
Transcript

JPT (Jun 2004): IT Security for Oil and Gas Companies

Richard Cole, Enterprise Consulting Services (ECS), and Bret Thomas, Enterprise Infrastructure Solutions (EIS)

Richard Cole is Chief Operating Officer for Enterprise Consulting Services (ECS), a Houston-based technology firm that specializes in global network security through professional services deployment and remote systems. Bret Thomas is CEO of Enterprise Infrastructure Solutions (EIS), a Houston-based firm specializing in global network security consulting for numerous Fortune 500 companies.

Since information technology (IT) infrastructure is now integral to a company's entire operations, threats to network security are not just "an IT issue" anymore but one for management as well. One of the key threats facing oil and gas companies today is the ability of anyone to download sophisticated software programs off the Internet. Advanced software programs can be downloaded from numerous software vendors and hacker sites that allow anyone to have complete, real-time access to a company's network system, either internally through the Internet or through the company's remote-access systems. With these tools loaded locally, a hacker can discover a company's complete IT topology, including all of its network devices, without anybody at the company ever knowing it. This occurs if there is no adequate network visibility to see what is occurring within the system.

Today's buzz phrase is "remote agents." Although these agents serve a useful purpose in network system management by allowing remote management of a company's entire infrastructure to keep it optimized, they also can be used against a company's network. That's because once installed, they can provide a remote control of the system to hackers who successfully breach security and, once successful, can then take over the company's network. In addition, a hacker can make a backup of confidential information without affecting any part of the active network and can retrieve data at any time. This can happen because there are no industry standards to protect these databases and the company's confidential information.

Insiders Are the Largest Threat

The bad news for company management is that most hackers are not attacking from the outside but are company employees, contractors, one-time solution providers, or even sales associates from large software or hardware vendors. The common issue with the oil and gas industry is that, historically, it has not kept pace in guarding against increased hacker access or in the sophisticated levels of remote-access software. Traditionally, companies have hired network system administrators to be responsible for securing information resources but have provided them with limited, if any, technological security tools or network visibility tools.

Network vulnerabilities should be considered of red-level importance for oil and gas companies that have operations in some of the world's most politically volatile regions where it is difficult to definitively know who is actually associated with whom. Many people who appear "safe" (including those having successfully passed background checks) have access to computers within the company's infrastructure and can gain unauthorized access to critical information. If data logs exist that document these activities, it is an extremely time-consuming task to review and analyze the logs to determine if an event actually occurred and, if so, to what extent.

Sidebar: An IT security breach? How serious could that be?

IT security vulnerabilities strike right at the core of oil and gas operations. For example:

  • At a large Houston-based E&P company, a vendor's software package (being used legitimately at the company) fell into the hands of a contractor. After gaining unauthorized access to several network systems, the contractor "mirrored" the information, showing a company's real-time transactions, onto a storage device. Mirroring the port caused a significant drain on bandwidth, slowing the capabilities of the primary system to the point that the company had difficulty with daily operations.
  • Another oil and gas company belatedly noticed that several thousand barrels of oil were missing. Consequently, its accounting department spent a substantial amount of time poring over financial information in an attempt to uncover the problem, which actually involved computer manipulation of the company's network system. As a result, it had to replace the missing barrels and incur the resulting revenue loss.

Five-Part Solution

Given the threats to IT network security within the oil and gas industry, what can management proactively do? Initially, it must gain an understanding of the basics of security threats and solutions by working in conjunction with the company's IT department. Then, it must develop a comprehensive security program and implement it. Essentially, it's a five-part solution beginning with the most important: infrastructure visibility.

That visibility should allow continuous monitoring of the company's IT networks infrastructure including switches, routers, and network hardware configurations. It includes monitoring actual cabling and connectivity, transport mechanisms (fiber, copper, or wireless), and the protocols that are used to communicate.

The second part of the solution involves monitoring the company's information transport, data, and application systems and, additionally, the servers and desktops they run on. The most widely accepted approach is the broadest one: monitoring the application structure by employing a full-featured product that monitors all computer and business applications in real time. These are the most important, critical, and vulnerable because this is where a company's data are stored.

The third part of the solution focuses on security-analysis software. The company's security-application group needs to be able to identify and defend in real time unauthorized access through firewalls or unauthorized access to applications and databases.

The fourth part enables companies to stop any unauthorized processes in real time. This is typically accomplished with an application suite specifically designed for protecting resources from unauthorized use. Different from security-analysis software, security management suites allow a company to prevent unauthorized processes from even starting. Additionally, it provides a traceable and accountable transaction log from beginning to end of the unauthorized process.

The most sophisticated is the fifth part of the solution: the custom-configuration component. This enables the four solution applications to interoperate and deliver a single-user interface that identifies the health of the company's data and communications infrastructure.

By properly establishing policies, procedures, and operational models, companies that have the best visibility throughout the infrastructure can determine their security needs on the basis of specified applications and data. The more sensitive data can be determined "high-level security." This allows companies to adjust their security posture in real time, thus enabling them to operate the network at the highest efficiency and productivity levels with maximum security without hindering corporate profitability.

The Outlook

The IT security future for the oil and gas industry appears considerably brighter than in recent years, with the industry largely adopting standards that previously had not been followed. The industry is becoming more sophisticated in using advanced application suites and methodologies that aid in implementing the solutions outlined. In addition, a growing number of professionals within the oil and gas industry are implementing advanced-support mechanisms that address both infrastructure security and infrastructure productivity.

The bad news is that hackers have ready access to an increasingly wide array of tools and are becoming more sophisticated in their ability to gain access to network systems. To combat this, second-generation applications go well beyond even those used in the late 1990s. These applications are more robust, more intelligent, more user-friendly, and much more manageable. Most of the first-generation applications required months and thousands of man-hours to deploy, while today's applications can be deployed in weeks, and some within days. In addition, these second-generation tools operate on united platforms, which means their operation considers all layers of the network, and they are critical for the convergence of various technologies.

The tools to deploy against IT security threats and vulnerabilities are better than ever but are useless if company management is not proactive in taking initiatives to implement these tools.

http://www.spe.org/spe/jpt/jsp/jptmonthlysection/0,2440,1104_1585_0_2505730,00.html 6/1/2004