Those visiting headquarters of major oil companies almost invariably are afterwards heard to say, “Whew, security there is tight.” And it’s justifiably so. Another kind of industry security challenge, less remarked upon, ultimately may prove more intractable. While the evidence starts with your own PC or laptop, the threat of cyber attacks on petroleum industry installations is real, and even if in the main thwarted, could do real harm to efforts to increase oil industry productivity using the Internet and information technology. On December 6, an article in The New York Times pointed out we’re losing the battle against criminal Internet use. The Organization for Security and Cooperation in Europe estimates that credit card thefts, bank frauds, and other scams rob computer users of $100 billion a year. As legitimate businessmen do with their profits, thieves invest some of that money in R&D that keeps them ahead of the global cycle of distributing security patches. “In October,” the article goes on to say, “researchers at the Georgia Tech Information Security Center reported that the percentage of online computers worldwide infected by botnets—networks of programs connected via the Internet that send spam or disrupt Internet-based services—is likely to increase to 15 percent by the end of this year, from 10 percent in 2007. That suggests a staggering number of infected computers, as many as 10 million, being used to distribute spam and malware over the Internet each day, according to research compiled by PandaLabs.” It’s more difficult to get information on cyber attacks on industrial installations, including in oil & gas. But according to “Critical Infrastructure Cyber-Security,” an Energy Insights analysis of a survey of about 200 security experts and “industry insiders” who have first-hand knowledge of critical infrastructure cyber-security issues, more than 50% of respondents said that critical infrastructure had already been attacked. Unfortunately, the report, published in November, goes on to say that the very technologies poised to improve oil industry productivity and streamline IT costs are exactly the ones most likely to increase vulnerability to cyber attacks in the industry, as follows: • Increases in the number of access points through the deployment of “intelligent” devices such as sensors and actuators; • Deployment of IP-based communications networks, including IP-based SCADA systems, public wireless networks, and mesh networks; • More integration between operational and corporate networks; and • Greater reliance on “standard” or commodity IT platforms, especially the migration of network automation and control systems form Unix to Microsoft Windows. When it comes to the degree of preparedness to combat cyber threats, respondents said they saw only one industry, financial services, as being “prepared.” Moreover, “the results indicate that owners of some of the most critical infrastructure assets—such as utilities, oil & gas companies, transportation companies, chemical companies, and postal/shipping companies—are the worst prepared.” Finally, respondents saw the energy industry (including oil & gas and utilities) as the biggest target, the most vulnerable, and as having the most potential for serious harm. The way ahead isn’t entirely clear. While 14% of survey respondents expect a major cyber attack to occur in the next 12 months, Energy Insights recommends companies not delay the deployment of new technologies based on cyber threats, and says companies should increase their vigilance. It further notes that as the regulatory regime in this area expands, companies will either have to cut elsewhere or increase IT budgets. In January, President Bush signed National Security Presidential Directive 54, in response to a string of attacks that had occurred on networks at the State, Commerce, Defense, and Homeland Security departments. Details of the program are secret, but securing these networks is expected to cost billions of dollars. One criticism of the program is that it doesn’t include the private sector, where, according to an article published in the Washington Post at the time, “90% of the threat exists.”