SlideShare a Scribd company logo
JPT (Jun 2004): IT Security for Oil and Gas Companies                                                Page 1 of 3




                                                                                            June 2004


 Special
 Features           IT Security for Oil and Gas Companies
                    Richard Cole, Enterprise Consulting Services (ECS), and Bret Thomas, Enterprise
 Management         Infrastructure Solutions (EIS)

 Distinguished
 Author Series      Richard Cole is Chief Operating Officer for Enterprise Consulting Services (ECS),
                    a Houston-based technology firm that specializes in global network security through
 Departments        professional services deployment and remote systems. Bret Thomas is CEO of
                    Enterprise Infrastructure Solutions (EIS), a Houston-based firm specializing in global
 Deepwater          network security consulting for numerous Fortune 500 companies.
 E&P
                    Since information technology (IT) infrastructure is now integral to a company's entire
 Coiled             operations, threats to network security are not just "an IT issue" anymore but one for
 Tubing             management as well. One of the key threats facing oil and gas companies today is the
 Applications       ability of anyone to download sophisticated software programs off the Internet.
                    Advanced software programs can be downloaded from numerous software vendors
 Heavy Oil          and hacker sites that allow anyone to have complete, real-time access to a company's
                    network system, either internally through the Internet or through the company's
                    remote-access systems. With these tools loaded locally, a hacker can discover a
                    company's complete IT topology, including all of its network devices, without anybody
                    at the company ever knowing it. This occurs if there is no adequate network visibility to
 Full-Length        see what is occurring within the system.
 Technical
 Papers
                    Today's buzz phrase is "remote agents." Although these agents serve a useful
                    purpose in network system management by allowing remote management of a
 2004 Editorial
                    company's entire infrastructure to keep it optimized, they also can be used against a
 Calendar
                    company's network. That's because once installed, they can provide a remote control
                    of the system to hackers who successfully breach security and, once successful, can
                    then take over the company's network. In addition, a hacker can make a backup of
                    confidential information without affecting any part of the active network and can
                    retrieve data at any time. This can happen because there are no industry standards to
                    protect these databases and the company's confidential information.

                    Insiders Are the Largest Threat

                    The bad news for company management is that most hackers are not attacking from
                    the outside but are company employees, contractors, one-time solution providers, or
                    even sales associates from large software or hardware vendors. The common issue
                    with the oil and gas industry is that, historically, it has not kept pace in guarding
                    against increased hacker access or in the sophisticated levels of remote-access
                    software. Traditionally, companies have hired network system administrators to be
                    responsible for securing information resources but have provided them with limited, if
                    any, technological security tools or network visibility tools.

                    Network vulnerabilities should be considered of red-level importance for oil and gas
                    companies that have operations in some of the world's most politically volatile regions
                    where it is difficult to definitively know who is actually associated with whom. Many
                    people who appear "safe" (including those having successfully passed background
                    checks) have access to computers within the company's infrastructure and can gain
                    unauthorized access to critical information. If data logs exist that document these
                    activities, it is an extremely time-consuming task to review and analyze the logs to




http://www.spe.org/spe/jpt/jsp/jptmonthlysection/0,2440,1104_1585_0_2505730,00.html                    6/1/2004
JPT (Jun 2004): IT Security for Oil and Gas Companies                                                Page 2 of 3



                    determine if an event actually occurred and, if so, to what extent.

