The legal profession is often seen as having the rather dubious distinction of seeking to profit at the misfortunes of others or, more simply, of being ambulance chasers. As law graduate myself, I don’t dispute that many practicing lawyers get rather aggressive around accident sites. Nonetheless, much of the profession’s bad name derives instead from the highly valuable function they perform, which is helping people resolve disputes in a (usually) civilized manner, or more frequently, helping clients to prevent those disputes in the first place. Arguably, the information security profession has a similar nature. We spend most of our time helping customers and employers prevent successful attacks and profit most handsomely when we help investigate or root out the effects of a successful attack. So, it begs the question for those of us exploring new business opportunities: Is the oil industry about to allocate more resources for cyber security?
While there is absolutely no evidence that the Deepwater Horizon accident was caused in any way by a cyber security attack or even inadvertent computer error, accidents like this tend to draw scrutiny from all quarters. Regulars often use the opportunity and political capital they’ve gained to impose new rules and investigate practices in areas far beyond the scope of the accident that spawned the authority. After the September 11 attacks, cyber security efforts were accelerated through the passage of legislation such as the Federal Information Security Management Act (FISMA). The Enron and Worldcom scandals led to passage of the Sarbanes-Oxley Act, which was a boon to countless information security auditors. Of course, not every disaster results in increased attention to cyber security. For example, it is highly unlikely that the recent West Virginia mining disaster will lead to more scrutiny of IT security controls even though one could make the argument that the integrity of the data collected from the gas-sensing equipment is highly critical. However, sadly, I’m afraid for cultural and socio-economic reasons that even mine safety issues won’t get the attention they deserve.
However, the oil industry is different. It is much more visible, dominated by a small number of large conglomerates, and the harms that they can cause with oil spills affect a much larger population. Moreover, stories predating the recent spill clearly indicated the industry faces some real cyber security threats that could lead to significant harm to the companies and the environment. As a recent article in Foreign Policy noted, offshore drilling rigs heavily rely on remote-controlled computer systems such as the supervisory control and data acquisition (SCADA) systems that I’ve referenced in earlier posts. In a case of sabotage by a disgruntled contractor, “[p]rosecutors say the contractor hacked into a shore-to-rig communications network that, among other functions, detected oil leaks. He caused thousands of dollars worth of damage, they charge, though, fortunately, no leaks.” If that weren’t bad enough, there is also evidence that highly sophisticated organizations, possibly foreign intelligence agencies or organized crime, have broken into oil companies and have obtained sensitive documents regarding locations of oil discoveries. So, now we know that threat exists and the potential harms are significant. Lest we salivate over the business to be won in responding to incidents, cyber security professionals and oil companies should consider the value of forestalling before it makes the headlines. After all, it’s our environment too.