1. JPT (Jun 2004): IT Security for Oil and Gas Companies Page 1 of 3
June 2004
IT Security for Oil and Gas Companies
Richard Cole, Enterprise Consulting Services (ECS), and Bret Thomas, Enterprise
Management Infrastructure Solutions (EIS)
Richard Cole is Chief Operating Officer for Enterprise Consulting Services (ECS),
a Houston-based technology firm that specializes in global network security through
professional services deployment and remote systems. Bret Thomas is CEO of
Enterprise Infrastructure Solutions (EIS), a Houston-based firm specializing in global
network security consulting for numerous Fortune 500 companies.
Since information technology (IT) infrastructure is now integral to a company's entire
operations, threats to network security are not just "an IT issue" anymore but one for
management as well. One of the key threats facing oil and gas companies today is the
ability of anyone to download sophisticated software programs off the Internet.
Advanced software programs can be downloaded from numerous software vendors
and hacker sites that allow anyone to have complete, real-time access to a company's
network system, either internally through the Internet or through the company's
remote-access systems. With these tools loaded locally, a hacker can discover a
company's complete IT topology, including all of its network devices, without anybody
at the company ever knowing it. This occurs if there is no adequate network visibility to
see what is occurring within the system.
Today's buzz phrase is "remote agents." Although these agents serve a useful
purpose in network system management by allowing remote management of a
company's entire infrastructure to keep it optimized, they also can be used against a
company's network. That's because once installed, they can provide a remote control
of the system to hackers who successfully breach security and, once successful, can
then take over the company's network. In addition, a hacker can make a backup of
confidential information without affecting any part of the active network and can
retrieve data at any time. This can happen because there are no industry standards to
protect these databases and the company's confidential information.
Insiders Are the Largest Threat
The bad news for company management is that most hackers are not attacking from
the outside but are company employees, contractors, one-time solution providers, or
even sales associates from large software or hardware vendors. The common issue
with the oil and gas industry is that, historically, it has not kept pace in guarding
against increased hacker access or in the sophisticated levels of remote-access
software. Traditionally, companies have hired network system administrators to be
responsible for securing information resources but have provided them with limited, if
any, technological security tools or network visibility tools.
Network vulnerabilities should be considered of red-level importance for oil and gas
companies that have operations in some of the world's most politically volatile regions
where it is difficult to definitively know who is actually associated with whom. Many
people who appear "safe" (including those having successfully passed background
checks) have access to computers within the company's infrastructure and can gain
unauthorized access to critical information. If data logs exist that document these
activities, it is an extremely time-consuming task to review and analyze the logs to
determine if an event actually occurred and, if so, to what extent.
An IT security breach? How serious could that be?
IT security vulnerabilities strike right at the core of oil and gas operations. For
example:
At a large Houston-based E&P company, a vendor's software package (being used
legitimately at the company) fell into the hands of a contractor. After gaining
unauthorized access to several network systems, the contractor "mirrored" the
network's information, showing real-time transactions, onto a storage device.
Mirroring the port caused a significant drain on bandwidth, slowing the capabilities
of the primary system to the point that the company had difficulty with daily
operations.
Another oil and gas company belatedly noticed that several thousand barrels of oil
were missing. Consequently, its accounting department spent a substantial amount of
time poring over financial information in an attempt to uncover the problem, which
actually involved manipulation of the company's network system.
As a result, it had to replace the missing barrels and incur the resulting revenue
loss.

Five-Part Solution
Given the threats to IT network security within the oil and gas industry, what can
management proactively do? Initially, it must gain an understanding of the basics
of security threats and solutions by working in conjunction with the company's
IT department. Then, it must develop a comprehensive security program and
implement it. Essentially, it's a five-part solution beginning with the most important:
infrastructure visibility.
That visibility should allow continuous monitoring of the company's IT
infrastructure including a company's switches, routers, and network hardware
configurations. It includes monitoring actual cabling and connectivity, transport
mechanisms (fiber, copper, or wireless), and the protocols that are used to
communicate.
The second part of the solution involves monitoring the company's information
transport, data, and application systems and, additionally, the servers and desktops
they run on. The most widely accepted approach is the broadest one: monitoring
the application structure by employing a full-featured product that monitors all
computer and business applications in real time. These are the most important,
critical, and vulnerable because this is where a company's data are stored.
The third part of the solution focuses on
security-analysis software. The company's
security-application group needs to be able to identify, and defend against in real time,
unauthorized access through firewalls or unauthorized access to applications and
databases.
The fourth part enables companies to stop any unauthorized processes in real time.
This is typically accomplished with an application suite specifically designed for
protecting resources from unauthorized use. Unlike security-analysis software,
security management suites allow a company to prevent unauthorized processes from
even starting. Additionally, they provide a traceable and accountable transaction log
from beginning to end of the unauthorized process.
The most sophisticated is the fifth part of the solution: the custom-configuration
component. This enables the four solution applications to interoperate and deliver a
single-user interface that identifies the health of the company's data and
communications infrastructure.
By properly establishing policies, procedures, and operational models, companies that
have the best visibility throughout the infrastructure can determine their security needs
on the basis of specified applications and data. The more sensitive data can be
designated "high-level security." This allows companies to adjust their security posture
in real time, thus enabling them to operate the network at the highest efficiency and
productivity levels with maximum security without hindering corporate profitability.
The Outlook
The IT security future for the oil and gas industry appears considerably brighter than in
recent years, with the industry largely adopting standards that previously had not been
followed. The industry is becoming more sophisticated in using advanced application
suites and methodologies that aid in implementing the solutions outlined. In addition, a
growing number of professionals within the oil and gas industry are implementing
advanced-support mechanisms that address both infrastructure security and
infrastructure productivity.
The bad news is that hackers have ready access to an increasingly wide array of tools
and are becoming more sophisticated in their ability to gain access to network
systems. To combat this, second-generation applications go well beyond even those
used in the late 1990s. These applications are more robust, more intelligent, more
user-friendly, and much more manageable. Most of the first-generation applications
required months and thousands of man-hours to deploy, while today's applications can
be deployed in weeks, and some within days.
In addition, these second-generation tools operate on united platforms, which means
their operation considers all layers of the network, and they are critical for the
convergence of various technologies. The tools to deploy against IT security threats
and vulnerabilities are better than ever but are useless if company management is not
proactive in taking initiatives to implement these tools.
http://www.spe.org/spe/jpt/jsp/jptmonthlysection/0,2440,1104_1585_0_2505730,00.html 6/1/2004