                    Five-Part Solution
                                                                  An IT security breach?
                                                                  How serious could that be?
                    Given the threats to IT network security
                    within the oil and gas industry, what can
                                                                 IT security vulnerabilities strike right at
                    management proactively do? Initially, it
                                                                 the core of oil and gas operations. For
                    must gain an understanding of the basics
                                                                 example:
                    of security threats and solutions by
                    working in conjunction with the company's
                    IT department. Then, it must develop a              At a large Houston-based E&P
                    comprehensive security program and                  company, a vendor's software
                    implement it. Essentially, it's a five-part         package (being used legitimately
                    solution beginning with the most important:         at the company) fell into the
                    infrastructure visibility.                          hands of a contractor. After
                                                                        gaining unauthorized access to
                                                                        several network systems, the
                    That visibility should allow continuous
                                                                        contractor "mirrored" the
                    monitoring of the company's IT
                                                                        network's information, showing
                    infrastructure including a company's
                                                                        real-time transactions, onto a
                    switches, routers, and network hardware
                                                                        storage device. Mirroring the port
                    configurations. It includes monitoring
                                                                        caused a significant drain on
                    actual cabling and connectivity, transport
                                                                        bandwidth, slowing the
                    mechanisms (fiber, copper, or wireless),
                                                                        capabilities of the primary system
                    and the protocols that are used to
                                                                        to the point that the company had
                    communicate.
                                                                        difficulty with daily operations.
                                                                        Another oil and gas company
                    The second part of the solution involves            belatedly noticed that several
                    monitoring the company's information                thousand barrels of oil were
                    transport, data, and application systems            missing. Consequently, its
                    and, additionally, the servers and desktops         accounting department spent a
                    they run on. The most widely accepted               substantial amount of time poring
                    approach is the broadest one: monitoring            over financial information in an
                    the application structure by employing a            attempt to uncover the problem,
                    full-featured product that monitors all             which actually involved
                    computer and business applications in real          manipulation of the company's
                    time. These are the most important,                 network system.
                    critical, and vulnerable because this is
                    where a company's data are stored.
                                                                 As a result, it had to replace the missing
                                                                 barrels and incur the resulting revenue
                    The third part of the solution focuses on    loss.
                    security-analysis software. The company's
                    security-application group needs to be able to identify and defend in real time
                    unauthorized access through firewalls or unauthorized access to applications and
                    databases.

                    The fourth part enables companies to stop any unauthorized processes in real time.
                    This is typically accomplished with an application suite specifically designed for
                    protecting resources from unauthorized use. Different from security-analysis software,
                    security management suites allow a company to prevent unauthorized processes from
                    even starting. Additionally, it provides a traceable and accountable transaction log
                    from beginning to end of the unauthorized process.

                    The most sophisticated is the fifth part of the solution: the custom-configuration
                    component. This enables the four solution applications to interoperate and deliver a
                    single-user interface that identifies the health of the company's data and
                    communications infrastructure.

                    By properly establishing policies, procedures, and operational models, companies that
                    have the best visibility throughout the infrastructure can determine their security needs




http://www.spe.org/spe/jpt/jsp/jptmonthlysection/0,2440,1104_1585_0_2505730,00.html                     6/1/2004
JPT (Jun 2004): IT Security for Oil and Gas Companies                                                Page 3 of 3



                    on the basis of specified applications and data. The more sensitive data can be
                    determined "high-level security." This allows companies to adjust their security posture
                    in real time, thus enabling them to operate the network at the highest efficiency and
                    productivity levels with maximum security without hindering corporate profitability.

                    The Outlook

                    The IT security future for the oil and gas industry appears considerably brighter than in
                    recent years, with the industry largely adopting standards that previously had not been
                    followed. The industry is becoming more sophisticated in using advanced application
                    suites and methodologies that aid in implementing the solutions outlined. In addition, a
                    growing number of professionals within the oil and gas industry are implementing
                    advanced-support mechanisms that address both infrastructure security and
                    infrastructure productivity.

                    The bad news is that hackers have ready access to an increasingly wide array of tools
                    and are becoming more sophisticated in their ability to gain access to network
                    systems. To combat this, second-generation applications go well beyond even those
                    used in the late 1990s. These applications are more robust, more intelligent, more
                    user-friendly, and much more manageable. Most of the first-generation applications
                    required months and thousands of man-hours to deploy, while today's applications can
                    be deployed in weeks, and some within days.

                    In addition, these second-generation tools operate on united platforms, which means
                    their operation considers all layers of the network, and they are critical for the
                    convergence of various technologies. The tools to deploy against IT security threats
                    and vulnerabilities are better than ever but are useless if company management is not
                    proactive in taking initiatives to implement these tools.




http://www.spe.org/spe/jpt/jsp/jptmonthlysection/0,2440,1104_1585_0_2505730,00.html                    6/1/2004

More Related Content

What's hot

2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats
Lumension
 
Iaona handbook for network security - draft rfc 0.4
Iaona   handbook for network security - draft rfc 0.4Iaona   handbook for network security - draft rfc 0.4
Iaona handbook for network security - draft rfc 0.4
Ivan Carmona
 
Network cloaking sansv2_
Network cloaking sansv2_Network cloaking sansv2_
Network cloaking sansv2_
CMR WORLD TECH
 
Getting ahead of compromise
Getting ahead of compromiseGetting ahead of compromise
Getting ahead of compromise
CMR WORLD TECH
 
