Nita Hefner, Infraworks Corp.
Revolutionary advances in technology have transformed the way companies conduct business. They now rely on the valuable resource of information technology. This is especially true for the oil and gas industry, where more information is taking digital form. With deregulation, the rise in competition, and the outsourcing of more job functions, one of a company's biggest challenges is protecting proprietary data from falling into the hands of unauthorized individuals. Using digital property protection (DPP) solutions is not only a good business practice, it promotes the stability of national economic infrastructure.
Infrastructures must be protected from a variety of assailants, including disgruntled employees, political activists, international and domestic terrorists, and organized crime. So, while the Internet streamlines business operations and enables new business models, safeguarding these online processes and protecting digital property has become a matter of national security.
Ronald L. Dick, director of the National Infrastructure Protection Center, told the US House Committee on Commerce, "The prospect of 'information warfare' by foreign militaries against our critical infrastructures is perhaps the greatest threat to our national security." The Office of Critical Infrastructure Protection and Emergency Preparedness reported that terrorists such as Osama bin Laden have already suggested using the computer as a weapon.
The oil and gas industry is one of the nation's primary critical infrastructures, essential to the minimum operations of the economy and government. Thus, oil and gas companies are targets for malicious and manipulative intent. Once digital property leaves the desktop - unprotected - it can go in a variety of directions, creating detrimental effects. Implementing a DPP solution not only protects data while it is in transit, but also limits how long and in what manner the recipient can use it. With it, a company can conduct ebusiness without exposing itself to many of the associated risks.
Companies in the oil and gas industry face new challenges as technology and globalization change the business environment. The exchange of digital property is vital to the success of a company. Companies and their affiliates must have access to the right information, at the right time, with the ability to process and protect it. Oil and gas companies now rely on the electronic exchange of digital information to operate many aspects of day-to-day business, including:
- Upstream - management of seismic data, communication between pipelines and offshore platforms, exploration, and production activities
- Midstream - communication for transport of raw energy and delivery to holding stations
- Downstream - communication for refining, sale, and distribution of energy products.
Instantaneous exchange of digital information enhances the efficiency of these business operations. It streamlines communication between companies and their partners, suppliers and customers. It automates processes like purchasing, invoicing, payment, and delivery, reducing turn-around time and man-hours.
This dependency on digital technologies, however, increases the risk of digital property loss and business interruption. Most technology systems used to expedite business functions were not designed to protect managed data. These systems are inherently vulnerable to manipulation. There is an increased opportunity for intercepted communications, unauthorized dissemination of confidential information, altering or falsifying information, and breach of contracts. This can lead to loss of revenue, loss of stakeholder confidence, and damage to the company's reputation.
According to the 2001 CSI/FBI Computer Crime and Security Survey, "Eighty-five percent of large corporations and governmental agencies reported computer security breaches in the last 12 months and 64% reported financial losses due to these breaches ... it represents a loss of over $10 billion annually." And according to the Bear Stearns 2000 Security Report, each security breach costs companies up to $1.8 million. Those numbers cannot be ignored.
One of the great advantages of the Internet and wireless communication is the capability of sharing valuable information almost instantaneously. Companies can communicate with all parties involved in a project, including consultants, suppliers, and partners. Whether the team member is sitting in the cubicle next door or on a platform in the middle of the ocean, immediate and continual communication is accessible.
The downside, however, is that more people are sharing more information over less restrictive channels. Ideas, plans, schedules, budgets, and specifications are all available to anyone who knows where and how to access them. Using a DPP tool can protect such sensitive information. A DPP tool provides variations of security appropriate to the sensitivity of the information, including redistribution restrictions, date and time expirations, as well as password and user authentication.
File sharing systems
Some other innovative tools derived from the advances of communications are file sharing systems that facilitate information management and sharing. File sharing systems include knowledge management systems, document libraries, and project management and collaboration networks.
Knowledge management systems provide users with rapid access to knowledgeable and experienced associates, inside and outside the organization, such as employees, vendors, partners, and consultants. Such systems collect and organize information in a central online databank. This databank is exposed to two significant vulnerabilities.
First, as various aspects of operation rely heavily on the communication of shared information, it is critical that the information be up-to-date and accurate. Aside from protecting the information from theft or misuse, a DPP tool can enforce expiration dates on downloaded data to ensure that the user accesses current data and does not rely on outdated versions.
Second, databanks are a central location of valuable information and, therefore, a prime target for attack, via theft, dissemination, or modification. The very collection process can be intercepted by hackers. DPP tools can control who has access to these databanks and what can be done with the information, as well as protect the data from unauthorized access in the event the security of the databank is ever compromised.
In lieu of databanks, many knowledge management systems now use document libraries to host intellectual property. The same DPP tools that protect knowledge management systems can be used to protect document libraries. Permissions can be controlled, limiting who has access to data, when they have access, for how long, and what can be done with it. Other security mechanisms available with a DPP tool include password protection and user authentication.
