plans, and annual drills to test those plans. Another example is the National Response System, which provides a mechanism for emergency response to discharges of oil into navigable waters of the United States and releases of chemicals into the environment.2

1 Response is the immediate emergency, law enforcement, defense, or other crisis management response to an incident to protect life, health, safety, and property. Recovery is the action taken after the initial response to rebuild homes, replace property, resume employment, restore businesses, and reconstitute life.

2 The National Response System is described in the National Oil and Hazardous Substances Pollution Contingency Plan (NCP), found in Title 40 of the Code of Federal Regulations, Part 300.


As part of that system a National Response Team was created. The National Response Team’s membership consists of 16 federal agencies with responsibilities, interests, and expertise in various aspects of emergency response to pollution incidents. The Environmental Protection Agency (EPA) serves as chair and the Coast Guard serves as vice-chair of the National Response Team. Company contingency plans to deal with pollution incidents are required to include the involvement of either the Coast Guard or EPA.

For the traditional types of natural disasters, the Stafford Act dictates how the Federal Emergency Management Agency (FEMA) responds, and funds local recovery operations. The act also provides criteria through which states may request and acquire federal funding for their recovery operations.

At the international level, maritime law provides rules for insurance, shipping, and salvage of cargo on the high seas. Countries have also adopted oil spill response and chemical process safety regulations to protect their environments. Insurance is being used globally to mitigate consequences and fund response and recovery operations that might become necessary.

International agreements and national programs can serve to protect against serious supply interruptions. An example of an international agreement was the formation of the International Energy Agency in the wake of the 1973-74 oil crisis. The U.S. Strategic Petroleum Reserve was created to provide an inventory buffer against an interruption in petroleum supplies.

Mutual aid programs are methods that industry and local governments use in preparation for response and recovery to large incidents. These have been and will continue to be rather well established practices and networks for mutual benefit. For example, companies located along the Houston Ship Channel have mutual aid agreements for fire fighting equipment and personnel. Most terminal and refining companies enter into similar types of agreements. In addition, most communities surrounding large airports or other large public facilities have mutual aid pacts with the owner/operator to facilitate response to large-scale fires, medical emergencies, or crashes.

Other examples are Intermat, Inc., and the Edison Electric Institute (EEI), which provide their members with a mechanism to obtain skilled workers and materials to augment their own capabilities during an emergency. Intermat provides a Mutual Emergency Materials Support (MEMS) system. EEI’s process provides a framework for requesting assistance, governing principles and insurance aspects, as well as forms (checklists, letters, contracts, invoices, definitions, etc.) to facilitate the communications between the requestor and the company providing the mutual support.

There are less formal agreements between oil and natural gas companies for “borrowing” supplies when an emergency arises. These agreements are generally verbal and based on a “hand shake” in field environments. The types of supplies involved cover anything from pipe to compressor parts. These informal agreements are generally based on personal contacts in field offices. As people leave the workforce and new personnel or automated systems take over, these informal agreements are less likely to occur. Pre-planned mutual aid agreements are more efficient and dependable.

Gaps in Physical Infrastructure Response and Recovery

From the perspective of the oil and natural gas industries, individual companies have not experienced widespread emergencies such as the outages historically experienced by electric utilities. Individual companies have done a good job in responding to problems, and in restoring service to customers.

The concerns of public and environmental groups as they relate to an incident create public relations issues and often cause the government to react in unanticipated ways. The number of local, state, and federal government agencies that respond to incidents can create confusion for the owner/operator in providing an incident command and control process as part of their response and recovery plan. This confusion may delay the restoration of service. Government response to public reaction to incidents can result in unfavorable outcomes for industry and other stakeholders. An example is the incident experienced on the Olympic Pipeline, described in Chapter 2, where government oversight resulted in it taking 20 months from the time of the incident to re-establishment of partial service.

While some companies have long experience in dealing with regional, national, and international physical infrastructure incidents, the globalization of entire industries has resulted in new players who may not be as well prepared. There is a strong incentive for these new participants to develop or enhance response and recovery plans suitable for dealing with widespread incidents. Cooperation between industry and government can expedite the response and recovery from incidents that disrupt physical infrastructure.

Cyber Infrastructure

Wide uses of information and communications technology are generating new challenges for response and recovery planning. Contingency plans need to include the cyber dimension that is pervasive in the new business environment. The complexity and scope of response and recovery operations can easily exceed the capabilities that any one company has for dealing with a crisis (scope of consequences, interdependencies, cascading effects, rapid spread, regional, national, and international impacts) in this area.

Companies have become reliant on cyber systems to operate physical infrastructures, provide e-commerce, and perform general business transactions. Thus, cyber incidents can affect automated computer controls of physical infrastructures, integrated telecommunications, and interdependent distribution systems, which may result in physical damage. Moreover, failures of general business, trading, and other e-business systems can lead to significant losses. Based on experiences from the 1989 San Francisco earthquake, if a company experiences a major incident and does not recover its critical business processes within five to seven days, or the consequences overwhelm its ability to respond, the company could be forced out of business. The speed at which failures can occur, as demonstrated by the growth in computer viruses and Denial of Service attacks, places new demands on response and recovery planning.

The following are some cyber incidents that could occur:

• Loss of e-trading systems, which prevents buyer/seller transactions, and loss of e-commerce/B2B systems, which affects the ability to procure materials and services. Both of these can disrupt operations.

• Unauthorized modification of company trading transactions.

• Loss of critical business systems (e.g., customer service, financial, connectivity) or modification of critical decision data, which could affect both physical operations and business continuity.

• Loss of access to the Internet, telecommunications, or electric power, which can disrupt physical operations.

• Interception and/or modification of SCADA data, or the loss of a SCADA system, which affects the ability to operate a pipeline or facility (e.g., refinery, compressor station), potentially causing a loss of service.

• Release of sensitive customer information/billing information.

• Unauthorized company information posted on the Internet, including messages that are false and defamatory in an attempt to manipulate stock price.

• Hijacking and modification of company web sites.

• Interception and inappropriate use of sensitive company communications.

Gaps in Cyber Infrastructure Response and Recovery

Cyber response and recovery processes are not as mature as those developed to handle damage to physical assets. Enhancements are needed in cyber response and recovery planning, specifically in assessing data backup policies and procedures, redundancy in the design of automation control systems, protection of the cyber systems that operate critical infrastructures, the reliability of the external paths through which critical information flows, the inconsistency in how nations legally address cyber issues, and the lack of international cyber security standards.

Since company policy and procedure form the cornerstone for how a company responds to incidents, they must be kept up to date. Policies and procedures to deal with new economy cyber threats need to be developed and/or improved. Best practices in this area need to be shared to speed up the implementation of adequate cyber response and recovery processes throughout the industry.

Companies today are essentially operating within their own spheres with no previous requirement to cooperate and share information. Some companies have put in place virus-incident response plans to deal with virus attacks. And some organizations are now working to develop more sophisticated, overall cyber-incident response plans that incorporate an interdisciplinary response to intrusions (external and internal), fraud, viruses, denial of service, web-site hacks, etc. Companies also need to develop internal information-sharing mechanisms to receive, analyze, and disseminate incident information from internal and external sources.

Cyber Incident Response Plans are a way to provide simple, well-understood, systematic procedures for responding to security-related incidents. A well thought out, direct approach to guide through many types of incidents is best. Organizing an incident handling team and selecting members is one of the first steps. Potentially the team should include personnel from different disciplines such as desktop and server support, local and wide-area telecommunications, public relations, legal, audit, and investigations.

A response plan should include information in six general areas: preparation, detection, containment, eradication, recovery, and follow-up.[3] Pre-designed reporting forms facilitate rapid communications, and an up-to-date contact list creates links to other personnel from which to obtain help or decisions. If law enforcement is going to be involved, then additional steps may be necessary to preserve evidence in a manner acceptable to the courts.

Special actions must be incorporated into these general plans to handle situations such as the following:

• Malicious Code Attacks – viruses, Trojan Horses, worms, and scripts used by hackers

• Probes and Network Mapping – probes try to gain access or information

• Hoaxes – false alarms that tie up incident response resources and spread fear, uncertainty, and doubt through the user community

• Espionage – stealing of information to subvert the interests of the organization.

[3] Incident Handling Step by Step: A Survival Guide for Computer Security Incident Handling, The SANS Institute, Version 1.5, May 1998.

The computer incident response plan must be coordinated with existing disaster recovery and/or business continuity plans. Damage from cyber security incidents may result in the activation of contingency plans to recover networks, systems, and data. These actions would occur concurrently with the ongoing incident response.

Currently, there are limited best practices that deal with cyber security. However, British Standard 7799, “The Standard for Information Security Management,” has been adopted by the International Standards Organization (ISO) as ISO 17799, dealing with information security administration.

Cyber attacks can be launched from anywhere in the world. If an incident is to be successfully prosecuted, law enforcement must obtain evidence in all of the involved jurisdictions. The Department of Justice is working in several different forums, like the G8 and the European Operating Council, to establish standards for cyber crime laws and to develop contact lists through which law enforcement can obtain assistance in these other jurisdictions 24 hours a day, seven days a week. However, until most nations recognize the benefits of the new business environment, and pass laws to deal with cyber crime, it will continue to be difficult to respond, investigate, and prosecute. As an example, the author of the “ILoveYou” virus was set free because no laws existed in the Philippines at that time to make the act a crime.

Globalization, Restructuring, Political & Regulatory, and Interdependency Issues

The issues of globalization, corporate restructuring, political and regulatory uncertainty, and interdependency, as discussed previously in this report, further complicate consistent response and recovery planning. A recent incident of an infrastructure failure that had cascading effects was the explosion 20 miles south of Carlsbad, New Mexico, just before dawn on Saturday, August 19, 2000. The line was one of three adjacent pipelines providing natural gas to Arizona and California. Electric generation customers in those states are dependent on natural gas supplies from these lines. After the rupture, all three natural gas pipelines were shut down, and shipments to customers halted.

The initial response to the explosion was by local, state, and company officials. The Office of Pipeline Safety, National Transportation Safety Board, and Environmental Protection Agency responded based on their jurisdictions. At least six different entities were at the site with different perspectives, jurisdictions, and agendas. Initial actions at the site revolved around containment of the cause of the explosion to protect the safety of other citizens and emergency responders, and then the ensuing investigation into why the pipeline ruptured and exploded. If terrorism were suspected, then the Federal Bureau of Investigation (FBI) would also become involved.

Due to the potential impact on natural gas supply to the western states, an assessment of the impact of the pipeline outage was critical. California would be significantly impacted if the pipeline outage cascaded into a shutdown of natural gas-fired electric generation plants. The Department of Transportation requested that the Department of Energy provide an energy impact assessment.

This example brings into focus the implications of infrastructure failures at the regional and national levels. The following are issues or questions that must be considered:

• An incident can transcend an individual company and the industry itself, and it can affect other infrastructures, widespread geographic areas, and other countries.

• What supporting role should government provide to industry in developing assessments of possible consequences that transcend an individual company, or an industry?

• Should plans be developed for simultaneous incidents such as earthquakes, cyber attack, energy supply system failures, etc., and coordinated with other infrastructures?

• Who has the authority to resolve jurisdictional disputes and cause the rapid restoration of service to mitigate the downstream consequences?

• What role should local and state governments (or the governments of affected countries) play in regional or national response and recovery operations?

• What types of information should be shared during incidents to keep everyone informed, and provide after action reports from which best practices or lessons learned can be derived?

BEST PRACTICES TO ENHANCE RESPONSE AND RECOVERY

Evaluate Optimal Models

A number of organizations and government agencies collect and disseminate information on lessons learned from emergency response and recovery activities. For example, FEMA, EPA, the Department of Transportation’s Office of Pipeline Safety, the Coast Guard, the FBI’s National Infrastructure Protection Office, and the Nuclear Regulatory Commission are federal agencies with relevant experience. In addition, a number of safety and emergency prevention groups serve as information clearinghouses. Examples are the Houston Ship Channel Consortium, Chemical Safety Board (which functions in a manner similar to that of the National Transportation Safety Board), and American Institute of Chemical Engineers’ Center for Chemical Process Safety. It will be important to characterize the types, frequencies, and severities of incidents comparable to those that could be experienced in the oil and gas industries; determine the amount of time it took to restore service; identify the factors (if any) that inhibited quick recovery; and evaluate the associated costs. Thus, additional research needs to be done to evaluate how these clearinghouse systems work and to determine which features could best be applied to response and recovery planning, testing, and execution for the oil and natural gas industries.

Year 2000

Contingency planning for Y2K was a highly successful model of response and recovery planning and cooperation. At the national level, the government did several things to assist industry:

• Laws were passed to facilitate information sharing among companies, and to limit liability.

• Readiness reporting standards were provided.

• A national command center was established by the government to collect and collate Y2K information and disseminate it to others during the time change.

• Space was provided in the command center for key infrastructure groups to gather and monitor activities in their areas, which would improve communications and provide for faster response to problems.

Periodic Tests (Benchmarks, Tabletops, Communications)

Contingency plans exist at different levels. These levels are based on constituencies and their different roles in response and recovery. Local government, state government, industry associations, the federal government, and international entities have different jurisdictions and interests. The impact of consequences on them and their response to those impacts must be anticipated and planned for. The impacts of the new business environment drivers, the global news market, and the timing of response versus recovery add increased complexity. These increasingly complex response and recovery environments dictate that plans be periodically tested to ensure they will manage the consequences of the emergency and reduce risk for all stakeholders. Companies also conduct periodic testing of plans to comply with regulations like the Oil Pollution Act of 1990. The benefits of testing include:

• Validation of overall adequacy of the plan

• Validation of plan assumptions

• Validation of ability of staff to execute (skills and experience)

• Identification of unexpected problems

• Identification of new issues

• Identification of plan failures

• Staff training.

Tests should be conducted at appropriate times. A mature testing process includes both scheduled and unannounced tests. Successful unannounced tests are the best indicators of a company’s capability. There are different types of tests that can be done to test the adequacy of plans:

• Benchmarks. A benchmark is a test where standard data types are collected over time for comparison against either an industry standard (benchmark) or against a collection of similar companies. This is a good way to see if standards are being met, such as government regulations, quality, or safety targets, etc. In a test, benchmarks could be response time, actions taken, reports filed on time, time to recover services, number of personnel who didn’t respond to pages or other notification, etc.

• Tabletop Exercises. A tabletop is a more realistic test of a plan where it is impossible to use the actual physical assets to simulate the emergency. Scenarios are developed to create situations that exercise the response and recovery team members’ roles, communications, logistics, and command and control. Tabletops are very useful in getting different stakeholders together to test multi-level integrated response and recovery plans.

• Communications. A communications test may be as simple as testing a calling tree or employee notification process to ensure that critical staff can be reached. Or it could be to see if a request for mutual aid could be executed effectively. It could be to test a media relations plan with scenarios for them to respond to and conduct simulated briefings to the media. Or it could be a technical test of backup telecommunications.

• Cyber Exercises/Tests. Disaster recovery tests are the traditional type of testing done. Tests can include:

– Telecommunications tests

– Backup and recovery tests for data, systems, and applications

– Hot site (duplicate environment)

– Tabletop exercises to test command and control

– Security tests to identify cyber vulnerabilities, or to test incident response plans.

In addition to the benefits listed above, cyber testing permits identification of missing general or special purpose computing equipment, wrong network protocols or missing protocol capabilities, missing circuits to key network nodes, wrong cables, missing data or data feeds, missing applications, and so forth. All of these can easily defeat testing in a complex computing environment of hardware, microcode, software, data, applications, networks, and people.

• Functional Exercise/Test. When plans are large and complex, it may be necessary to break them into manageable pieces for testing. This can be accomplished by testing specific functions separately (e.g., incident command and control, decision making, communications, etc.).

As response and recovery plans become more sophisticated, the ability to adequately test these plans is increasingly difficult. A single company may not be able to test their ability to handle “all” consequences. It may be necessary in the new business environment for groups of companies to perform integrated tests together.
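As an added illustration, not drawn from the NPC report, of the benchmarks the text names for a communications test (response time, personnel who did not respond to pages), the following Python scores an unannounced calling-tree test from a constructed page/acknowledgement log and checks it against an assumed 30-minute acknowledgement target. The log format, the role names, the timestamps and the thresholds are all assumptions made for the example.

```python
"""Score an unannounced calling-tree (employee notification) test against
benchmark targets.

Added example; it is not part of the NPC report.  The log format, the role
names, the timestamps and the 30-minute acknowledgement deadline are all
constructed for illustration.
"""
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, Iterable, List, Tuple

# Constructed test log.  Each PAGE line records the moment a person was
# paged; an ACK line records when that person confirmed receipt.  One
# person (public-relations) never acknowledged at all.
SAMPLE_LOG = """\
2001-05-14T02:00:00 PAGE ops-lead
2001-05-14T02:00:00 PAGE pipeline-controller
2001-05-14T02:00:00 PAGE scada-admin
2001-05-14T02:00:00 PAGE legal
2001-05-14T02:00:00 PAGE public-relations
2001-05-14T02:03:10 ACK ops-lead
2001-05-14T02:07:45 ACK pipeline-controller
2001-05-14T02:15:30 ACK legal
2001-05-14T02:41:00 ACK scada-admin
"""


def parse_log(text: str) -> Tuple[Dict[str, datetime], Dict[str, datetime]]:
    """Split the log into {person: page time} and {person: earliest ack time}."""
    paged: Dict[str, datetime] = {}
    acked: Dict[str, datetime] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        stamp, event, person = line.split(maxsplit=2)
        when = datetime.fromisoformat(stamp)
        if event == "PAGE":
            paged[person] = when
        elif event == "ACK":
            # Keep the earliest acknowledgement if someone confirms twice.
            if person not in acked or when < acked[person]:
                acked[person] = when
        else:
            raise ValueError(f"unknown event {event!r} in line: {line}")
    return paged, acked


def score_test(paged: Dict[str, datetime], acked: Dict[str, datetime],
               ack_deadline: timedelta = timedelta(minutes=30)) -> dict:
    """Compute the benchmark figures the report names: response times,
    people who never responded, and people who responded after the deadline."""
    minutes: Dict[str, float] = {}
    no_response: List[str] = []
    late: List[str] = []
    for person, t_page in paged.items():
        t_ack = acked.get(person)
        if t_ack is None or t_ack < t_page:   # an ack before the page is noise
            no_response.append(person)
            continue
        elapsed = t_ack - t_page
        minutes[person] = elapsed.total_seconds() / 60.0
        if elapsed > ack_deadline:
            late.append(person)
    on_time = len(minutes) - len(late)
    return {
        "paged": len(paged),
        "acknowledged": len(minutes),
        "no_response": sorted(no_response),
        "late": sorted(late),
        "median_minutes": median(minutes.values()) if minutes else None,
        "max_minutes": max(minutes.values()) if minutes else None,
        # Share of everyone paged (non-responders count against the plan).
        "on_time_pct": 100.0 * on_time / len(paged) if paged else 0.0,
    }


def meets_benchmark(result: dict, target_pct: float,
                    critical_roles: Iterable[str]) -> bool:
    """Pass only if the on-time share meets the target and every critical
    role both responded and did so within the deadline."""
    failed = set(result["no_response"]) | set(result["late"])
    if failed & set(critical_roles):
        return False
    return result["on_time_pct"] >= target_pct


if __name__ == "__main__":
    paged, acked = parse_log(SAMPLE_LOG)
    result = score_test(paged, acked)
    for key, value in result.items():
        print(f"{key:>15}: {value}")
    ok = meets_benchmark(result, target_pct=90.0,
                         critical_roles=("ops-lead", "pipeline-controller",
                                         "scada-admin"))
    print("benchmark met" if ok else "benchmark NOT met")
```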

Information Sharing

A formal industry-wide information-sharing mechanism should be adopted to enhance the flow of information during an incident to all stakeholders. The sheer size and complexity of the oil and natural gas industries, and the need to partner with other companies, infrastructures, and local, state, and federal governments to deal with wide ranging consequences require that all parties be kept up to date during the life of an incident. An information-sharing mechanism could:

• Serve as a formal focal point for our sector to collect and distribute information during an incident.

• Collect incident and post mortem information for analysis.

• Provide information to all stakeholders: federal agencies, state and local governments, and the On Scene Commander of the incident.

• Facilitate the development and maintenance of a “Yellow Pages” directory of critical skills, materials, services, and other response and recovery resources that could be shared by companies during an emergency.

• Provide clarifications and supplementary guidance that companies could use to help them understand and address response and recovery planning issues.

• Disseminate information on response and recovery training, outreach programs, and other topics from government and industry organizations.

• Provide feedback on response and recovery planning best practices and benchmarks from inside and outside the sector to all stakeholders.

FINDINGS AND CONCLUSIONS

• The oil and natural gas industries are well positioned to handle physical infrastructure disruptions.

• The oil and natural gas industries rely on information technology and telecommunications to operate physical infrastructures, trading systems, and general business processes. The consequences of this reliance pose additional challenges to effective response and recovery planning.

• Cyber response and recovery capabilities and processes are not as mature as those developed to handle physical incidents. Companies need to review and update response and recovery plans to ensure they address the cyber dimension.

• Information in the cyber dimension is a critical resource and must be recovered. Without the information, the infrastructure recovery is meaningless. Cyber response and recovery plans should be grounded on effective data backup and recovery policies and procedures.

• Companies need to ensure that periodic exercises and tests are conducted to validate response and recovery plans for critical infrastructure assets.

• The new business environment dictates that companies include key stakeholders, such as business partners, suppliers, customers, and representatives from local and state governments in response and recovery tests and exercises.

• Companies need an effective internal information-sharing mechanism to receive, analyze, and disseminate incident information to and from internal and external sources, including law enforcement, to enhance response and recovery.

• Timely and actionable information is the key to an effective response to threats or incidents, as well as to successful recovery activities.

• Companies need to review their mutual aid agreements to ensure they are still effective in the new business environment.

• In the new business environment, the potential for cyber and physical incidents to cascade into regional, national, and international impacts is greater. Industry should work with government to develop regional response and recovery plans, including periodic testing and exercises, to provide mechanisms to deal with these larger impacts.

• When infrastructure disruptions occur, the roles and responsibilities within local, state, and federal governments often conflict. These conflicts of interest regarding jurisdiction impede timely restoration of service to industry customers, and can also inhibit future infrastructure protection.

• The oil and natural gas industries, in partnership with government, need to continuously study other industry and government response and recovery models to enhance best practices for response and recovery planning and incident management.

• To better protect the critical infrastructures of the United States, the federal government should:

– Clarify the response and recovery roles of the various federal and state agencies, including the Federal Emergency Management Agency.

– Work with industry and other government entities to identify new response and recovery processes and improve awareness of each other’s capabilities in the area.

– Assist in understanding interdependencies with other critical infrastructures.

– Coordinate with all affected parties to provide accurate and timely information about incidents.

– Develop a process that enhances response and recovery by allowing temporary waivers in the face of constraining regulations to address critical infrastructure impacts.

– Review the actions taken to address the Y2K issue and build on this successful model to address concerns raised in the critical infrastructure protection area.

CHAPTER 5

Information Sharing and Sector Coordination

The oil and gas industries have long recognized the need for security of physical assets. As a result of recognizing this need, the industries have developed effective systems to protect critical physical infrastructure. The advent of the information technology age with its assorted electronic tools and systems requires an extension of protection to critical electronic infrastructure. There is a high level of interconnectivity of electronic systems, both with physical systems and other electronic systems. Along with the speed with which information is transferred, it is apparent that a system that provides early warning of emerging situations that may compromise electronic infrastructure security is desirable and may, in fact, be essential. One positive approach to providing early warning is to use an industries-wide information-sharing mechanism.

In order to better facilitate information flow in the industries, there appears to be the need for a central focal point. This focal point could be either an individual or an organization that would be charged with coordinating information flow within the industries and would be designated as sector coordinator.

INFORMATION SHARING

The study of vulnerabilities and threats in the oil and natural gas industries determined that the industries’ dependence on information technology and telecommunications, including e-commerce and supervisory control and data acquisition (SCADA) systems, to manage business internally and externally is an area where a catastrophic event or failure could have a significant negative impact on all or part of the economy. This study determined in part:

• Competitive pressures can often lead to the use of immature technologies and can introduce significant vulnerabilities to enterprises and the infrastructure.

• The oil and natural gas industries are faced with a continuous stream of patches and fixes to correct hardware and software security defects.

• Failure of joint or shared use systems for e-commerce not only has a negative impact on a member of the shared service, but also can cascade throughout the infrastructure creating a significant vulnerability.

• The ability to go back to old manual methods is extremely difficult, as oil and natural gas companies become reliant on these information technology and telecommunication systems. Because of the change in organization, the workforce is no longer as experienced or as skilled as before and it lacks the ability to operate systems without cyber tools, thereby limiting the capability to return to older manual methods.

• A failure in the telecommunications infrastructure will create significant impacts to the oil and natural gas infrastructures because of local and wide-area networks interconnecting new economy systems.

• Systems are vulnerable to externally initiated events because it is no longer necessary to be on the premises to launch an attack, or to create an interruption.


• Rogue nations, terrorists, or other enemies are developing cyber capabilities to attack cyber infrastructures.

• The integration of information technology and telecommunications into business is creating a critical interdependence between infrastructures, i.e., banking and finance, power, water, oil and natural gas, transportation, telecommunications, and information technology.

Experience has shown that early warning of incidents or new vulnerabilities affecting information technology systems is critical to system protection. Therefore, creation of, and active participation in, an oil and natural gas information sharing and analysis center (ISAC) is paramount to the protection of this infrastructure.

The oil and natural gas industries have developed several forums for information sharing that provide individual companies with value today. Formal mechanisms for coordination and information dissemination exist through trade advocacy groups (regional, national, and international), vendor expositions, conferences, workshops, and training programs. However, these information-sharing mechanisms are reactive in nature and do not provide the critical insights into real-time information that can prove critical to protecting industry infrastructures. While physical security issues benefit from information sharing, the speed at which cyber incidents spread dictates the need for real-time information sharing.

Within the oil and natural gas industries, companies differ greatly in size, from global multi-nationals to sole proprietors. Many companies do not have an adequate IT security staff, and smaller companies may have none. Many of the smaller companies are doing contract work for the multi-nationals and access their information systems. Companies throughout the infrastructure are not receiving and acting on vulnerability information in a timely manner. Having access to an ISAC at a reasonable cost would provide all companies in the sector with timely warnings and solutions that they otherwise would not get.

The oil and natural gas, water supply, and electric power sectors are dependent on SCADA systems, which are used to operate physical infrastructures and refining processes. These systems increasingly rely on open architecture and the Internet to perform their critical functions. These open systems may be corrupted by external sources, which could cause disruption and great cost to the industry. Therefore, vulnerabilities in these systems will benefit from information sharing within the industries and with the vendors of such systems.

As pointed out in Chapter 4 discussions of response and recovery, information sharing during incidents is critical to ensure smooth response and restoration of critical services. The sheer size and complexity of the oil and natural gas industries and the need to partner with other stakeholders to deal with wide-ranging consequences require that all parties be kept up to date during the life of an incident.

Companies today receive threat warnings from multiple sources. Often these warnings arrive through personal subscriptions and are neither centrally coordinated nor timely. For example, the “Anna Kournikova” virus resulted in multiple messages warning companies about this virus, which in actuality slowed down e-mail systems and caused a larger impact on business operations than the virus itself. If an industry information-sharing mechanism existed, one warning and the solution could have been transmitted to ISAC members ahead of the spread of the virus, minimizing the impact on corporations.

In addition to viruses, denial of service attacks, hackers, internal and external fraud, human error, etc., can seriously disrupt business operations at great costs. This study found no other real solutions to adequately deal with the myriad cyber attacks without such an information-sharing mechanism.

INFORMATION SHARING STATUS OF OTHER CRITICAL INFRASTRUCTURES

In addition to the oil and natural gas industries sector, the federal government has identified seven other critical infrastructures. While each sector shares some characteristics with the others, each has its own unique set of characteristics. Consequently, it is not surprising that the various sectors are addressing the issue of information sharing in different ways. For example, there are three general models for implementing an information-sharing mechanism: reliance on industry staff, use of an industry-directed service provider, or hybrid government/industry management.

The ISAC approach is being pursued by four of the sectors: banking and finance, information technology, electric power, and transportation. One sector, telecommunications, is following another information-sharing path. The remaining three sectors, water supply, emergency services, and government services, are currently in the early stages of addressing their critical infrastructure protection needs.

Banking and Finance Sector

The Financial Services Information Sharing and Analysis Center (FS/ISAC) became operational in October 1999. Predictive Systems Inc., an industry-directed service provider, operates the FS/ISAC. The banking and finance sector established the FS/ISAC as a limited liability corporation (LLC), which owns the sector’s analysis processes and the information submitted by members. The LLC is governed by an elected Board of Managers, which is responsible for the operating rules and guidelines for the ISAC. The FS/ISAC receives information from the government but does not share information back.

This model has several desirable attributes: the use of a limited liability corporation structure for the ISAC; the availability of real-time IT threat and vulnerability information; anonymous posting of incident data; the availability of IT solutions from the ISAC; the sending of tailored and prioritized alerts; cost-effective operations; and strategic partnerships with IT vendors to broaden data sources.

Information Technology Sector

The Information Technology Association of America (ITAA) is the sector coordinator for the information technology sector. As of early May 2001, the ITAA has announced that it is forming an operational ISAC. Its purpose will be to facilitate the timely sharing of non-proprietary information concerning threats of cyber attacks (alerts), actual attacks (analysis and trending), and countermeasures to attacks. The ISAC will serve as the sector focal point for coordination, cooperation, and information sharing. ITAA also has chosen to use an industry-directed service provider to operate its ISAC.

Today’s businesses are very dependent on information technology. Since exploitation of IT vulnerabilities continues, this ISAC could play a key role in cross-sector information sharing.

Electric Power Sector

The North American Electric Reliability Council (NERC) is the sector coordinator for the electric power sector. NERC is currently implementing an indications and warnings system with the National Infrastructure Protection Center (NIPC) to serve as the sector’s information-sharing mechanism. NIPC serves as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity.

The electric power sector is providing the federal government with information about malicious incidents that can then be shared with the electric power industry. The indications and warnings system being adopted by the electric power industry provides a valuable linkage with the government. Certain industry staff have security clearances and are able to receive directly from NIPC classified threat and vulnerability information that ordinarily could not be shared. They can then work with the government to declassify such information and share it in a useful format with other non-cleared industry staff.

Telecommunications Sector

The National Coordinating Center for Telecommunications–Information Sharing and Analysis Center (NCC/ISAC) has evolved from an entity that provided indications, analysis, and warning (IAW) capabilities into one that now operates as an information-sharing mechanism. The NCC/ISAC is being developed to facilitate voluntary collaboration and information sharing among its members. Its scope includes a broad range of vulnerabilities and threats with the potential to affect the telecommunications sector. Information is shared on a non-attributable basis. The strength of the NCC information-sharing mechanism is its ability to pull major industry players into a room to discuss infrastructure activities impacting their industry.

Because of the dependencies on telecommunications technology, this information-sharing mechanism could play a key role in cross-sector information sharing.

INFORMATION SHARING REQUIREMENTS FOR THE OIL AND NATURAL GAS INDUSTRIES

The National Petroleum Council examined information-sharing mechanisms within the oil and natural gas industries, in other critical infrastructures, and from other industries. Specific successful information sharing models such as the Centers for Disease Control were examined to glean desired ISAC attributes and criteria. The NPC determined that an oil and natural gas sector ISAC should be capable of the following:

• Providing access to the broadest range of threat, vulnerability, and incident data involving IT hardware and software products, SCADA systems, and physical assets.

• Providing data acquired from the broadest range of global sources, including technology vendors, Internet sources, industry participants, other ISACs, local, state, national, and foreign governments, businesses, etc.

• Providing global capabilities to identify, analyze, and disseminate information on threats and vulnerabilities in real time.

• Analyzing high volumes of data, using a combination of automated and human processes.

• Prioritizing cyber incidents and providing members with timely and relevant alerts and solutions.

• Providing members a choice to remain anonymous when reporting incident information to the ISAC. Membership in the ISAC can also remain anonymous.

• Providing a single repository for access to threat, vulnerability, and incident identification and solutions.

• Providing demonstrated experience in operating ISACs.

• Operating in a cost-effective manner, providing greater value than the cost of joining.

In addition to the requirements listed above, it is possible that an arrangement can be made with NIPC to share classified threat information with designated personnel in the oil and natural gas sector. For example, as previously noted, in the electric power sector certain industry staff have security clearances and are able to receive directly from NIPC classified threat and vulnerability information that ordinarily could not be shared. They can then work with the government to declassify such information and share it in a useful format with other non-cleared industry staff.

ISSUES AND CHALLENGES FOR INFORMATION SHARING

Information sharing is appropriate for the oil and natural gas industries to leverage their internal knowledge base at an individual company level, within the industry, with other industries, and with government. Information sharing can assist in better understanding vulnerabilities and threats, along with mitigating risk and improving response and recovery planning. However, obstacles related to information sharing must be addressed in order to maximize its benefits. These obstacles relate to issues with sharing within the industry, industry sharing with government, and government sharing with industry. Each of these obstacles is discussed below.

Issues and Challenges for Sharing within Industry

As previously discussed, information sharing currently exists within the oil and natural gas industries: between companies, from trade associations, and from research organizations. There are challenges, however, that impede some desired information from being shared. These challenges must be addressed so that effective information sharing can occur. They include:

• Size and Complexity of the Oil and Natural Gas Industries. The oil and natural gas industries are comprised of many segmented and diverse companies and associations, making it difficult to categorize and coordinate these industries. Some companies choose strategically to own and operate assets while others perform a market function of buying and/or selling commodity products without the ownership of assets. Still others are developing energy-related financial products that are becoming increasingly essential to the seamless operation of the infrastructure. It is difficult to reach out to all these diverse industry components.

• Liability Arising from Participation in an ISAC.1 There are many potential sources of liability stemming from the formation and operation of an ISAC. However, most of the potential liability can be minimized through an effective allocation of the risks through several contractual arrangements, such as the ISAC membership agreement, the service agreement with the ISAC provider, and the ISAC membership rules.

• Antitrust Laws and Information Sharing.2 Information sharing among competitors must be consistent with federal and state antitrust laws. The U.S. Department of Justice (DOJ) has stated that it would not challenge a proposal by the Electric Power Research Institute (EPRI) to share cyber vulnerability and threat information within the electric power industry. This action supports the belief that DOJ will not act under the antitrust laws against ISACs that are legitimately focused on cyber security. The risk of antitrust liability for information sharing can be minimized by obtaining a business review letter from DOJ for the oil and natural gas industries ISAC.

1 Potential liability concerns arising from participation in an ISAC are more fully discussed in Chapter 6 of this report.

2 Potential antitrust concerns arising from participation in an ISAC are more fully discussed in Chapter 6 of this report.

Issues and Challenges for Industry Sharing with Government

Although much information from industry is shared with government, several obstacles currently impede additional information sharing. These obstacles must be addressed so that effective information sharing can occur. Critical infrastructure protection has always been treated as a private/public partnership. For this partnership to be truly effective, the information sharing obstacles need to be resolved. These obstacles include:

• Protection for Companies’ Sensitive Information. Under the Freedom of Information Act, the government must publicly release certain types of information when requested. Without the necessary protection that prohibits release of sensitive business information, companies are reluctant to voluntarily share information with government. Statutory changes in the law are needed to remove this obstacle.

• Role of State and Local Governments. State and local governments play important roles for the oil and natural gas industries. Local governments are the first responders to incidents and assist in response and recovery. State governments play an important role in safety, environmental, and emergency preparedness. Many states have freedom of information type laws. Therefore, industry may be reluctant to share information that could become public. The relationship between industry and the federal, state, and local governments must be clearly defined. The government can provide additional assistance to industry if industry shares its requirements and needs.

• Year 2000 Readiness and Responsibility Act. During the Year 2000 rollover there was much concern about the liability of collecting and sharing information. This information was important to all critical infrastructures to assess the state of the infrastructures and share solutions and expertise. The Y2K Readiness and Responsibility Act (the “Y2K Act”) was designed to reduce uncertainty regarding what legal standards apply to Year 2000 disputes, and thereby reduce frivolous litigation and encourage remediation. The Y2K Act helped to establish uniform, national legal standards and liability limitations governing lawsuits arising from actual or potential Year 2000 failures. Something similar is needed before the full benefits of sharing information regarding critical infrastructure protection can be realized.

Issues and Challenges for Government Sharing with Industry

The federal government has a key role to play in sharing information with the oil and natural gas industries. Leveraging information available in the federal government, whether practices employed or intelligence known, can assist companies in better understanding their risk exposure and lead them to a better understanding of which mitigation options are appropriate to undertake.

Several obstacles currently prevent the government from sharing additional information with industry. Perhaps the largest difficulty that the government faces in this regard is sharing with industry the classified and unclassified intelligence and threat information it has collected. The obstacles the government faces in sharing information with industry include:

• Impact of Classification on Information Sharing. An important element of the federal government’s case for critical infrastructure protection is founded on federal intelligence information. However, classified information retained by the government, and not shared with industry, provides limited value to the oil and natural gas industries. The “declassified” form of federal intelligence often provides little meaning and value. Various incident and warning information is provided to the sector, including alerts from the NIPC, the FBI, and the U.S. Department of Transportation. Often these alerts are so “watered down” as to be non-actionable. Industry personnel who have obtained government security clearances do benefit from participation in government-sponsored seminars on critical infrastructure protection. However, by virtue of this clearance they are prohibited from sharing the knowledge gained within their company, much less with other industry participants.


• Implications for Information Sharing with Foreign Affiliates. Foreign-owned and multinational corporations are another obstacle to overcome. A company’s loyalty usually exists to its shareholders and not the government, but this may not be the case for foreign-owned businesses. Some businesses have headquarters in other countries and hence loyalties to these countries. Deciding what types of information to share, and under what circumstances, are difficult issues. U.S. firms often partner with non-U.S. firms that may share access to company systems, creating potential vulnerabilities to the U.S. infrastructure.

INFORMATION SHARING RECOMMENDATIONS

The National Petroleum Council recommends the development and implementation of an oil and natural gas ISAC. Such an ISAC would help mitigate the sector’s collective risk, considering its dependency on IT, telecommunications, and SCADA systems. Additionally, because of the convergence of oil, natural gas, and electric power into an energy industry, these industries can no longer be examined independently. Most energy companies have activities in two or more of these energy commodities. It is recommended that after the oil and natural gas industries ISAC is operational, consideration be given to including other entities as interrelationships become apparent.

While there are issues and challenges to some types of information sharing, they do not prohibit the development of the ISAC. Initially, information will not be shared with government until current barriers are removed. As more of these barriers are removed, the value of the ISAC will increase even further.

It is recommended that an arrangement be initiated with government to permit certain industry personnel to obtain national security clearances in order to access classified threat information. Access to such classified information would enhance vulnerability assessment for the sector.

In order to facilitate information sharing without the encumbrance of antitrust legislation, it is recommended that the ISAC obtain a business review letter from DOJ to allow information sharing regarding cyber security.

The industry-directed service provider model is recommended as the most efficient and appropriate for the oil and natural gas sector. The “information sharing requirements” of an ISAC, described earlier in this chapter, should be utilized in selecting the best service provider. Information technology and telecommunications vulnerabilities should be the immediate focus, but physical vulnerabilities and threat information should be included as the ISAC evolves. The National Petroleum Council found that some energy companies do not receive enough of this crucial information, and some companies may not receive any at all. Additionally, some companies may not have a physical or IT security staff to act on this crucial information. A cost-effective ISAC would permit those companies access to timely vulnerability and threat information along with solutions.

In determining the structure and operating procedures of an ISAC, the NPC recommends that an industry board be established to investigate, develop, and implement an appropriate ISAC for the sector. This board would address issues such as membership, legal structure, costs, selection of a service provider, etc.

SECTOR COORDINATION

Purpose

The National Petroleum Council is a federal advisory committee that provides advice, information, and recommendations on matters relating to oil and natural gas and their industries solely at the request of the Secretary of Energy. As such, the NPC accepted an interim role as sector coordinator to lead the oil and natural gas sector in responding to Presidential Decision Directive 63. In the request letter, the Secretary of Energy asked, “At the conclusion of your work, I would like your advice on the permanent role of the Sector Coordinator, and your recommendation on how that person or organization should be identified.”

Discussion

Information that relates to the roles and responsibilities of the sector coordinators is described in several documents generated by the government on critical infrastructure protection. They are the report of the President’s Commission on Critical Infrastructure Protection,3 and an unclassified white paper on Presidential Decision Directive 63.4 The goals for each sector listed in Presidential Decision Directive 63 include:

• Assess the vulnerabilities of the sector to cyber or physical attacks.

• Recommend a plan to eliminate significant vulnerabilities.

• Propose a system for identifying and preventing attempted major attacks.

• Develop a plan for alerting, containing and rebuffing an attack in progress and then, in coordination with FEMA as appropriate, rapidly reconstitute minimum essential capabilities in the aftermath of an attack.

• Ensure that all plans and actions take into consideration the needs, activities, and responsibilities of state and local governments and first responders.

• Strongly encourage creating a private-sector ISAC. (Design and functions will be determined by the private sector.)

Three main issues present themselves in providing sector coordination: the ability of the designated group or individual to provide leadership and ongoing day-to-day interaction with various stakeholders; access to administrative staff; and funding to support sector activities.

Through interviews with current sector coordinators, it was apparent that each sector has taken a different approach to achieving critical infrastructure protection goals in response to the presidential decision directive and input from its industry members. Each sector coordinator is providing leadership, staffing, and funding in different ways. Therefore it is up to the oil and natural gas industries to decide how best to provide this critical leadership and coordination function. The roles and responsibilities of the sector coordinator will evolve over time as infrastructure protection goals and industry’s approach to security mature. The initial commitment to initiate and implement the recommendations of this report on behalf of the industries must not be underestimated.

SECTOR COORDINATION RECOMMENDATIONS

Roles and Responsibilities for the Oil and Natural Gas Sector Coordinator

The National Petroleum Council has identified the following sector coordinator roles and responsibilities that are appropriate for the oil and natural gas industries:

• Provide oil and natural gas sector leadership on critical infrastructure protection matters, such as facilitating establishment of a sector ISAC and participating in its management.

• Be the primary liaison for the sector on critical infrastructure protection matters with industry, the Department of Energy, other critical infrastructure protection sectors, the executive and legislative branches of government, the media, and state and local government entities.

• Define the financial structure for operation of the office of the sector coordinator.

• Establish working groups from the sector to address pertinent critical infrastructure protection issues and industry goals such as training needs, awareness programs, and identification of sector R&D needs.

• Encourage sector industry components to perform periodic, quantitative risk assessments of information and telecommunication systems and physical security to enhance awareness of new vulnerabilities.

3 Critical Foundations, Protecting America’s Infrastructures. The Report of the President’s Commission on Critical Infrastructure Protection. October 13, 1997.

4 White Paper – The Clinton Administration’s Policy on Critical Infrastructure Protection: Presidential Decision Directive 63. May 22, 1998.

Selection of a Sector Coordinator

The National Petroleum Council recommends that the sector coordinator be designated by the governing body of the oil and natural gas industries ISAC.

FINDINGS AND CONCLUSIONS

Information Sharing

• Experience has shown that early warning of incidents or new vulnerabilities affecting information technology systems is critical to system protection.

• The oil and natural gas industries have several forums in which information is shared, but there is no designated information-sharing mechanism that focuses on cyber aspects of critical infrastructure protection.

• Information sharing through an ISAC has proven to be a valuable approach in mitigation of cyber vulnerabilities and threats.

• The oil and natural gas industries would benefit from the creation of an ISAC. Of the three models in use throughout the critical infrastructures, it is recommended that an industry-directed service provider operate the ISAC for the oil and natural gas industries.

• The industry’s dependence on information technology and telecommunications poses immediate vulnerabilities. Therefore the recommended initial focus for the ISAC should be information technology and telecommunications.

• Many companies in the sector do not have an adequate IT security staff to support their systems, and smaller companies may have none. Participation in an ISAC would provide a cost-effective method for them to access timely data regarding cyber security incidents and solutions.

• Industry access to classified threat information would further enhance the protection of the oil and natural gas infrastructures. An arrangement should be initiated with government to permit certain industry personnel to obtain national clearances in order to have access to classified information.

• There is a convergence within the oil, natural gas, and electric power industries in the marketplace, with companies having activities in two or more of these commodities. Future consideration should be given to offering the opportunity for all companies in the energy business to join the oil and natural gas industries ISAC.

• SCADA systems are used in the oil and natural gas, electric power, and water supply industries. Therefore, future consideration should be given to allowing private water supply companies to join the oil and natural gas industries ISAC.

• It appears that a properly structured industry information-sharing mechanism can operate within existing law.


• The oil and natural gas industries are sensitive to the government’s antitrust concerns. A business review letter addressing antitrust concerns on information sharing should be obtained from the U.S. Department of Justice. The preferred long-term solution would be new legislation.

• To facilitate information sharing by industry with government, legislative action is needed to provide relief from liability and the Freedom of Information Act.

• The NPC has identified ISAC requirements and selection criteria to facilitate information sharing within the oil and natural gas industries, which would serve as the basis for selecting a vendor.

• The governing body for the oil and natural gas industries ISAC should have balanced representation from all segments of the industries.

Sector Coordination

• Sector coordination is a critical component of implementing an effective critical infrastructure protection program, providing overall leadership and a point of contact to deal with day-to-day infrastructure protection issues.

• Currently no organization represents all segments of the oil and natural gas industries. The governing body of the sector ISAC is the logical entity to provide a neutral forum for sector coordination issues.

• It is recommended that the Secretary of Energy formally acknowledge the designee of the governing body of the oil and natural gas industries ISAC as the sector coordinator, fulfilling the responsibilities of Presidential Decision Directive 63.


CHAPTER 6

Legal and Regulatory Issues Related to Information Sharing

It is well accepted that existing legal and regulatory systems influence decisions to act or to refrain from action. It is equally clear that certain laws and regulations enacted for one purpose can have unintended consequences that are completely unrelated to that purpose. Any nationwide or international effort to secure critical infrastructure must take into account how existing laws and regulations may facilitate or impede those efforts. This chapter addresses the relevant laws and regulations that affect oil and natural gas industries critical infrastructure protection collaborative efforts (information sharing). Legal mechanisms that exist or could be put in place to encourage private-sector voluntary disclosure and to facilitate governmental sharing of critical infrastructure protection information are discussed below. Finally, this chapter discusses examples of information-sharing systems already in place for dealing with local and global problems that could serve as models for the recommendations made in this report.

For purposes of this analysis of existing laws, it is assumed that: (a) voluntary, rather than mandatory, disclosure of information to facilitate infrastructure assurance is desired1; (b) consensus exists or can be reached on what should be disclosed, to whom it should be disclosed, and when disclosure should occur; (c) commercial and political obstacles to voluntary disclosure (e.g., indifference or antipathy toward business rivals) can be overcome; and (d) technology exists or will be developed that will ensure the security of the information that is disclosed.

Because existing laws and regulations could hinder the voluntary participation of industry, it is crucial to determine what legal and regulatory changes may be required in order to maximize the incentives of participants in the industry to share information—beyond the mutual objective of a safer, more secure infrastructure. This chapter discusses existing legal and regulatory concerns and recommends some regulatory changes and procedural adjustments that, although general, would help the private sector with exchanging information on common vulnerabilities, threats, solutions, best practices, and security breaches and their resolutions.

LEGAL OBSTACLES TO INFORMATION DISCLOSURE AND SHARING

As mentioned previously in this report, any private-sector participant in a critical infrastructure protection information-sharing scheme faces two distinct types of legal obstacles to information sharing: those that arise when the information is to be shared solely within the participant’s industry, and those that arise when information will additionally be shared with government agencies or entities. Generally speaking, the chief concerns raised by companies over information sharing within a particular industry center around antitrust infringement, the protection of confidential information, and the potential for liability resulting from a breach of contract or a transgression of state tort law. Information sharing with the federal government raises similar concerns, but also adds an inherent inability to control how information provided to the government is disseminated or used. It is possible to minimize these concerns, however, by addressing the legal obstacles to information sharing and devising strategies for overcoming or reducing them. The legal obstacles to private- and public-sector information sharing and how to minimize their risks are addressed below.

1 Numerous additional legal issues would be raised if disclosures were not voluntary but were required by the United States government or another authority. These include, but are not limited to, constitutional issues involving the fourth and fifth amendments. These issues are beyond the scope of this chapter. To date, no critical infrastructure information-sharing scheme has contemplated such draconian requirements for its participants.

Legal Issues Related to Information Sharing within the Sector

Any program aimed at promoting cooperation among industry participants must take into account how certain laws will affect the ability and incentive of each industry to share information. It is first necessary to determine the legality of a proposed information-sharing program within the industries, and whether prospective members could face liability for organizing and operating such a cooperative program.

It is worth noting that these issues are related to, but separate from, the obligations imposed on program participants as conditions for membership, including, for example, whether participants will owe a duty to disclose and share information, to whom such duty is owed, and the legal consequences of failing to perform that duty. These issues are important, and should be carefully addressed in the membership agreement for any information-sharing program. The discussion below, however, addresses more generally how programs involving the disclosure of information among the private sector could subject participants to certain risks.

• Industry-Wide Information Sharing and Antitrust Laws. Exchange of information, which is largely operational in nature, has never been seriously questioned under antitrust laws. As the scope of information to be exchanged expands, however, companies will need to be mindful of the antitrust risks of exchanging with competitors information from which their competitive situations and plans might be ascertained.

Recently, the Electric Power Research Institute (EPRI) requested a business review letter from the U.S. Department of Justice (DOJ) with respect to a proposed information exchange designed to enhance critical infrastructure security against cyber-threats.2 In response to EPRI’s request, DOJ indicated that it would not take any enforcement action against the proposed information exchange. DOJ concluded that “all information exchanged will relate directly to physical and cyber-security” and that “no company specific competitively sensitive information i.e. prices, capacity or future plans, will be exchanged.”

The newly proposed IT/ISAC has recently sought a business review letter from DOJ. Although an antitrust exemption for critical infrastructure protection collaboration and information sharing would be the most certain way to avoid antitrust liability, such an exemption requires Congressional action, which could be months, if not years, away. In the meantime, seeking a business review letter regarding any proposed information exchange related to cyber-security would be a prudent course for the oil and natural gas industries to follow.

2 Under DOJ’s Business Review Procedures (28 C.F.R. 50.6) a firm describes proposed business activities to the Antitrust Division and receives a letter stating whether the Division would challenge the actions as a violation of the federal antitrust laws.

• Information Collection/Sharing and Privacy. The decision by a company to undertake close monitoring of its computer networks, including the actions of those who access them, could create a potential for liability. If, for example, a company determined that a visitor to its website was attempting to penetrate its firewalls during such visits, it would conceivably want to share this information with other companies in its critical infrastructure protection program, including any personal information that the visitor wittingly or unwittingly gave to the company during his visits. The liability for such action arises from the fact that in some jurisdictions the public disclosure of private facts (even if true) about an individual, where such disclosure is objectionable to a reasonable person, constitutes a common law tort. Multinational companies must also be concerned about privacy laws in the countries within which they operate. In the United States, where the disclosure to an ISAC may relate to a matter of public interest, as could arguably be the case with disclosure of information relating to threats to critical infrastructure, First Amendment and other protections may apply to prevent liability from attaching to information collection activities.

The reactions of third parties to network monitoring are not the only ones worthy of consideration. Though it need not be a requirement for membership, a company that joins an information-sharing program may be inspired to take a more aggressive approach in monitoring the network activities of its employees. Generally speaking, companies should always inform employees of the company policy for monitoring network activity. Special care should be taken in the event that a policy will be changed (especially if monitoring is to increase) to ensure that proper notification is made and consent received.

The consequences for failure to notify employees about network monitoring can be significant. A number of state and federal laws have been interpreted by some to require notice and/or consent before certain monitoring of employee communications may take place. Bills introduced in Congress in July 2000 would have cleared all uncertainty on this issue by requiring employee notification prior to any type of electronic monitoring.3 It does not appear to be Congress’ intention to prevent electronic monitoring outright; however, it would behoove any company that already undertakes or is considering undertaking employee monitoring to have in place a comprehensive policy for notification and consent, which can often be achieved by means of an employment contract or amendment thereto.

3 The companion bills were Senator Charles Schumer’s S. 2928, and Representative Charles Canady’s H. 4908.

The European Union (EU) Privacy Directive outlines the types of personal information that qualify for privacy protection, and prohibits the transfer of personal data to non-EU countries that do not provide adequate levels of privacy protection. The U.S. government has negotiated a “safe harbor” arrangement with the EU, which creates the presumption for participating U.S. companies that such companies provide adequate levels of privacy protection if they comply with specific principles regarding the use, disclosure to third parties, and access to personal information. Similar regulations in other countries could impact the collection and sharing of personal information by any private-sector participant in a critical infrastructure protection information-sharing scheme.

• Information Use and Defamation. The prospect that the member of an information-sharing group might face liability for charges of defamation is remote, but it is a possibility that should be discussed nonetheless. Defamation, under common law, requires a disclosure to a third party of information that would harm the reputation of an identified person. This rather broad definition has been narrowed in recent years by the Supreme Court, which has sought to give greater weight to the First Amendment’s guarantees of freedom of speech and press. Charges of defamation could still occur, however, if the member of an information-sharing group disclosed certain harmful information about a person, a company, or the product of a company, and that information later turned out to be untrue. Assuming the party was able to show some injury, the member (or perhaps the entire group) could face liability.

To avoid this potential risk, the information-sharing group should ensure that it always has a good faith basis to issue derogatory reports about a particular person, company, or product. Information of this kind should only be disseminated to protect or warn other member companies about the potential harm that could result. There is, in fact, a qualified privilege that allows for the publication of defamatory statements when acting to protect the interests of another or of a group that shares common interests. Although this is not an absolute privilege or defense, it could limit a member company’s liability considerably.

• Disclosure of Privileged or Confidential Information. A somewhat tangential concern raised by the prospect of increased private-sector disclosure of various types of information is the potential waiver of privilege that may occur as a consequence of any such disclosure. Disclosure of otherwise privileged information developed at the direction of a corporation and its attorneys may waive privilege with respect to the information itself and information on the same subject matter. Under current law, the disclosure of any privileged communication with respect to a given matter waives the privilege for all communications related to the same subject matter. Thus, there may be a reluctance to voluntarily disclose such information without an agreement among the parties to an information-sharing group, or between the group and the federal government, that privilege is not waived through disclosure of information for infrastructure security purposes.

It also bears noting that private-sector participants are unlikely to disclose confidential information, even where important to the protection of the infrastructure, without legal guarantees that the confidential nature of such information will be maintained. Disclosure of infrastructure vulnerabilities could create potential liability for private-sector participants if such vulnerabilities cause harm to third parties. In addition, disclosure of such vulnerabilities could impact a private-sector participant’s business reputation or affect investor confidence. Concerns in the foregoing areas are heightened for private-sector participants if information concerning infrastructure security is shared with the government sector, and will be discussed in detail below. In cases where confidential information is to be shared only with members of one’s industry, one way to protect confidentiality is through the membership agreement provisions that will bind the members of the information-sharing group and impose penalties for violation of the agreement.

• Failure to Disclose or Use Information. Prospective participants in an information-sharing program may also be deterred by the possibility of incurring liability for failing to disclose, or alternately, failing to use information on critical infrastructure attacks. The theory of liability in the former case is based on the principle that a member in an information-sharing group has an obligation (and not an option) to share information about attacks with other members of the group. If this duty is not explicitly set forth in the membership agreement, however, then it is unlikely that such a duty would be implied under federal or state law.

Liability in the latter situation could be triggered if a company is aware of a particular threat but does not take any actions to defend against it, and falls victim to attack. Should such an event occur and be fully discovered by a third party, such as a customer or shareholder of the company, it is foreseeable that a lawsuit and liability could ensue. It may also have unintended insurance consequences—specifically that insurance coverage could be voided or otherwise denied on grounds that the company “should have known” of threats to covered assets but failed to disclose them to insurers and failed to take the necessary precautions recommended by the information-sharing group.

Liability in both situations may be minimized by explicitly excluding from the membership agreement the duty to disclose or use information gained through participation in an information-sharing group. Such an agreement will establish clearly the duties of each member related to the accurate reporting of information (which may be that there is no duty) and the handling of reported information (which could, for example, mandate the use of certain technological measures for data-handling). It will also establish penalties for the failure to carry out one’s duty. Any company that chooses to sign such a contract should thus be aware of the legal obligations that it generates.

Legal Issues Related to Industry Sharing Information with the Government

Systems of cooperation and coordination aimed at protecting the nation’s critical infrastructures can be enhanced by the participation of the government, both at federal and state levels. The government has access to data and intelligence that is unavailable in the private sector and could be quite valuable in defending against a cyber attack. Government involvement, however, where both sides give and acquire information raises concerns of privacy, liability, and security amongst potential industry participants. These concerns and the existing legal regime must be considered and weighed against the ultimate objectives of any public-private partnership to secure and strengthen the nation’s critical infrastructures.

• The Freedom of Information Act (5 U.S.C. §522). The Freedom of Information Act (FOIA) permits “any person” to seek access to any government “agency record” that is not subject to one of nine exemptions or three special law enforcement exclusions. If voluntary disclosure is desired by the government in a future infrastructure protection initiative, close attention should be given to whether these exemptions would sufficiently protect from public disclosure the sensitive business information that might have to be disclosed to a governmental agency.

Exemption 4 of FOIA provides protection for certain business information shared with the federal government. This exemption protects “trade secrets and commercial or financial information obtained from a person [that is] privileged or confidential.” (5 U.S.C. §552(b)(4)). The exemption is meant to encourage persons to voluntarily furnish useful commercial or financial information to the government by safeguarding it from the competitive disadvantage that could result from disclosure. The two-way sharing of information under this exemption has not yet been tested by the other ISACs, but it could be a viable solution until a formal legislative amendment to FOIA passes the Congress.

One strategy that may be effective in reducing or eliminating concerns about the release of sensitive information under FOIA is to enter into a Memorandum of Understanding (MOU) or other similar agreement with the federal agency with whom the information sharing is taking place. The agreement could specify whether information is being submitted under any FOIA exemption and could also govern how the information will be handled and to whom it would be disclosed. MOUs and their applicability are discussed further below.

• The Privacy Act (5 U.S.C. § 552a). The Privacy Act provides that any personal information concerning U.S. citizens and permanent-resident aliens that is maintained in a “system of records” may not be disclosed unless that disclosure is permitted under one of several specific exceptions. One such exemption allows the head of any agency to exempt a “system of records” from disclosure if the principal function of the system includes the enforcement of criminal laws and the records consist of information compiled for the purpose of a criminal investigation.

The crucial legal concern with respect to FOIA and the Privacy Act is whether these exemptions are broad enough to ensure that sensitive business information and informant identities remain confidential vis-a-vis the public and competitors while, at the same time, limited enough to ensure that the appropriate agency or agencies can access information needed to deal with threats to critical infrastructure security.

• Protection of Trade Secrets. A related concern is the potential loss of protection for trade secrets (or other proprietary information). Trade secret protections are an advantage to many companies because they provide for the possibility of perpetual protection, and they can be maintained without the cost involved in patenting (nor do they require the disclosure of invention details to the public). Moreover, a trade secret need not be a significant or important advance but, rather, can be any information, design, device, process, composition, technique, or formula that is not known generally and that affords its owner a competitive business advantage. Because a fundamental requirement associated with trade secret protection is that the thing protected not be known generally, the risk that voluntary disclosure of trade secret information to the government may intentionally be given to or inadvertently end up in the hands of the general public and, consequently, that trade secret protection will be lost, is a major disincentive to voluntary disclosure of this type of information by the private sector.

• Sunshine Laws. Any effort to promote information sharing by state or local governments must take account of the general inconsistency among state “Sunshine Laws” requiring the public disclosure of certain proceedings by public bodies. While states commonly exempt meetings concerning matters of public security from their Sunshine Laws, there is considerable disparity among states’ Sunshine Laws and their application by the courts. In the area of law enforcement, states’ efforts to strike a balance between personal privacy and public access to information have resulted in varying sunshine law exemptions that provide only general guidance for authorities and requesters of information. In addition, some states have modeled their exemptions after the federal FOIA, to varying degrees, while others have relied on their own legislators’ lawmaking ability.

The issues raised above force any industry considering the establishment of an information-sharing program to think seriously about the advantages and disadvantages of giving the government a role in that program. There is no right answer in this case, as the decision depends solely on the industry’s willingness to accept certain tradeoffs, in return for the advantage of having the government’s assistance and input. It seems that for nearly each partnership that remains privately based, there is a similar public-private arrangement that functions just as well. The distinguishing feature of these latter arrangements is that they are based on clear agreements as to the role and function of each player involved. The most significant of those agreements is an MOU with the participating government agency or agencies as to the appropriate use and/or disclosure of the information obtained through participation. As with the membership agreement, it can also absolve private-sector participants from the duty to report information on attacks to the government. An MOU will not be easy to negotiate, but could be key to any arrangement that envisions a public-private partnership for critical infrastructure protection.

Independent Disclosure of Information to the Government

If industry and government cannot come to acceptable terms for information sharing, a company may still choose to report independently to the government on some critical infrastructure vulnerabilities. In contrast to the impediments to disclosure discussed above, one such way to ensure the smooth and trusted exchange of information with the government is through a confidentiality statement or nondisclosure agreement. These agreements are already being used widely in the private sector and by governmental agencies. For example, the U.S. Department of Energy (DOE) has created a Sample Non-disclosure and Confidentiality Agreement. It is intended to serve as a template for addressing terms and conditions that might be involved in establishing a multi-party non-disclosure and confidentiality agreement pursuant to efforts of the DOE’s Infrastructure Assurance Outreach Program and to prevent inappropriate disclosure of proprietary or sensitive business information. It is possible that the use of similar agreements may be an important part of information sharing as part of infrastructure assurance.

The use of confidentiality/non-disclosure guarantees in the context of infrastructure assurance would create a number of potential complications that would have to be resolved before industry participants would be comfortable relying upon them. This includes whether information disclosed to the government could be further disclosed, and whether the disclosing company would be liable for any further disclosures, either intentional or inadvertent.

These issues would need to be addressed prior to the implementation of a model for infrastructure assurance that incorporates the use of such agreements.

EXAMPLES OF INFORMATION SHARING PARTNERSHIPS

The discussion above is not meant to generate doubts as to the feasibility of information-sharing arrangements, for such arrangements do exist and have been quite successful. The following are examples of both public and public-private information sharing partnerships. It is hoped that these examples will be helpful as the energy industry works with the government and with companies within its own industry to design a system for critical infrastructure assurance.

Private-Sector Models

Industry participants have already demonstrated that they can work together to share information in appropriate areas. Two examples are especially illustrative.

• Financial Services Information Sharing and Analysis Center (FS/ISAC). The financial services sector established an ISAC in October 1999 as a limited liability corporation. FS/ISAC members have access to information and analysis relating to information provided by other members, the federal government, law enforcement agencies, and information security associations. Membership is open to U.S. chartered companies in the banking, securities, and insurance industries; however, the federal government is not allowed to access the FS/ISAC database. The FS/ISAC gained recognition when it successfully distributed warnings about the February 2000 denial of service attacks and the Love Bug virus.

• Information Technology Information Sharing and Analysis Center (IT/ISAC). The ISAC for the information technology sector was publicly proposed in January 2001. The IT/ISAC is a not-for-profit corporation and facilitates the reporting and exchange of information concerning electronic incidents, threats, attacks, vulnerabilities, solutions and countermeasures, best security practices and other protective measures. Although the IT/ISAC is currently only composed of its 19 founding technology company members, membership is open, and many major U.S. based technology and telecommunications firms are expected to join. While the federal government was instrumental in assisting in the formation of the IT/ISAC, it will not play an immediate role in the organization.

Public-Private Sector Models

The following collaborative efforts between public- and private-sector entities can serve as models for similar efforts between the petroleum industry and government with respect to the security of the industry’s critical infrastructure.

• Sharing of Information Consistent with the Nuclear Regulatory Commission Regulations. The Nuclear Regulatory Commission permits nuclear power plants to share information with the Commission and with each other about potential safety risks, including possibly dangerous employees. Importantly, the companies that share information are protected from possible liabilities arising out of this information sharing (e.g., the risk of a defamation claim by a former employee).

• International Energy Agency. The International Energy Agency is an organization of 25 member countries created to address oil supply emergencies. The members share energy information and coordinate their energy policies. U.S. petroleum companies participate in information exchanges under a specific exemption from the U.S. antitrust laws. Periodically, Congress reconsiders this exemption.

• National Security Telecommunications Advisory Committee and National Communications System. This is a collaboration between the private National Security Telecommunications Advisory Committee (comprised of the leading U.S. telecommunications companies) and the government’s National Communications System (a confederation of 23 federal government entities). The two groups, charged jointly with ensuring the robustness of the national telecommunications grid, have been working together since 1984 and share information about threats, vulnerabilities, operations, and incidents, which improves the overall security of the telecommunications infrastructure.

• Centers for Disease Control. The federal Centers for Disease Control (CDC) has developed, over time, a system for acquiring medical data relating to areas of public interest for purposes of analysis. Toward this end, the CDC cooperates with state agencies and other responsible individuals, obtaining information as anonymous data in an effort to protect the privacy of individual patients. The CDC’s efforts to eliminate identifiable personal information from its databases are crucial to facilitating information exchange and promoting trust in the system. The petroleum industry should require similar assurances if it is to be asked or required to provide proprietary information to the government in an effort to combat terrorist threats to the industry.

LEGISLATIVE INITIATIVES TO ENCOURAGE INFORMATION SHARING

Several bills introduced in the last session of Congress would have helped to remove or reduce some of industry’s concerns about sharing critical infrastructure information with the government, notably by creating a new exemption from the Freedom of Information Act for information shared for network defense purposes. One such bill was the proposed Cyber Security Information Act (H.R. 4246, 106th Congress, April 12, 2000). This proposed legislation encouraged secure disclosure and protected information exchanges in connection with infrastructure assurance. The bill was designed to exempt cyber security data from the Freedom of Information Act, prevent its disclosure to third parties, and exempt its use “by any Federal or State entity, agency, or authority or by any third party, directly or indirectly, in any civil action arising under any Federal or State law.” The bill also contained an antitrust exemption for exchanges of information to facilitate or “to help correct or avoid the effects of a cyber security problem.” However, the bill contained an exception to the above-noted exemption when applied to conduct that involves or results “in an agreement to boycott any person, to allocate a market, or to fix prices or output.” Whether this exception to the exemption would chill certain legitimate disclosures is an issue that was not considered. The bill would have permitted the President to establish working groups of federal employees to engage outside organizations to share information and facilitate the purposes of the proposed legislation.

If the proposed Cyber Security Information Act had been enacted, it would have served as a model to shield other beneficial exchanges of information that supports infrastructure assurance from potential legal consequences. Similar legislation is expected to be reintroduced in the 107th Congress. These initiatives should be closely monitored by industry participants seeking to establish public-private partnerships for critical infrastructure protection.

FINDINGS AND CONCLUSIONS

• Obtaining a business review letter from the Department of Justice can minimize the risk of antitrust liability for information sharing.

• An ISAC should be structured to ensure that there is no violation of privacy rights.

• Companies should have a good faith basis to disseminate unfavorable information when necessary about a particular product or person that poses a threat to the security of the industry’s critical infrastructures.

• In the formation and operation of an ISAC, most of the potential liability can be minimized through an effective allocation of the risks through several contractual arrangements, such as the ISAC membership agreement, service agreement with ISAC provider, and ISAC membership rules.

• Sharing information with the government may lead to unwanted disclosure of the information to third parties pursuant to the Freedom of Information Act. However, with a properly structured formal memorandum of understanding or other similar agreement it is possible to share information with the government.

• Other information-sharing mechanisms, such as the FS/ISAC, are in operation, and are successfully dealing with the legal and liability issues.

CHAPTER 7

Research and Development Needs

The research and development (R&D) goal in support of critical infrastructure protection should be the development of technologies and processes that will reduce vulnerabilities and counter threats in those areas having the potential for causing significant national security, economic, and/or social impacts. The oil and natural gas industries primarily rely on commercial providers for R&D in information technology, telecommunications, and supervisory control and data acquisition (SCADA) systems. Consequently, the oil and natural gas industries have few core competencies in these areas.

Government-funded R&D should address national security and key critical infrastructure protection issues that transcend the capabilities of individual companies in the oil and natural gas sector. The government should work with industry to focus and prioritize their R&D program and ensure that mechanisms exist to rapidly transfer the results that enhance critical infrastructure protection.

In 1996, the President's Commission on Critical Infrastructure Protection identified several common R&D themes that crosscut all critical infrastructures:

• Protecting infrastructures

• Detecting intrusions

• Mitigating the effects of disruptions

• Facilitating recovery

• Developing analytical or supporting technologies.

The challenge for government is to work with the oil and natural gas industries and the other critical infrastructures to help focus R&D, leverage existing technologies, and enhance critical infrastructure protection. An important ingredient in this cooperative effort will be the technology transfer to industry from government of the pertinent results from the R&D work.

PROPOSED RESEARCH AND DEVELOPMENT NEEDS

The R&D needs proposed in this section arefrom the perspective of the oil and natural gasindustries. They range from specific informationtechnology, telecommunications, and interdepen-dencies to issues related to physical asset pro-tection. The majority of the needs would be ofvalue to other infrastructures as well.

• Information Assurance. As national infrastruc-tures increasingly depend on computers andnetworked information systems to improveefficiency and enhance economic competi-tiveness, they also become more vulnerable topotential cyber attacks. In addition, the basictechnology is changing rapidly, open architec-tures are being pursued, and globalization isintensifying competition. These changes affectboth the individual critical infrastructures andthe national interdependent infrastructures.Significant new investments in R&D arerequired to protect the information technologyand telecommunications infrastructures, andthe information created, stored, processed, andtransmitted on it.

• Interdependencies and Systems Complexity.The energy infrastructures depend strongly oncomputers and computing systems for opera-tions and communication along with all othercritical infrastructures. The energy infrastructures

Research and Development Needs Chapter 7

National Petroleum Council 79

CHAPTER 7

Research and Development Needs

Page 80: NATIONAL PETROLEUM COUNCILchnm.gmu.edu/cipdigitalarchive/files/219_NPC... · Petroleum Council’s (NPC’s) advice “on cooper-ative approaches to protecting the critical infra-structure

also depend on itself (e.g., dependenciesbetween oil and natural gas and electricpower). Advanced methods and tools for vul-nerability assessment and systems analysis areneeded to identify critical nodes within infra-structures, examine interdependencies, andhelp understand the behavior of these complexsystems. Modeling and simulation tools andtest beds for studying infrastructure-relatedproblems are essential for understanding theinterdependent infrastructures.

• Physical Protection Assessment. Research will result in enhancements focused on the protection of physical assets of the oil and natural gas industries, current protection methods, and strategies for future protection.

• Multisensor and Warning Technologies. Central to the protection of any infrastructure is the implementation of an integrated, collaborative system of overlapping cyber technologies designed to warn against intruders at any of the critical facilities and control nodes along that system. The proposed integrated Multisensor and Warning Technologies (MSWT) system would further facilitate analysis of data to provide information that can be used to anticipate attacks and identify perpetrators.

• Protection and Mitigation. Real-time system control, infrastructure hardening, and containment technologies are needed to protect infrastructure systems against threats and mitigate the impacts of disruptions. Advanced survivability, reliability, and assurance enhancement measures need to be explored and developed. Technologies are needed to contain and isolate the impacts of information system disruption so that the complete system or dependent infrastructures are not affected.

• Risk Management. Improved methodologies and tools are needed to identify and manage risks to infrastructures and information. Research areas include developing methodologies for measuring the relative risks and the degree of impact of infrastructure assurance investment strategies; for enhancing the ability of users to perform consequence assessment and risk analysis; for developing effective risk management approaches and strategies; for dealing with uncertainties in, or incomplete knowledge of, threats, vulnerabilities, and protection measures; and for managing risks across the multiple components and organizations involved in the infrastructures. Methods also are needed to more effectively characterize risks and communicate risk information.

• Critical Consequence Analysis. This R&D topic would develop a thorough understanding of the possible consequences of physical and cyber failures, as well as strategies for coping with them.

• SCADA Protection Enhancement. The oil and natural gas industries’ SCADA systems are increasingly being linked with electronic business systems and are therefore becoming more vulnerable to cyber intrusion. This task will assist in developing a viable method to economically enhance the security of SCADA systems.

• Monitoring and Detection. A protection and attack sensing and warning capability is needed to provide early threat warning to government organizations and private-sector infrastructure owners and operators, thereby preventing widespread infrastructure disruptions that have potentially serious consequences on our national security, economy, and quality of life.

• Modeling and Simulation. Modeling and simulation tools and environments (e.g., test beds) need to be developed for studying infrastructure-related problems and dynamic response mechanisms under varying conditions. Such tools allow experimentation that cannot be performed in realistic environments of any appreciable scale. For example, robust infrastructure and nodal analysis techniques and tools need to be developed for modeling large-scale distributed/networked systems and interdependent infrastructures. Such tools would support systems analysis and decision making.

• Decision Support. Decision support methodologies, tools, and information systems are needed to help identify and prioritize critical assets for protection, mitigation, incident management, and recovery; compute return on investment in completing security technologies; and develop overall infrastructure assurance investment strategies. Measurable criteria also need to be established that address national security, economic competitiveness, quality of life, and other important attributes. Such methodologies, tools, and information systems would help determine what infrastructure assets are critical, and thus aid in the priority use of resources in a degraded environment.

• Institutional Barriers. This research topic focuses on institutional issues that are potential impediments to the successful implementation of critical infrastructure protection. Accordingly, it is based more on the disciplines of policy and operations research than on technological disciplines. The result of this research and analysis is a series of plans that recognize and address the potential strategic, policy, and structural constraints facing an initiative that embraces national coordination and alignment to a common set of priorities. The plans may include operating charters in which teams are either involved or proposed.

FINDINGS AND CONCLUSIONS

• The oil and natural gas industries primarily rely on commercial providers for R&D in the areas of information technology, telecommunication, electronic commerce, and SCADA systems and related critical infrastructure protection security.

• Government-funded research is appropriate where the issues transcend individual industries and address national security needs. Availability of the results of such research will aid industry’s efforts in protecting their critical infrastructures. This effort will require cooperation among infrastructure owners and operators along with government and their research organizations.

• The unique challenge for government will be the concomitant technology transfer plan that will accelerate the introduction of infrastructure assurance measures to the oil and natural gas industries and other key infrastructures in the private sector.


APPENDICES

Appendix A
Request Letters and Description of the National Petroleum Council

Appendix B
Study Group Rosters


Description of the National Petroleum Council

In May 1946, the President stated in a letter to the Secretary of the Interior that he had been impressed by the contribution made through government/industry cooperation to the success of the World War II petroleum program. He felt that it would be beneficial if this close relationship were to be continued and suggested that the Secretary of the Interior establish an industry organization to advise the Secretary on oil and natural gas matters.

Pursuant to this request, Interior Secretary J. A. Krug established the National Petroleum Council (NPC) on June 18, 1946. In October 1977, the Department of Energy was established and the Council was transferred to the new department.

The purpose of the NPC is solely to advise, inform, and make recommendations to the Secretary of Energy on any matter, requested by the Secretary, relating to oil and natural gas or the oil and gas industries. Matters that the Secretary of Energy would like to have considered by the Council are submitted in the form of a letter outlining the nature and scope of the study. The Council reserves the right to decide whether it will consider any matter referred to it.

Examples of studies undertaken by the NPC at the request of the Secretary of Energy include:

• Factors Affecting U.S. Oil & Gas Outlook (1987)

• Integrating R&D Efforts (1988)

• Petroleum Storage & Transportation (1989)

• Industry Assistance to Government – Methods for Providing Petroleum Industry Expertise During Emergencies (1991)

• Short-Term Petroleum Outlook – An Examination of Issues and Projections (1991)

• Petroleum Refining in the 1990s – Meeting the Challenges of the Clean Air Act (1991)

• The Potential for Natural Gas in the United States (1992)

• U.S. Petroleum Refining – Meeting Requirements for Cleaner Fuels and Refineries (1993)

• The Oil Pollution Act of 1990: Issues and Solutions (1994)

• Marginal Wells (1994)

• Research, Development, and Demonstration Needs of the Oil and Gas Industry (1995)

• Future Issues – A View of U.S. Oil & Natural Gas to 2020 (1995)

• Issues for Interagency Consideration – A Supplement to the NPC’s Report: Future Issues – A View of U.S. Oil & Natural Gas to 2020 (1996)

• U.S. Petroleum Product Supply – Inventory Dynamics (1998)

• Meeting the Challenges of the Nation’s Growing Natural Gas Demand (1999)

• U.S. Petroleum Refining – Assuring the Adequacy and Affordability of Cleaner Fuels (2000).

The NPC does not concern itself with trade practices, nor does it engage in any of the usual trade association activities. The Council is subject to the provisions of the Federal Advisory Committee Act of 1972.

Members of the National Petroleum Council are appointed by the Secretary of Energy and represent all segments of the oil and gas industries and related interests. The NPC is headed by a Chair and a Vice Chair, who are elected by the Council. The Council is supported entirely by voluntary contributions from its members.


NATIONAL PETROLEUM COUNCIL

MEMBERSHIP

2000/2001

Jacob Adams, President, Arctic Slope Regional Corporation

Robert O. Agbede, President and Chief Executive Officer, Advanced Technology Systems, Inc.

George A. Alcorn, President, Alcorn Exploration, Inc.

Benjamin B. Alexander, President, Dasco Energy Corporation

Conrad K. Allen, Vice President, National Association of Black Geologists and Geophysicists

Robert J. Allison, Jr., Chairman and Chief Executive Officer, Anadarko Petroleum Corporation

Robert O. Anderson, Roswell, New Mexico

Philip F. Anschutz, President, The Anschutz Corporation

Gregory L. Armstrong, Chairman and Chief Executive Officer, Plains All American

Robert G. Armstrong, President, Armstrong Energy Corporation

O. Truman Arnold, Chairman of the Board and Chief Executive Officer, Truman Arnold Companies

Ralph E. Bailey, Chairman and Chief Executive Officer, Xpronet Inc.

D. Euan Baird, Chairman, President and Chief Executive Officer, Schlumberger Limited

William W. Ballard, President, Ballard Petroleum, L.L.C.

William J. Barrett, Chairman and Chief Executive Officer, Barrett Resources Corporation

Gonzalo Barrientos, State Senator, The Senate of The State of Texas

Michael L. Beatty, Michael L. Beatty & Associates

Riley P. Bechtel, Chairman and Chief Executive Officer, Bechtel Group, Inc.

David W. Biegler, President and Chief Operating Officer, TXU

Peter I. Bijur, Retired Chairman of the Board, Texaco Inc.

Page 88: NATIONAL PETROLEUM COUNCILchnm.gmu.edu/cipdigitalarchive/files/219_NPC... · Petroleum Council’s (NPC’s) advice “on cooper-ative approaches to protecting the critical infra-structure

M. Frank BishopExecutive DirectorNational Association of State Energy Officials

Carl E. Bolch, Jr.Chairman and Chief Executive OfficerRacetrac Petroleum, Inc.

John F. BookoutHouston, Texas

Charles T. BryanPresident and Chief Executive OfficerDeGolyer and MacNaughton Inc.

Carl BurhananPresidentOasis Aviation, Inc.

Victor A. BurkManaging PartnerGlobal Energy & UtilitiesArthur Andersen, L.L.P.

Frank M. Burke, Jr.Chairman and Chief Executive OfficerBurke, Mayborn Company, Ltd.

Charles William BurtonPartnerJones, Day, Reavis & Pogue

Karl R. ButlerPresident and Chief Executive OfficerICC Energy Corporation

George Campbell, Jr.PresidentThe Cooper Union for the Advancement of Science and Art

Philip J. CarrollChairman and Chief Executive OfficerFluor Corporation

R. D. CashChairman and Chief Executive OfficerQuestar Corporation

Robert B. CatellChairman and Chief Executive OfficerKeySpan

Clarence P. Cazalot, Jr.PresidentMarathon Oil Company

Paul W. ChellgrenChairman of the Board and Chief Exceutive OfficerAshland Inc.

Danny H. ConklinPartnerPhilcon Development Co.

Luke R. CorbettChairman and Chief Executive OfficerKerr-McGee Corporation

Michael B. CoulsonPresidentCoulson Oil Co.

Gregory L. CraigPresidentCook Inlet Energy Supply

Hector J. CuellarManaging DirectorArea/Industries ManagerBank of America

William A. CustardPresident and Chief Executive OfficerDallas Production, Inc.

Robert DarbelnetPresident and Chief Executive OfficerAAA

George A. Davidson, Jr.Retired ChairmanDominion Resources, Inc.


Claiborne P. Deming, President and Chief Executive Officer, Murphy Oil Corporation

Cortlandt S. Dietler, President and Chief Executive Officer, TransMontaigne Oil Company

David F. Dorn, Chairman Emeritus, Forest Oil Corporation

John G. Drosdick, Chairman, President and Chief Executive Officer, Sunoco, Inc.

Archie W. Dunham, Chairman, President and Chief Executive Officer, Conoco Inc.

W. Byron Dunn, President and Chief Executive Officer, Lone Star Steel Company

Daniel C. Eckermann, President and Chief Executive Officer, LeTourneau, Inc.

James W. Emison, Chairman and Chief Executive Officer, Western Petroleum Company

Ronald A. Erickson, Chief Executive Officer, Holiday Companies

Sheldon R. Erikson, Chairman of the Board, President and Chief Executive Officer, Cooper Cameron Corporation

John G. Farbes, President, Big Lake Corporation

Thomas L. Fisher, Chairman, President and Chief Executive Officer, Nicor Inc.

William L. Fisher, Leonidas T. Barrow Chair in Mineral Resources, Department of Geological Sciences, University of Texas at Austin

James C. Flores, Chairman, President and Chief Executive Officer, Sable Minerals, Inc.

Douglas L. Foshee, Houston, Texas

Joe B. Foster, Non-executive Chairman, Newfield Exploration Company

Robert W. Fri, Director, The National Museum of Natural History, Smithsonian Institution

J. E. Gallegos, Attorney, Energy & Environmental Law, Gallegos Law Firm

Jean Gaulin, Chairman, President and Chief Executive Officer, Ultramar Diamond Shamrock Corp.

Murry S. Gerber, President and Chief Executive Officer, Equitable Resources

James A. Gibbs, President, Five States Energy Company

Rufus D. Gladney, Chairman, American Association of Blacks in Energy

Alfred R. Glancy III, Retired Chairman of the Board, MCN Energy Group Inc.


Bruce C. Gottwald, Chairman of the Board, Ethyl Corporation

S. Diane Graham, Chairman and Chief Executive Officer, STRATCO, Inc.

Frederic C. Hamilton, Chairman, The Hamilton Companies

Christine Hansen, Executive Director, Interstate Oil and Gas Compact Commission

Michael F. Harness, President, Osyka Corporation

Angela E. Harrison, Chairman and Chief Executive Officer, WELSCO, Inc.

Timothy C. Headington, President/Owner, Headington Oil Company

John B. Hess, Chairman of the Board and Chief Executive Officer, Amerada Hess Corporation

Jack D. Hightower, Chairman of the Board, President and Chief Executive Officer, Pure Resources, Inc.

Jerry V. Hoffman, Chairman, President and Chief Executive Officer, Berry Petroleum Company

R. Earl Holding, President and Chief Executive Officer, Sinclair Oil Corporation

Roy M. Huffington, Chairman of the Board and Chief Executive Officer, Roy M. Huffington, Inc.

Ray L. Hunt, Chairman of the Board, Hunt Oil Company

James M. Hutchison, President, HUTCO Inc.

Frank J. Iarossi, Chairman and Chief Executive Officer, American Bureau of Shipping & Affiliated Companies

Eugene M. Isenberg, Chairman and Chief Executive Officer, Nabors Industries, Inc.

A. V. Jones, Jr., Chairman, Van Operating, Ltd.

Jon Rex Jones, Chairman, EnerVest Management Company, L. C.

Jerry D. Jordan, President, Jordan Energy Inc.

Fred C. Julander, President, Julander Energy Company

Robert Kelley, Retired Chairman of the Board, Noble Affiliates, Incorporated

Bernard J. Kennedy, Chairman and Chief Executive Officer, National Fuel Gas Company

Richard D. Kinder, Chairman and Chief Executive Officer, Kinder Morgan Energy Partners, L.P.


Harold M. Korell, President and Chief Executive Officer, Southwestern Energy Company

Fred Krupp, Executive Director, Environmental Defense Fund

Susan M. Landon, Petroleum Geologist

Kenneth L. Lay, Chairman of the Board, Enron Corp.

Stephen D. Layton, President, E&B Natural Resources

Virginia B. Lazenby, Chairman and Chief Executive Officer, Bretagne G.P.

Lila Leathers, President and Chief Executive Officer, Leathers Oil Co.

David L. Lemmon, President and Chief Executive Officer, Colonial Pipeline Company

David J. Lesar, Chairman of the Board, President and Chief Executive Officer, Halliburton Company

John H. Lichtblau, Chairman and Chief Executive Officer, Petroleum Industry Research Foundation, Inc.

Daniel H. Lopez, President, New Mexico Institute of Mining and Technology

Thomas E. Love, Chairman and Chief Executive Officer, Love’s Country Stores, Inc.

William D. McCabe, Director of Energy Resources & Supply, Council of Energy Resource Tribes

Ferrell P. McClean, Managing Director, J. P. Morgan Securities Inc.

S. Todd Maclin, Managing Director and Global Oil & Gas Group Executive, J. P. Morgan Securities Inc.

Cary M. Maguire, President, Maguire Oil Company

Robert A. Malone, Regional President for the Western United States, BP p.l.c.

Timothy M. Marquez, President and Chief Executive Officer, Venoco, Inc.

Frederick R. Mayer, Chairman, Captiva Resources, Inc.

F. H. Merelli, Chairman and Chief Executive Officer, Key Production Company, Inc.

C. John Miller, Chief Executive Officer, Miller Energy, Inc.

Steven L. Miller, Chairman, President and Chief Executive Officer, Shell Oil Company

Claudie D. Minor, Jr., President and Chief Executive Officer, Premier Energy Supply Corp.

George P. Mitchell, Chairman of the Board and Chief Executive Officer, Mitchell Energy and Development Corp.


Mark E. Monroe, President and Chief Executive Officer, Louis Dreyfus Natural Gas

Herman Morris, Jr., President and Chief Executive Officer, Memphis Light, Gas & Water Division

James J. Mulva, Chairman of the Board and Chief Executive Officer, Phillips Petroleum Company

John Thomas Munro, President, Munro Petroleum & Terminal Corporation

Mark B. Murphy, President, Strata Production Company

Gary L. Neale, Chairman, President and Chief Executive Officer, NiSource Inc.

J. Larry Nichols, Chairman of the Board, President and Chief Executive Officer, Devon Energy Corporation

René O. Oliveira, State Representative, The House of Representatives of The State of Texas

David J. O'Reilly, Chairman of the Board and Chief Executive Officer, Chevron Corporation

C. R. Palmer, Chairman of the Board, President and Chief Executive Officer, Rowan Companies, Inc.

Mark G. Papa, Chairman and Chief Executive Officer, EOG Resources, Inc.

Paul H. Parker, Vice President, Center for Resource Management

Robert L. Parker, Sr., Chairman of the Board, Parker Drilling Company

Emil Peña, President and Chief Executive Officer, Generation Power Inc.

L. Frank Pitts, Owner, Pitts Energy Group

Richard B. Priory, Chairman and Chief Executive Officer, Duke Energy Corporation

Caroline Quinn, President, Farrar Oil Company

Daniel Rappaport, Former Chairman of the Board, New York Mercantile Exchange

Edward B. Rasmuson, Chairman of the Board and Chief Executive Officer, National Bank of Alaska

Lee R. Raymond, Chairman, President and Chief Executive Officer, Exxon Mobil Corporation

John G. Rice, President and Chief Executive Officer, GE Power Systems

Corbin J. Robertson, Jr., President, Quintana Minerals Corporation

Robert E. Rose, Chairman, President and Chief Executive Officer, Global Marine Inc.


Henry A. Rosenberg, Jr., Chairman of the Board, Crown Central Petroleum Corporation

A. R. Sanchez, Jr., Chairman of the Board and Chief Executive Officer, Sanchez-O'Brien Oil and Gas Corporation

Robert Santistevan, Director, Southern Ute Indian Tribe Growth Fund

S. Scott Sewell, President, Delta Energy Management, Inc.

Bobby S. Shackouls, Chairman, President and Chief Executive Officer, Burlington Resources Inc.

Donald M. Simmons, Muskogee, Oklahoma

Matthew R. Simmons, President, Simmons and Company International

Arlie M. Skov, President, Arlie M. Skov, Inc.

Arthur L. Smith, Chairman, John S. Herold, Inc.

Bruce A. Smith, Chairman, President and Chief Executive Officer, Tesoro Petroleum Corporation

Joel V. Staff, Chairman and Chief Executive Officer, National-Oilwell, Inc.

Charles C. Stephenson, Jr., Chairman of the Board, Vintage Petroleum, Inc.

James H. Stone, Chairman of the Board, Stone Energy Corporation

Carroll W. Suggs, Chairman of the Board, President and Chief Executive Officer, Petroleum Helicopters, Inc.

Patrick F. Taylor, Chairman and Chief Executive Officer, Taylor Energy Company

Richard E. Terry, Chairman and Chief Executive Officer, Peoples Energy Corporation

Gerald Torres, Associate Dean for Academic Affairs, University of Texas School of Law, and Vice Provost, University of Texas at Austin

H. A. True, III, Partner, True Oil Company

Randy E. Velarde, President, The Plaza Group

Thurman Velarde, Administrator, Oil and Gas Administration, Jicarilla Apache Tribe

Philip K. Verleger, Jr., PKVerleger, L.L.C.

Joseph C. Walter, III, President, Walter Oil & Gas Corporation

L. O. Ward, Owner-President, Ward Petroleum Corporation

C. L. Watson, Chairman of the Board and Chief Executive Officer, Dynegy Inc.

Michael E. Wiley, Chairman, President and Chief Executive Officer, Baker Hughes Incorporated


Bruce W. Wilkinson, Chairman of the Board and Chief Executive Officer, McDermott International, Inc.

Mary Jane Wilson, President and Chief Executive Officer, WZI Inc.

Irene S. Wischer, President and Chief Executive Officer, Panhandle Producing Company

Brion G. Wise, Chairman and Chief Executive Officer, Western Gas Resources, Inc.

William A. Wise, Chairman, President and Chief Executive Officer, El Paso Corporation

George M. Yates, President and Chief Executive Officer, Harvey E. Yates Company

John A. Yates, President, Yates Petroleum Corporation

Daniel H. Yergin, President, Cambridge Energy Research Associates

Henry Zarrow, Vice Chairman, Sooner Pipe & Supply Corporation


COMMITTEE ON CRITICAL INFRASTRUCTURE PROTECTION

CHAIR

David J. Lesar, Chairman of the Board, President and Chief Executive Officer, Halliburton Company

EX OFFICIO

Archie W. Dunham, Chair, National Petroleum Council

ACTING GOVERNMENT COCHAIR*

Paula L. Scalingi, Director, Office of Critical Infrastructure Protection, U.S. Department of Energy

EX OFFICIO

William A. Wise, Vice Chair, National Petroleum Council

SECRETARY

Marshall W. Nichols, Executive Director, National Petroleum Council

* Eugene E. Habiger, Director, Office of Security and Emergency Operations, served until January 2001.

* * *

Riley P. Bechtel, Chairman and Chief Executive Officer, Bechtel Group, Inc.

David W. Biegler, President and Chief Operating Officer, TXU

Peter I. Bijur, Retired Chairman of the Board, Texaco Inc.

M. Frank Bishop, Executive Director, National Association of State Energy Officials

Philip J. Carroll, Chairman and Chief Executive Officer, Fluor Corporation

R. D. Cash, Chairman and Chief Executive Officer, Questar Corporation

Robert B. Catell, Chairman and Chief Executive Officer, KeySpan

Hector J. Cuellar, Managing Director, Area/Industries Manager, Bank of America

Ronald A. Erickson, Chief Executive Officer, Holiday Companies

Ray L. Hunt, Chairman of the Board, Hunt Oil Company

Kenneth L. Lay, Chairman of the Board, Enron Corp.


David L. Lemmon, President and Chief Executive Officer, Colonial Pipeline Company

John H. Lichtblau, Chairman and Chief Executive Officer, Petroleum Industry Research Foundation, Inc.

Steven L. Miller, Chairman, President and Chief Executive Officer, Shell Oil Company

James J. Mulva, President and Chief Executive Officer, Phillips Petroleum Company

Richard B. Priory, Chairman and Chief Executive Officer, Duke Energy Corporation

Daniel Rappaport, Former Chairman of the Board, New York Mercantile Exchange

Lee R. Raymond, Chairman, President and Chief Executive Officer, Exxon Mobil Corporation

Richard E. Terry, Chairman and Chief Executive Officer, Peoples Energy Corporation

Gerald Torres, Associate Dean for Academic Affairs, University of Texas School of Law, and Vice Provost, University of Texas at Austin

C. L. Watson, Chairman of the Board and Chief Executive Officer, Dynegy Inc.

Daniel H. Yergin, President, Cambridge Energy Research Associates


COORDINATING SUBCOMMITTEE OF THE NPC COMMITTEE ON CRITICAL INFRASTRUCTURE PROTECTION

CHAIR

Charles E. Dominy, Vice President, Government Affairs, Halliburton Company

ASSISTANT TO THE CHAIR

Forrest L. Carpenter III, Cyber Security Consultant, Global Information Services, Texaco Inc.

GOVERNMENT COCHAIR

Paula L. Scalingi, Director, Office of Critical Infrastructure Protection, U.S. Department of Energy

SECRETARY

Marshall W. Nichols, Executive Director, National Petroleum Council

* * *

Raymond W. Bergeron, Manager, Corporate Security, Shell Oil Company

M. Frank Bishop, Executive Director, National Association of State Energy Officials

Thomas D. Carmel, Corporate Counsel, Conoco Inc.

Donald M. Field, Executive Vice President, Peoples Energy Corporation

Bobby R. Gillham, Manager, Global Security, Conoco Inc.

Lawrence J. Goldstein, President, Petroleum Industry Research Foundation, Inc.

Michael C. Hicks, Manager, Corporate Security, Enron Corp.

Thomas R. Holland, Jr., Manager, Corporate Security – Worldwide, Phillips Petroleum Company

Kevin J. Lindemer, Senior Director, Refined Products and Global Downstream, Cambridge Energy Research Associates

David J. Manning, Senior Vice President, Corporate Affairs, KeySpan Energy


James R. Metzger, Vice President and Chief Technology Officer, Texaco Inc.

Rolando D. Moss, Senior Director, Corporate Security, Dynegy Inc.

A. R. Mullinax, Senior Vice President, Global Sourcing and Logistics, Duke Energy Corporation

Catherine A. Travis, Director, Information Security, Questar Corp.

Vic A. Yarborough, Vice President Technology, Colonial Pipeline Company

SPECIAL ASSISTANTS

W. R. Finger, President, ProxPro, Inc.

Ronald E. Fisher, Deputy Director, Infrastructure Assurance Center, Argonne National Laboratory

Joseph S. Gurga, Manager, Program Office, Information Technology Services, Peoples Energy Corporation

John H. Guy, IV, Deputy Executive Director, National Petroleum Council

John R. Johnson, Principal Advisor, Shell Services International

Stuart L. Schertz, Manager, Security Services, Shell Oil Company

Curtis R. Smith, Manager, Information Security, Conoco Inc.

Richard D. Vance, Strategic Business Consultant, Duke Energy Corporation

Peter van de Gohm, Director, Information Assets Protection, Enron Energy Services

Acronyms and Abbreviations

B2B business to business

CCPS American Institute of Chemical Engineers’ Center for Chemical Process Safety

CIAO Critical Infrastructure Assurance Office

CIP critical infrastructure protection

CIRP Cyber Incident Response Plan

CDC Centers for Disease Control

DOE U.S. Department of Energy

DOJ U.S. Department of Justice

DOT U.S. Department of Transportation

e electronic

EEI Edison Electric Institute

EIA Energy Information Administration

EPA Environmental Protection Agency

EPRI Electric Power Research Institute

EU European Union

FBI U.S. Federal Bureau of Investigation

FEMA Federal Emergency Management Agency

FERC Federal Energy Regulatory Commission

FOIA Freedom of Information Act

FS/ISAC Financial Services Information Sharing and Analysis Center

GRI Gas Research Institute

G8 Group of Eight industrialized economies: Britain, France, Germany, Japan, United States, Italy, Canada, and Russia

IEA International Energy Agency

IEC International Electrotechnical Commission

ISAC Information Sharing and Analysis Center

ISO International Organization for Standardization

IT information technology

IT/ISAC Information Technology Information Sharing and Analysis Center

ITAA Information Technology Association of America

LLC Limited Liability Company

LNG liquefied natural gas

LPG liquefied petroleum gas

MEMS Mutual Emergency Materials Support

MOU Memorandum of Understanding

MSWT Multisensor and Warning Technologies

NAFTA North American Free Trade Agreement

NASA National Aeronautics and Space Administration

NCC National Coordinating Center for Telecommunications

NERC North American Electric Reliability Council

NIPC National Infrastructure Protection Center

NPC National Petroleum Council

NTSB National Transportation Safety Board

OCA offsite consequence analysis

OPS Office of Pipeline Safety

PDA Personal Digital Assistant

R&D research and development

RMP risk management plans

SCADA supervisory control and data acquisition

SPR U.S. Strategic Petroleum Reserve

Y2K Year 2000


National Petroleum Council
1625 K Street, NW
Suite 600
Washington, DC 20006