VSD Infotech
VSD InfotechVSD Infotech
VSD Infotech
VSD infotech
 
Regulatory Compliance Financial Institution
Regulatory Compliance Financial InstitutionRegulatory Compliance Financial Institution
Regulatory Compliance Financial Institution
Apani Enterprise Security Software
 
TRUSTe Online Security Guidelines v2.0
TRUSTe Online Security Guidelines v2.0TRUSTe Online Security Guidelines v2.0
TRUSTe Online Security Guidelines v2.0
TRUSTe
 
Cybersecurity in the Age of Mobility
Cybersecurity in the Age of MobilityCybersecurity in the Age of Mobility
Cybersecurity in the Age of Mobility
Booz Allen Hamilton
 
White Paper: Securing Nomadic Workforce
White Paper: Securing Nomadic WorkforceWhite Paper: Securing Nomadic Workforce
White Paper: Securing Nomadic Workforce
Courtland Smith
 
White paper scada (2)
White paper scada (2)White paper scada (2)
White paper scada (2)
Ivan Carmona
 
Sb fortinet-nozomi
Sb fortinet-nozomiSb fortinet-nozomi
Sb fortinet-nozomi
Ivan Carmona
 
Cloud Security Survey Peer Research Summary
Cloud Security Survey Peer Research SummaryCloud Security Survey Peer Research Summary
Cloud Security Survey Peer Research Summary
Intel IT Center
 
An Overview of Information Systems Security Measures in Zimbabwean Small and ...
An Overview of Information Systems Security Measures in Zimbabwean Small and ...An Overview of Information Systems Security Measures in Zimbabwean Small and ...
An Overview of Information Systems Security Measures in Zimbabwean Small and ...
researchinventy
 
IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
IRJET-  	  Image Steganography using Pixel Pattern Matching in Cloud Data Sto...IRJET-  	  Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
IRJET Journal
 
Security White Paper
Security White PaperSecurity White Paper
Security White PaperMobiWee
 
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFTPrint - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
Gerry Skipwith
 
Security assessment for financial institutions
Security assessment for financial institutionsSecurity assessment for financial institutions
Security assessment for financial institutions
Zsolt Nemeth
 
security_secure_pipes_frost_whitepaper
security_secure_pipes_frost_whitepapersecurity_secure_pipes_frost_whitepaper
security_secure_pipes_frost_whitepaper
Alan Rudd
 
Moving target-defense
Moving target-defenseMoving target-defense
Moving target-defense
Zsolt Nemeth
 
SCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systemsSCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systems
Zsolt Nemeth
 

What's hot (20)

2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats2009 Security Mega Trends & Emerging Threats
2009 Security Mega Trends & Emerging Threats
 
Iaona handbook for network security - draft rfc 0.4
Iaona   handbook for network security - draft rfc 0.4Iaona   handbook for network security - draft rfc 0.4
Iaona handbook for network security - draft rfc 0.4
 
Network cloaking sansv2_
Network cloaking sansv2_Network cloaking sansv2_
Network cloaking sansv2_
 
Getting ahead of compromise
Getting ahead of compromiseGetting ahead of compromise
Getting ahead of compromise
 
VSD Infotech
VSD InfotechVSD Infotech
VSD Infotech
 
Regulatory Compliance Financial Institution
Regulatory Compliance Financial InstitutionRegulatory Compliance Financial Institution
Regulatory Compliance Financial Institution
 
TRUSTe Online Security Guidelines v2.0
TRUSTe Online Security Guidelines v2.0TRUSTe Online Security Guidelines v2.0
TRUSTe Online Security Guidelines v2.0
 
Cybersecurity in the Age of Mobility
Cybersecurity in the Age of MobilityCybersecurity in the Age of Mobility
Cybersecurity in the Age of Mobility
 
White Paper: Securing Nomadic Workforce
White Paper: Securing Nomadic WorkforceWhite Paper: Securing Nomadic Workforce
White Paper: Securing Nomadic Workforce
 
White paper scada (2)
White paper scada (2)White paper scada (2)
White paper scada (2)
 
Sb fortinet-nozomi
Sb fortinet-nozomiSb fortinet-nozomi
Sb fortinet-nozomi
 
Cloud Security Survey Peer Research Summary
Cloud Security Survey Peer Research SummaryCloud Security Survey Peer Research Summary
Cloud Security Survey Peer Research Summary
 
An Overview of Information Systems Security Measures in Zimbabwean Small and ...
An Overview of Information Systems Security Measures in Zimbabwean Small and ...An Overview of Information Systems Security Measures in Zimbabwean Small and ...
An Overview of Information Systems Security Measures in Zimbabwean Small and ...
 
IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
IRJET-  	  Image Steganography using Pixel Pattern Matching in Cloud Data Sto...IRJET-  	  Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
 
Security White Paper
Security White PaperSecurity White Paper
Security White Paper
 
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFTPrint - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
 
Security assessment for financial institutions
Security assessment for financial institutionsSecurity assessment for financial institutions
Security assessment for financial institutions
 
security_secure_pipes_frost_whitepaper
security_secure_pipes_frost_whitepapersecurity_secure_pipes_frost_whitepaper
security_secure_pipes_frost_whitepaper
 
Moving target-defense
Moving target-defenseMoving target-defense
Moving target-defense
 
SCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systemsSCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systems
 

Similar to IT Security for Oil and Gas Companies

Tech trendnotes
Tech trendnotesTech trendnotes
Tech trendnotes
Studying
 
Include at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inInclude at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words in
maribethy2y
 
5691 computer network career
5691 computer network career5691 computer network career
5691 computer network career
Universitas Bina Darma Palembang
 
Dhana Raj Markandu: Control System Cybersecurity - Challenges in a New Energy...
Dhana Raj Markandu: Control System Cybersecurity - Challenges in a New Energy...Dhana Raj Markandu: Control System Cybersecurity - Challenges in a New Energy...
Dhana Raj Markandu: Control System Cybersecurity - Challenges in a New Energy...
Dhana Raj Markandu
 
CSEC630 individaul assign
CSEC630 individaul assignCSEC630 individaul assign
CSEC630 individaul assign
Ronald Jackson, Jr
 
Final Project – Incident Response Exercise SAMPLE.docx
Final Project – Incident Response Exercise SAMPLE.docxFinal Project – Incident Response Exercise SAMPLE.docx
Final Project – Incident Response Exercise SAMPLE.docx
lmelaine
 
Running Head NETWORK INFRASTRUCTURE VULNERABILITIES1NETWORK .docx
Running Head NETWORK INFRASTRUCTURE VULNERABILITIES1NETWORK .docxRunning Head NETWORK INFRASTRUCTURE VULNERABILITIES1NETWORK .docx
Running Head NETWORK INFRASTRUCTURE VULNERABILITIES1NETWORK .docx
toltonkendal
 
supply chain management.pptx
supply chain management.pptxsupply chain management.pptx
supply chain management.pptx
MinnySkyy
 
eForensics Free Magazine 01.12. teaser
eForensics Free Magazine 01.12. teasereForensics Free Magazine 01.12. teaser
eForensics Free Magazine 01.12. teaser
eForensicsMag
 
Is Your Network Ready for the Age of IoT?
Is Your Network Ready for the Age of IoT?Is Your Network Ready for the Age of IoT?
Is Your Network Ready for the Age of IoT?
GENIANS, INC.
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
Commit Software Sh.p.k.
 
DISCUSSION ON SECURITY MEASURES FOR PIPELINE CYBER ASSETS
DISCUSSION ON SECURITY MEASURES FOR PIPELINE CYBER ASSETSDISCUSSION ON SECURITY MEASURES FOR PIPELINE CYBER ASSETS
DISCUSSION ON SECURITY MEASURES FOR PIPELINE CYBER ASSETS
iQHub
 
DISCUSSION ON SECURITY MEASURES FOR PIPELINE CYBER ASSETS
DISCUSSION ON SECURITY MEASURES FOR PIPELINE CYBER ASSETSDISCUSSION ON SECURITY MEASURES FOR PIPELINE CYBER ASSETS
DISCUSSION ON SECURITY MEASURES FOR PIPELINE CYBER ASSETS
iQHub
 
Secure your Space: The Internet of Things
Secure your Space: The Internet of ThingsSecure your Space: The Internet of Things
Secure your Space: The Internet of Things
The Security of Things Forum
 
Risk Mitigation Plan Based On Inputs Provided
Risk Mitigation Plan Based On Inputs ProvidedRisk Mitigation Plan Based On Inputs Provided
Risk Mitigation Plan Based On Inputs Provided
Tiffany Graham
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network Automation
E.S.G. JR. Consulting, Inc.
 
