Kendra L. Martin

1
Roles Expectations
SECURITY in the Oil Industry

• Kendra L. Martin
• CIO Director of E-Business
• American Petroleum Institute
• December 12, 2002

2
American Petroleum Institute

• Trade association representing oil and natural
  gas industry (well head to service station )
  
• Public policy development in support of a strong,
  viable U.S. oil and natural gas industry
  essential to meet the energy needs of consumers
  in an efficient, environmentally responsible
  manner.
• Federal and state legislative and regulatory
  advocacy based on scientific research technical,
  legal and economic analysis and public issues
  communication
• Industry forum to develop consensus policies and
  collective action on issues impacting its
  members and
  
• Collaboration with all industry oil and gas
  associations, and other organizations, to
  enhance industry unity and effectiveness in its
  advocacy.
• API also provides the opportunity for standards
  development, technical cooperation and other
  activities to improve the industrys
  competitiveness.

3
Security Objectives

• Energy Assurance
• Supporting the security of domestic oil and
  natural gas assets and operations
  
• Energy Confidence
• For our customers, stakeholders and the American
  public
  
• Energy Responsiveness
• In partnership with federal, state and local
  agencies

4
Y2K déjà vu ?
5
API SECURITY ACTIVITIES

• Coordinating Oil Industry Associations Security
  Coalition
  
• Responding to Legislative Initiatives
• Public Communications on the Adequacy of
  Petroleum Product Supplies
  
• Security Standards Initiatives
• Working with Federal Agencies
• Outreach to State Agencies

6
OIL NATURAL GAS INTERCONNECTIVITY

• Upstream

Inbound
Processing
Marketing
Distribution
Outbound
Exploration Data analysis Drilling Producing G
athering
Processing Storage
Pipelines Trains Shipping Ports Trading
Pipelines Trucks Barge Trading
Terminals Trucking Distributor
Refining Co-generation Liquefying Storage
Retail Aviation Marine Industry Commercial Re
sidential
Credit card
Power
Banking
Water
Telecommunications
Transaction systems
Security
Gas
Transportation routes
Computer networks
Market
Partners
Shareholders
Suppliers
Customers
Employees
Governments
Contractors
Consumers
7
Oil Association Security Coalition includes

• American Petroleum Institute
• American Waterways Operators
• Association of Oil Pipe Lines
• Canadian Assn. of Petroleum Producers
• Chamber of Shipping of America
• Domestic Petroleum Council
• Energy ISAC
• Energy Security Council
• Independent Liquid Terminals Assn.
• Independent Pet. Producers Assn. of America
• International Association of Drilling
  Contractors
  
• Natl Association of C-Stores
• Natl Ocean Industries Assn.
• Natl Petrochemical Refiners Assn.
• Natural Gas Supply Association
• Off-shore Operators Committee
• Petroleum Marketers Assn. of America
• Service Station Dealers of America
• Society of Independent Gasoline Marketers of
  America
  

Plus close coordination with our natural gas
counterparts, including AGA INGAA electric
power and petro-chemical counterparts
8
Information Sharing

• Serving as oil industry security alert
  distribution point -- from FBI/NIPC/DOE/DOT to
  hundreds of oil and natural gas companies (short
  term)
• Supporting Energy Information Sharing Analysis
  Center (ISAC), more robust long term solution
  

9
Recommendations to Senate Energy Natural
Resources Committee

• Legislative
• FOIA Exemption for voluntary and mandatory
  information
  
• Liability and Antitrust relief for critical
  infrastructure protection
  
• Access to law Enforcement and Intelligence
  Information
  
• Government industry should work together to
  develop a process that ensures the sharing of
  relevant information
  

10
API Standards Program

• API formed in 1919 division of Standardization
  formed in 1923, first standard published in 1924
  
• All Segments active in standardization
• API publishes 500 technical standards
• Basis for Operations Worldwide
• Core of Institutes Technical Authority

11
Participation in API Standards Activities

• API standards meetings are open to all interested
  parties. Interested parties include consumers,
  manufacturers, contractors, distributors,
  designers, and the general public
• Standardization subordinate unit membership may
  include representatives of non-API member
  companies to satisfy legal and operational needs,
  to achieve industry consensus in standards
  development, and to meet needs for special
  expertise or skills

12
API IT Security Forumformed Summer 2000
API sponsored forum to identify and address
industry-wide cyber security issues and
opportunities
Objectives

• Pro-actively work together to address areas of
  common interest to the petroleum industry
  
• Demonstrate that the petroleum industry is taking
  prudent steps to protect our IT infrastructure
  to reliably deliver energy services in support of
  our nations economy

13
API IT Security Forum Activities

• Lessons Learned Sharing - CERT, Security
  Awareness Training, etc.
  
• Standardization
• Common language protocol for inclusion in Joint
  Venture agreements Security Architecture
  
• Common recommendations for protecting critical
  information technology assets Data
  Classification
  
• Provide input on policy issues related to IT
  security
  
• Leverages opportunities to influence key
  legislative and regulatory activity
  
• Joint funding of common interest research
  development
  
• Benchmarking size, budget, tools, intrusions,
  outsourcing

14
API IT Security Forum Incident Response Framework

• Computer Security Incident Response Plan
  Framework
  
• improve the security of the corporate
  infrastructure
  
• minimize the threat of damage from malicious
  activities
  
• GOAL maintain/restore business continuity

15
API/AOPL Pipeline Security Task Force

• Working with DOTs Office of Pipeline Safety
• Developing alert levels and countermeasures
  specific to oil pipeline industry
  
• Developing oil pipeline industry guidance on
  security practices and risk assessment

16
Oil Industry Security Standards Initiatives

• GOAL
• Industry-wide agreement on security condition
  alert levels (based on DOE 5 levels)
  
• Counter Measures Response Activity Templates
• Vary by industry segment
• Range of options based on size of company,
  location, other variables

17
Targeted Timeline

• December 2001More than 50 complete for
  pipeline segment
  
• Early 2002Cyber agreement, working with ISACs
• 1st Quarter 2002General consensus
  industry-wide, refinement throughout the spring

18
API State Petroleum Councils

• Offices in 27 state capitals
• Responsibility for 6 additional states
• Information sharing relationship with other state
  and regional organizations
  
• Responsible for state legislative, regulatory and
  public affairs
  
• Liaison with other oil and gas related
  associations in states

19

Alaska Oil Gas Assn.
API Eastern Region
API Central Region
Western States Petroleum Assn..
NM Oil Gas Assn..
API Southern Region
Mid-Continent Oil Gas Assn..
New Mexico Oil Gas Assn.. Former RMOGA States
Western States Petroleum Assn..
20
API States Security Survey

• Who is lead agency and is there a designated
  energy-specific contact?
  
• Lead agency generally falls to emergency
  management agency, public safety/state police,
  National Guard or new security position/task
  force
• Fewer than 10 had energy-specific contacts

21
Agency/Industry Collaboration

• Need to work together
• To prevent onerous legislation
• To ensure continued partnership between
  government and industry
  
• Current Examples of bad legislation include
• Chemical Security Act
• Legislation mandating security standards
• Jointly engage Homeland Security on Energy Issues

22
FOR FURTHER INFORMATION
Kendra L. Martin API Security Team Leader Americ
an Petroleum Institute tel. 202-682-8517 martink
_at_api.org
www.api.org