The facilities of the oil and gas infrastructures are vast and complex, covering large geographic areas and involving numerous components. Tools for vulnerability assessment and prioritization of key assets in these systems must be used to ensure that owners’ limited resources are applied effectively. Such tools have been used extensively in the national security and defense communities, and it is recommended that they be aggressively directed to energy infrastructures as well (see Recommendation 6.2).
The oil and gas industries are dependent on cybersystems. Because these industries have not yet suffered the consequences of sophisticated cyberattacks, their expertise on high-security cybersystems is relatively undeveloped; until September 11, they had little incentive to consider the use of these often-expensive security measures. The situation has now changed, and the industries—along with their vendors, standard-setting organizations, and technology suppliers—need to develop and deploy more robust terrorist-resistant cybersystems (see Recommendation 6.9). A partnership with government, perhaps through the national laboratories, might be an appropriate way to pursue this goal.
Individual companies need timely information on potential attacks in order to take actions that deter them or minimize their impact. A reasonable balance is needed between corporate America’s need to know its own risks and the need to secure information for homeland and national security.
Industries, including oil and gas, need a mechanism such as an information sharing and analysis center for receiving and disseminating critical real-time threat information. In fact, the oil and gas industries are in the process of forming such a center. However, one consequence of the industry’s highly competitive nature is that industry members are often reluctant to share information with the government if by so doing that information may later be accessed and exposed through a Freedom of Information Act (FOIA) request. FOIA should therefore be modified to exempt information on critical-infrastructure protection (NPC, 2001). Members of the oil and gas industries are also concerned about antitrust and liability issues. All parties must realize that the business-as-usual environment of the past is clearly not suited to the defense of our homeland today, but companies will need to see some changes in government policy to be confident they can move forward without causing new problems for themselves (see Recommendation 6.3).