Toward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network AutomationToward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network Automation
Ken Flott
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012
ClubHack
 
Puppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability ExploitsPuppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability Exploits
ecarrow
 
How to deal with the impact of digital transformation on networks
How to deal with the impact of digital transformation on networks How to deal with the impact of digital transformation on networks
How to deal with the impact of digital transformation on networks
Abaram Network Solutions
 

Similar to IT Security for Oil and Gas Companies (20)

Tech trendnotes
Tech trendnotesTech trendnotes
Tech trendnotes
 
Include at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inInclude at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words in
 
5691 computer network career
5691 computer network career5691 computer network career
5691 computer network career
 
Dhana Raj Markandu: Control System Cybersecurity - Challenges in a New Energy...
Dhana Raj Markandu: Control System Cybersecurity - Challenges in a New Energy...Dhana Raj Markandu: Control System Cybersecurity - Challenges in a New Energy...
Dhana Raj Markandu: Control System Cybersecurity - Challenges in a New Energy...
 
CSEC630 individaul assign
CSEC630 individaul assignCSEC630 individaul assign
CSEC630 individaul assign
 
Final Project – Incident Response Exercise SAMPLE.docx
Final Project – Incident Response Exercise SAMPLE.docxFinal Project – Incident Response Exercise SAMPLE.docx
Final Project – Incident Response Exercise SAMPLE.docx
 
Running Head NETWORK INFRASTRUCTURE VULNERABILITIES1NETWORK .docx
Running Head NETWORK INFRASTRUCTURE VULNERABILITIES1NETWORK .docxRunning Head NETWORK INFRASTRUCTURE VULNERABILITIES1NETWORK .docx
Running Head NETWORK INFRASTRUCTURE VULNERABILITIES1NETWORK .docx
 
supply chain management.pptx
supply chain management.pptxsupply chain management.pptx
supply chain management.pptx
 
eForensics Free Magazine 01.12. teaser
eForensics Free Magazine 01.12. teasereForensics Free Magazine 01.12. teaser
eForensics Free Magazine 01.12. teaser
 
Is Your Network Ready for the Age of IoT?
Is Your Network Ready for the Age of IoT?Is Your Network Ready for the Age of IoT?
Is Your Network Ready for the Age of IoT?
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
DISCUSSION ON SECURITY MEASURES FOR PIPELINE CYBER ASSETS
DISCUSSION ON SECURITY MEASURES FOR PIPELINE CYBER ASSETSDISCUSSION ON SECURITY MEASURES FOR PIPELINE CYBER ASSETS
DISCUSSION ON SECURITY MEASURES FOR PIPELINE CYBER ASSETS
 
DISCUSSION ON SECURITY MEASURES FOR PIPELINE CYBER ASSETS
DISCUSSION ON SECURITY MEASURES FOR PIPELINE CYBER ASSETSDISCUSSION ON SECURITY MEASURES FOR PIPELINE CYBER ASSETS
DISCUSSION ON SECURITY MEASURES FOR PIPELINE CYBER ASSETS
 
Secure your Space: The Internet of Things
Secure your Space: The Internet of ThingsSecure your Space: The Internet of Things
Secure your Space: The Internet of Things
 
Risk Mitigation Plan Based On Inputs Provided
Risk Mitigation Plan Based On Inputs ProvidedRisk Mitigation Plan Based On Inputs Provided
Risk Mitigation Plan Based On Inputs Provided
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network Automation
 
Toward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network AutomationToward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network Automation
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012
 
Puppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability ExploitsPuppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability Exploits
 
How to deal with the impact of digital transformation on networks
How to deal with the impact of digital transformation on networks How to deal with the impact of digital transformation on networks
How to deal with the impact of digital transformation on networks
 

More from Richard Cole

Richard Cole Professional Portfolio
Richard Cole Professional PortfolioRichard Cole Professional Portfolio
Richard Cole Professional Portfolio
Richard Cole
 
Richard B Cole Biography
Richard B Cole BiographyRichard B Cole Biography
Richard B Cole Biography
Richard Cole
 
Richard Cole Résumé
Richard Cole RésuméRichard Cole Résumé
Richard Cole Résumé
Richard Cole
 
Alliance Group Research (AGR) Corporate Presentation
Alliance Group Research (AGR) Corporate PresentationAlliance Group Research (AGR) Corporate Presentation
Alliance Group Research (AGR) Corporate Presentation
Richard Cole
 
