[Log In] []

Exploring the science and magic of Identity and Access Management
Tuesday, September 27, 2016

My 11 Years Blogging on Identity

Blogging, Identity
Author: Mark Dixon
Friday, May 13, 2016
3:00 pm


Eleven years ago today, on May 13, 2005, also Friday the 13th, I wrote my first post for this Discovering Identity blog, then hosted on the Sun Microsystems blog server.  In my maiden post, entitled Sun-Microsoft Interoperability – Focus on Identity Management, I wrote about Scott McNealy and Steve Ballmer speaking about enabling interoperability between Microsoft and Sun platforms.  

In line with my focus on Identity Management, I commented:

Identity Management is the key to enabling interoperability. It is the pivot about which the Microsoft/Sun relationship turns. Why – because Identity, by its very nature, transcends platforms. Regardless of which application or platform is being used, a user’s basic identity doesn’t change. So, in a naturally heterogenous world, an ability to rise above the differences between computer platforms is necessary if companies are to reach goals of efficiency and connectivity they require for business success.

Although I might now change a word or two in that paragraph, the essence of the statement still holds true –  Identity is definitely a key enabler for digital interactions among people, systems, applications and devices.

As a novice blogger, I also commented about my excitement in joining Sun the previous October:

I’m delighted to be here, on the front lines of a market with high customer demand, multiple business benefits, interesting innovation, strong competition and real-world results.

It turned out that publishing my blog was the single most beneficial thing I did for my career at Sun. It opened doors, solidified my credibility, triggered new opportunities and launched new friendships with people all over the world.

A lot of water has passed under the proverbial bridge in the last eleven years. Just think – my blog is older than the iPhone and almost as old as Facebook!  Once a formidable giant, Sun Microsystems is no more. Interesting terms like the “Internet of Things” and “selfie” hadn’t yet been invented when this blog was launched. The number of channels for sharing information on the Internet has skyrocketed exponentially since then. But the content of this blog still hangs around. 

Although the frequency of my posts diminished dramatically after joining Oracle six years ago, and my blog’s popularity in the IAM industry certainly waned, I still find it enjoyable to make my little contribution to the blogosphere every now and then.

It makes me wonder, what will the next eleven years bring?

Comments Off on My 11 Years Blogging on Identity . Permalink . Trackback URL

Enabling Digital Transformation with REST API

Author: Mark Dixon
Friday, September 4, 2015
3:39 pm

I was recently introduced to a powerful new tool created by the folks at Persistent Systems, a long time Oracle development and systems integrator partner. The Oracle Identity and Access Management platform has a very rich set of Java APIs that enable developers to access nearly all of the functionality this platform from external applications.  The challenge is not completeness, but complexity.  To take advantage of this rich API set, external developers have to know much about the internal workings of the IAM products and the intricacies of writing the Java code to access the APIs.

The Persistent Systems engineers have developed a REST API on top of the Oracle Identity Governance Java API that exposes OIG capabilities in a much simpler, more “process friendly” way. For example, a few services available are:

  • User Access Request
  • Get User’s Provisioned Roles
  • Acting on Pending Authorizations
  • Authenticate User
  • Authorize User

… and the list goes on.

How would you like to translate those “business level” requests into Java API calls?

To demonstrate the capability of the REST API, a developer at Persistent Systems created the application shown in the image below, with a clean, easy-to use interface for OIG approvals and certifications – all without being an expert in Java or the detailed processes within OIG.  The iPhone and Apple watch images include screen shots from my phone and watch.  It really does work!

The most important thing to consider is not the neat user interface – although it has some cool features – it is how an intelligently constructed REST API can provide development agility, application flexibility and rapid deployment, all essential enablers for digital transformation.

Persistent Systems

 Leonardo Da Vinci has been credited with the wise statement, “Simplicity is the ultimate sophistication.”  I think Leonardo would like this approach.

Comments Off on Enabling Digital Transformation with REST API . Permalink . Trackback URL
WordPress Tags: , ,

#YJJ Architecture: Oracle #IoT Platform

Internet of Things, Yellow Jeep Journey, YJJ Architecture
Author: Mark Dixon
Saturday, March 22, 2014
8:06 am

As a starting point to explore how to implement the YJJ Architecture, let’s take a look at the Oracle Internet of Things platform. The following diagram highlights what parts of the Oracle reference architecture would be installed in the Jeep and which would be in the Yellow Jeep Cloud.


The Oracle architecture is built end-to-end on Java.  At the device and gateway end, Oracle Java ME Embedded can e leveraged in the sensor devices. Oracle Java SE Embedded would be used in the Gateway device that ties multiple sensor subsystems together and communicates wirelessly to the Yellow Jeep Cloud in a data center.

In the Yellow Jeep Cloud, a variety of Oracle middleware and application products, also implemented in Java, can be leveraged, based on the specific application. 

