Energy firms must acknowledge cybersecurity as more than an IT problem, according to new Rice University paper

David Ruth
713-348-6327
david@rice.edu 

Jeff Falk
713-348-6775
jfalk@rice.edu 

Energy firms must acknowledge cybersecurity as more than an IT problem, according to new Rice University paper

HOUSTON – (Sept. 17, 2012) – Energy firms have spent vast sums on the security of their information systems, but they must reorient from a reactive, tactical posture regarding intrusions and attacks to a more strategic, holistic view that expands beyond the categorization of the issue as an IT problem, according to a new paper from Rice University’s Baker Institute for Public Policy.

Titled “Cybersecurity Issues and Policy Options for the U.S. Energy Industry,” the paper investigates how energy companies involved in the production and delivery of hydrocarbons, as well as companies that generate and transmit electricity, face new risks posed by malicious software (“malware”). These risks can affect the continuity of their operations, capacity to deliver products and services and ability to protect investments — particularly in research and development — from theft or unauthorized disclosure. 

The paper comes against the backdrop of the U.S. Congress’ failure this summer to pass significant cybersecurity legislation for the protection of commercial and government information technology infrastructure.

“For the energy industry, cybersecurity is not just a technology problem, but rather is one that includes the larger dynamics of information and operations,” said Christopher Bronk, the paper’s principal author and a Baker Institute fellow in information technology policy. “How public policy can form components of the response to cybersecurity issues pertaining to the energy industry and the critical infrastructure that it builds, operates and maintains requires considering both the complexity of the issue and the nuance in potential policy prescriptions.”

The paper details examples of major oil and gas companies that have suffered a significant data breach or disruption of IT service, the latest being Saudi Aramco. In August, Saudi Aramco saw as many as 30,000 computers on the company’s network compromised by a malicious piece of  “malware,” possibly the one labeled “Shamoon” by the computer malware analysis community.

“The issues of cyberespionage and true cyberattacks — the ability to achieve kinetic outcomes by manipulation of computer systems — represent significant challenges for the energy industry, the United States government and the international community,” Bronk said.

“Constructing institutions to cope with these problems and move beyond a reactive posture will require greater research investment, collaboration and unorthodox combinations of expertise from within the computing field and beyond it.”

Bronk will host a range of international cybersecurity experts from business, government and academia at the Baker Institute tomorrow, Sept. 18, to share and discuss the latest information on how to detect, defend against and respond to emerging cyberthreats. For more information about this conference, visit http://www.bakerinstitute.org/events/emerging-cyber-security-threats-public-policy-and-technology-response.

Bronk previously served as a career diplomat with the Department of State, where his last assignment was in the Office of eDiplomacy, the department’s internal think tank on information technology, knowledge management, computer security and interagency collaboration. 

Adam Pridgen, a graduate student and cybersecurity researcher in Rice’s Department of Computer Science, is the paper’s secondary author. Deloitte LLP supported the research activity from which this paper was drawn.

-30-

For more information or to schedule an interview with Bronk, contact Jeff Falk, associate director of national media relations at Rice, at jfalk@rice.edu or 713-348-6775.

Related materials:

“Cybersecurity Issues and Policy Options for the U.S. Energy Industry” paper:  http://www.bakerinstitute.org/policyreport53

Christopher Bronk bio: http://bakerinstitute.org/personnel/fellows-scholars/cbronk 

Bronk on Twitter: http://twitter.com/techpologist @techpologist

Founded in 1993, the James A. Baker III Institute for Public Policy at Rice University in Houston ranks among the top 20 university-affiliated think tanks globally and top 30 think tanks in the United States. As a premier nonpartisan think tank, the institute sponsors more than 20 programs that conduct research on domestic and foreign policy issues with the goal of bridging the gap between the theory and practice of public policy. The institute’s strong track record of achievement reflects the work of its endowed fellows and Rice University scholars. Learn more about the institute at www.bakerinstitute.org or on the institute’s blog, http://blogs.chron.com/bakerblog.