Internet-based business model revs up savings for auto dealers
Internet-based business model revs up savings for auto dealersInternet-based business model revs up savings for auto dealers
Internet-based business model revs up savings for auto dealers
Richard Cole
 
Technology boosts health care compliance, training systems
Technology boosts health care compliance, training systemsTechnology boosts health care compliance, training systems
Technology boosts health care compliance, training systems
Richard Cole
 
Richard Cole SoQ
Richard Cole SoQRichard Cole SoQ
Richard Cole SoQ
Richard Cole
 

More from Richard Cole (7)

Richard Cole Professional Portfolio
Richard Cole Professional PortfolioRichard Cole Professional Portfolio
Richard Cole Professional Portfolio
 
Richard B Cole Biography
Richard B Cole BiographyRichard B Cole Biography
Richard B Cole Biography
 
Richard Cole Résumé
Richard Cole RésuméRichard Cole Résumé
Richard Cole Résumé
 
Alliance Group Research (AGR) Corporate Presentation
Alliance Group Research (AGR) Corporate PresentationAlliance Group Research (AGR) Corporate Presentation
Alliance Group Research (AGR) Corporate Presentation
 
Internet-based business model revs up savings for auto dealers
Internet-based business model revs up savings for auto dealersInternet-based business model revs up savings for auto dealers
Internet-based business model revs up savings for auto dealers
 
Technology boosts health care compliance, training systems
Technology boosts health care compliance, training systemsTechnology boosts health care compliance, training systems
Technology boosts health care compliance, training systems
 
Richard Cole SoQ
Richard Cole SoQRichard Cole SoQ
Richard Cole SoQ
 

Recently uploaded

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
Pixlogix Infotech
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 

Recently uploaded (20)