In future posts, I will drive to a deeper level of detail on both the Jeep and cloud sides of the architecture to examine how this reference architecture can be applied to equip my Yellow Jeep for its journey.

Comments Off on #YJJ Architecture: Oracle #IoT Platform . Permalink . Trackback URL
WordPress Tags: ,

Oracle Identity Management 11g R2: Securing the New Digital Experience

Author: Mark Dixon
Thursday, July 19, 2012
9:15 pm

Today, the 11g R2 version of the Oracle Identity and Access Management platform was formally announced, with the tagline, “Optimized to Secure the New Digital Experience.”

We in the information security organizations of Oracle have been waiting anxiously for this announcement.  This week, the North American Sales and Sales Consulting organizations gathered in Santa Clara, CA, to be training in this exciting new set of products.

There are three major reasons why I believe this announcement is a big step forward for our customers.

First, this release delivers advanced functionality that gives really compelling business reasons for existing Sun Identity Manager customers to migrate to the Oracle Platform. It is no longer an issue of “moving from point A to point A in functionality,” just to get on the Oracle platform before premium support expires for the Sun product.  It means moving to the Oracle platform to leverage really innovative capabilities that will accelerate business value..

Second, this platform brings to reality a dream we were promoting at Sun as part of Project Destination way back before the Oracle acquisition: integrating Identity and SOA technologies to deliver “highly personalized, identity-enabled, blended applications on mobile devices.”  The new Mobile and Social capabilities and Secure API functionality added to the Oracle Access Management platform, provide a fully-integrated platform to deliver such functionality more easily and more securely than ever before.  Back at Sun, many of our customers adopted the vision we espoused, but making it happen was pretty hard work.  Now, the Oracle Access Management platform does all the heavy lifting for us.

Third, this release shows continued, significant progress towards Oracle’s vision of a truly integrated, service-oriented architecture for Identity and Access Management.  No longer is the Oracle suite just a nice collection of acquired products.  From my perspective as an Enterprise Architect, it is great to see the convergence of data models, functionality, administration services and architectural components.  It is the simplification and streamlining of architecture that will ultimately solve the complexity our customers face.

So, it will be great to work with our customers to show how they can leverage this great platform to meet their business needs. Saddle up for a great ride!

Comments Off on Oracle Identity Management 11g R2: Securing the New Digital Experience . Permalink . Trackback URL
WordPress Tags:

Resurrecting Discovering Identity on Blogs.Oracle.Com

Author: Mark Dixon
Thursday, March 15, 2012
10:41 am

In response to requests that I refresh my Discovering Identity blog that has been lying dormant on blogs.oracle.com since February 2010, I have commenced today to satisfy that request.

Discovering Identity

I created this blog on blogs.sun.com in May 2005 and updated it regularly until Oracle acquired Sun in February 2010, at which time I switched to self-publishing the blog here at discoveringidentity.com.  The full archive of my posts from May 2005 to February 2010 is available on this site and also on the oracle.blogs.com site.  From now on, I will publish items of interest to the Oracle community on both sites and address issues beyond that scope on this discoveringidentity.com site.

If anyone has items you would like me to address specifically on the blogs.oracle.com site, please let me know.

Comments Off on Resurrecting Discovering Identity on Blogs.Oracle.Com . Permalink . Trackback URL
WordPress Tags: , ,

Solaris 11 is Coming!

Author: Mark Dixon
Thursday, October 27, 2011
6:19 pm

What are your plans for November 9th?  Why don’t you plan to join Mark Hurd, John Fowler and an elite cadre of Oracle folks at the Solaris 11 launch at Gotham Hall on Broadway in the Big Apple!

Wednesday, November 09, 2011

9:00 a.m. – 1:30 p.m. ET

Gotham Hall, 1356 Broadway at 36th Street, New York, NY 10018

You can register here for an in-person seat.

You’ll take away knowledge of how to build your infrastructure with Oracle Solaris 11 to accelerate internal, public, and hybrid cloud applications, optimize application deployment with built-in virtualization and achieve top performance and cost advantages with Oracle Solaris 11–based engineered systems.


Comments Off on Solaris 11 is Coming! . Permalink . Trackback URL
WordPress Tags: ,

Nostalgia Near the Clock Tower

Author: Mark Dixon
Thursday, July 14, 2011
9:53 pm

I have spent the week with my North American information security colleagues from Oracle, meeting on the historic Oracle/Sun Microsystems campus in Santa Clara, California.  What a delight it was to visit this beautiful campus once again as I mingled with so many friends and professional associates.  This business campus was built on the site of the former Agnews Insane Asylum.  Several of the elegant old buildings remain, suitably updated and equipped for modern use.  But I heard flitting comments today that some people think these buildings are haunted.

Back in the day, the Clock Tower building was known as the Treatment Center.  It makes you wonder what went on there … and what ghosts the “treatments” left behind.

Here are a couple of photos I took of the Clock Tower building with my iPhone this week.