Another network system becoming standard practice is the project management and collaboration network. These networks include sensitive information such as:
- Proposal narratives
- Research and exploration data
- Construction plans
- Platform diagrams
- Detailed delivery schedules
- Bid specifications
- Risk and issue management systems
- Modeling and seismic analysis
- Codes and operating standards.
If a DPP tool is not in place to protect this highly sensitive information, it can be accessed and disseminated by unauthorized individuals. Redistribution of the information can compromise a company's competitive edge. Sophisticated management systems should be protected with equally sophisticated security measures.
Businesses are not the only ones to reap the benefits of new and radical innovations in technology. The fusion of business and technology has spawned adversaries that avidly seek means of exploitation for a variety of intents and purposes, including monetary gain, competitive pursuits and activists' demonstrations. Today's hacker may be a 14-year-old expressing mischievous curiosity, a professional who buys and sells trade secrets, or a terrorist attacking national infrastructures. Common attacks include identity theft, intellectual property theft for competitive gain, alteration of electronic fund exchanges, and modification of information used for investment or invoicing.
Electronic eavesdropping is more prevalent in the realm of intellectual property theft and corporate espionage. With the technology innovations of wireless transmissions, information can be electronically beamed to and from computers, cell phones, and personal digital assistants. Consequently, this digital information can be intercepted during transmission.
Without appropriate DPP tools in place, communications transmitted by such devices are easily compromised. So, to prevent exposing your company's best-kept secrets and well-laid plans to the world, it is important to put layers of robust technological defense in place.
The threats of disrupted business operations and the loss of intellectual property do not begin and end with the hacker. In fact, according to KPMG, 80% of security incidents involve employees. Security experts agree that the internal threat is often the biggest concern. Disgruntled employees and other insiders with legitimate access to critical business networks prove to be a significant threat to corporate security. "Sixty to 65% of all unauthorized computer access is achieved by people within an organization," according to the CSI/FBI survey.
With any downturn in the economy and change in business environments, disgruntled employees can quickly become a problem. When businesses restructure and downsize, employees are expected to do more with less. They have less job security, and consequently, less concern for their companies' overall best interest. What they do have is intimate access to the organizations' network environment. They may have access to confidential and sensitive information, including budgets, bids, and product specifications. Employees can sell the information to competitors or take it with them as they migrate to other companies.
Even if the dissemination is not malicious, simple carelessness and human error can result in equally catastrophic repercussions. NFO In Depth Interactive revealed startling survey statistics to IDG News Service in the September 2001 article "Study: security at risk as confidential emails soar."
A survey of 498 employees working in a variety of organizations revealed that "40% of respondents admitted to receiving confidential information about other companies via the Internet - a 356% increase since 1999." Without appropriate DPP solutions in place to safeguard the use of sensitive data, inappropriate use and accidental dissemination is inevitable.
Globalization also significantly affects the security of critical infrastructures. Several industries of critical infrastructures, including information technology, energy, transportation, finance, and banking, are all evolving at an accelerated pace. The globalization of critical infrastructures - coupled with unprecedented advances in technology - results in altogether new business models. Evidence of these changes includes restructuring of corporate organization, the rise of legal and regulatory issues, and increasing interdependencies on other critical infrastructures.
According to the National Petroleum Council, many industries have become more multinational. This is evidenced by the growing foreign ownership of US companies and the increasing dependence on foreign supply.
The advances in ebusiness and the Internet have solidified the globalization of critical infrastructures. The result is a diversity of owners, operators, suppliers, vendors, and employees, all with potential conflicts of interest and inconsistent loyalties.
The uncertainties in foreign relations, politics, and regulatory issues have exponentially increased the need for companies to equip themselves with the DPP tools that enable them to share vast types of information without depending on trust and legal contract to protect valuable information.
Globalization within critical infrastructures leads to legal and regulatory issues. As the necessity of communication and information sharing transcends US borders and the protection of US law, businesses can no longer rely on legal contract to bind foreign affiliates. This raises the issues of antitrust infringement, copyright violations, protection of confidential information, and breach of contracts.
Organizations are emerging to address the issues of international regulations of intellectual property, but the process of establishing international law is slow and complex. In the meantime, this leaves electronic systems and ebusiness environments exposed to exploitation, unless individual security mechanisms are implemented to protect digital property.
By implementing DPP security solutions, oil and gas companies can safely maximize many of the benefits of the technology revolution, expand beyond national borders, and make optimal use of the Internet. Although the challenges facing the critical industries are far from resolved, companies now have a security mechanism that enables secure employment of information technology and telecommunications.
Nita Hefner is marketing manager at Infraworks Corp., www.infraworks.com.