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 

IT Security for Oil and Gas Companies

  • 1. JPT (Jun 2004): IT Security for Oil and Gas Companies Page 1 of 3 June 2004 Special Features IT Security for Oil and Gas Companies Richard Cole, Enterprise Consulting Services (ECS), and Bret Thomas, Enterprise Management Infrastructure Solutions (EIS) Distinguished Author Series Richard Cole is Chief Operating Officer for Enterprise Consulting Services (ECS), a Houston-based technology firm that specializes in global network security through Departments professional services deployment and remote systems. Bret Thomas is CEO of Enterprise Infrastructure Solutions (EIS), a Houston-based firm specializing in global Deepwater network security consulting for numerous Fortune 500 companies. E&P Since information technology (IT) infrastructure is now integral to a company's entire Coiled operations, threats to network security are not just "an IT issue" anymore but one for Tubing management as well. One of the key threats facing oil and gas companies today is the Applications ability of anyone to download sophisticated software programs off the Internet. Advanced software programs can be downloaded from numerous software vendors Heavy Oil and hacker sites that allow anyone to have complete, real-time access to a company's network system, either internally through the Internet or through the company's remote-access systems. With these tools loaded locally, a hacker can discover a company's complete IT topology, including all of its network devices, without anybody at the company ever knowing it. This occurs if there is no adequate network visibility to Full-Length see what is occurring within the system. Technical Papers Today's buzz phrase is "remote agents." Although these agents serve a useful purpose in network system management by allowing remote management of a 2004 Editorial company's entire infrastructure to keep it optimized, they also can be used against a Calendar company's network. That's because once installed, they can provide a remote control of the system to hackers who successfully breach security and, once successful, can then take over the company's network. In addition, a hacker can make a backup of confidential information without affecting any part of the active network and can retrieve data at any time. This can happen because there are no industry standards to protect these databases and the company's confidential information. Insiders Are the Largest Threat The bad news for company management is that most hackers are not attacking from the outside but are company employees, contractors, one-time solution providers, or even sales associates from large software or hardware vendors. The common issue with the oil and gas industry is that, historically, it has not kept pace in guarding against increased hacker access or in the sophisticated levels of remote-access software. Traditionally, companies have hired network system administrators to be responsible for securing information resources but have provided them with limited, if any, technological security tools or network visibility tools. Network vulnerabilities should be considered of red-level importance for oil and gas companies that have operations in some of the world's most politically volatile regions where it is difficult to definitively know who is actually associated with whom. Many people who appear "safe" (including those having successfully passed background checks) have access to computers within the company's infrastructure and can gain unauthorized access to critical information. If data logs exist that document these activities, it is an extremely time-consuming task to review and analyze the logs to http://www.spe.org/spe/jpt/jsp/jptmonthlysection/0,2440,1104_1585_0_2505730,00.html 6/1/2004
  • 2. JPT (Jun 2004): IT Security for Oil and Gas Companies Page 2 of 3 determine if an event actually occurred and, if so, to what extent. Five-Part Solution An IT security breach? How serious could that be? Given the threats to IT network security within the oil and gas industry, what can IT security vulnerabilities strike right at management proactively do? Initially, it the core of oil and gas operations. For must gain an understanding of the basics example: of security threats and solutions by working in conjunction with the company's IT department. Then, it must develop a At a large Houston-based E&P comprehensive security program and company, a vendor's software implement it. Essentially, it's a five-part package (being used legitimately solution beginning with the most important: at the company) fell into the infrastructure visibility. hands of a contractor. After gaining unauthorized access to several network systems, the That visibility should allow continuous contractor "mirrored" the monitoring of the company's IT network's information, showing infrastructure including a company's real-time transactions, onto a switches, routers, and network hardware storage device. Mirroring the port configurations. It includes monitoring caused a significant drain on actual cabling and connectivity, transport bandwidth, slowing the mechanisms (fiber, copper, or wireless), capabilities of the primary system and the protocols that are used to to the point that the company had communicate. difficulty with daily operations. Another oil and gas company The second part of the solution involves belatedly noticed that several monitoring the company's information thousand barrels of oil were transport, data, and application systems missing. Consequently, its and, additionally, the servers and desktops accounting department spent a they run on. The most widely accepted substantial amount of time poring approach is the broadest one: monitoring over financial information in an the application structure by employing a attempt to uncover the problem, full-featured product that monitors all which actually involved computer and business applications in real manipulation of the company's time. These are the most important, network system. critical, and vulnerable because this is where a company's data are stored. As a result, it had to replace the missing barrels and incur the resulting revenue The third part of the solution focuses on loss. security-analysis software. The company's security-application group needs to be able to identify and defend in real time unauthorized access through firewalls or unauthorized access to applications and databases. The fourth part enables companies to stop any unauthorized processes in real time. This is typically accomplished with an application suite specifically designed for protecting resources from unauthorized use. Different from security-analysis software, security management suites allow a company to prevent unauthorized processes from even starting. Additionally, it provides a traceable and accountable transaction log from beginning to end of the unauthorized process. The most sophisticated is the fifth part of the solution: the custom-configuration component. This enables the four solution applications to interoperate and deliver a single-user interface that identifies the health of the company's data and communications infrastructure. By properly establishing policies, procedures, and operational models, companies that have the best visibility throughout the infrastructure can determine their security needs http://www.spe.org/spe/jpt/jsp/jptmonthlysection/0,2440,1104_1585_0_2505730,00.html 6/1/2004
  • 3. JPT (Jun 2004): IT Security for Oil and Gas Companies Page 3 of 3 on the basis of specified applications and data. The more sensitive data can be determined "high-level security." This allows companies to adjust their security posture in real time, thus enabling them to operate the network at the highest efficiency and productivity levels with maximum security without hindering corporate profitability. The Outlook The IT security future for the oil and gas industry appears considerably brighter than in recent years, with the industry largely adopting standards that previously had not been followed. The industry is becoming more sophisticated in using advanced application suites and methodologies that aid in implementing the solutions outlined. In addition, a growing number of professionals within the oil and gas industry are implementing advanced-support mechanisms that address both infrastructure security and infrastructure productivity. The bad news is that hackers have ready access to an increasingly wide array of tools and are becoming more sophisticated in their ability to gain access to network systems. To combat this, second-generation applications go well beyond even those used in the late 1990s. These applications are more robust, more intelligent, more user-friendly, and much more manageable. Most of the first-generation applications required months and thousands of man-hours to deploy, while today's applications can be deployed in weeks, and some within days. In addition, these second-generation tools operate on united platforms, which means their operation considers all layers of the network, and they are critical for the convergence of various technologies. The tools to deploy against IT security threats and vulnerabilities are better than ever but are useless if company management is not proactive in taking initiatives to implement these tools. http://www.spe.org/spe/jpt/jsp/jptmonthlysection/0,2440,1104_1585_0_2505730,00.html 6/1/2004