It was interesting that a Sun Microsystems sign/monument still occupies a prominent position in the rear of the Clock Tower building, near another smaller monument honoring a Sun Microsystems leader who perished in the 9/11 bombing in 2001. What irony!

All the other signs were brightly accented with bright Oracle red – a fitting reminder about whose campus this really is.

But it has been suitably nostalgic to visit this place today.  As I participated in an hour-long conference call while sitting on the concrete bench surrounding the beautiful fountain near the rear of the Clock Tower building today, I couldn’t help but think of the many, many hours I spent on this campus during my five years with Sun Microsystems, the wonderful colleagues I worked with, and the dreams we shared together.

Comments Off on Nostalgia Near the Clock Tower . Permalink . Trackback URL

Oracle Security Online Forum

Identity, Information Security
Author: Mark Dixon
Thursday, February 17, 2011
11:23 am

imagePlease join us for a set of informative discussions about Information Security in the Oracle Security Online Forum, sponsored by Oracle and Accenture, where leading industry executives and Oracle product experts will come together to discuss security trends, best practices, and proven solutions for your business.

The illustrious lineup includes:

  • Mary Ann Davidson, Oracle’s Chief Security Officer—on industry-leading standards, technologies, and practices that ensure that Oracle products—and your entire system—remain as secure as possible
  • Jeff Margolies, Partner, Accenture’s Security Practice—on key security trends and solutions to prepare for in 2011 and beyond
  • Tom Kyte, Senior Technical Architect and Oracle Database Guru—on how you can safeguard your enterprise application data with Oracle’s Database Security solutions
  • Vipin Samar, Vice President of Oracle Database Security Solutions—on new approaches to protecting data and database infrastructure against evolving threats
  • Nishant Kaushik, Oracle’s Chief Identity Strategist—on how organizations can use Oracle Identity Management solutions to reduce fraud and streamline compliance

Additionally, security solution experts will be on live chat throughout the event to answer your toughest questions.

You can register for the event here.

Hope to “see” you there.

Technorati Tags: ,,
Comments Off on Oracle Security Online Forum . Permalink . Trackback URL
WordPress Tags: , ,

Introducing Oracle Identity Management 11g

Author: Mark Dixon
Tuesday, July 13, 2010
12:58 pm

I am pleased to announce the official public webcast introducing Oracle Identity Management 11g:

Date: Wednesday, July 21, 2010
Time: 10:00 a.m. PT / 1:00 p.m. ET


Amit Jasuja,  Oracle’s Vice President Identity Management and Security Products, will lead the discussion, as he and other Oracle executives:


“… introduce a new and revolutionary approach in application security – Oracle Identity Management 11g.

“Modern enterprise architectures are evolving rapidly, yet many security solutions in use today represent decade old technology. Businesses must adapt swiftly to stay competitive, yet bolted-on security controls impede IT agility. Compliance mandates continue to grow in number, while organizations continue to struggle with their staggering costs and complexity.

“Oracle Identity Management 11g redefines the architectures that secure the modern enterprise, ushering in a new era of agile security, rapid ROI, and sustainable compliance. Join us to learn more about the exciting new developments.”

I’m looking forward to this event.  We hope you can join us, too.

You can register by clicking here.

Technorati Tags: ,
Comments Off on Introducing Oracle Identity Management 11g . Permalink . Trackback URL
WordPress Tags: ,

Information Security in the Oil and Gas Critical Infrastructure Protection (CIP) Sectors

Author: Mark Dixon
Tuesday, July 13, 2010
12:22 pm

In a recent post, I highlighted a new Oracle white paper entitled, “Protecting the Electric Grid in a Dangerous World,” which describes how Oracle Identity Management solutions and the Oracle data security portfolio offer an effective, defense-in-depth security strategy to help meet this challenge, playing a key role in the North American Energy Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cyber security standards.

image An Oracle colleague asked appropriately, What about the oil and gas industry?  Isn’t this part of the energy industry also considered part of the critical infrastructure in the United States?  Isn’t the oil and gas industry vulnerable to cyber attack? Aren’t methods for protecting information assets in the oil and gas industry similar to those in the electrical distribution industry? 

The answer to each question is a resounding “Yes,” but with some differences. Let’s explore a bit of history and discuss the focus of Information Security in the Oil and Gas Critical Infrastructure. This post is longer than most of my blog posts, but I felt the length was justified to give a good overview of the topic.

Historical Perspective

image The Federal Government official recognition of the vulnerability of critical infrastructure in the US began with the Presidential Decision Directive NSC-63 on Critical Infrastructure Protection, signed by Bill Clinton on May 22, 1988.  The executive summary of that directive reads in part:

The United States possesses both the world’s strongest military and its largest national economy. Those two aspects of our power are mutually reinforcing and dependent. They are also increasingly reliant upon certain critical infrastructures and upon cyber-based information systems.

Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. They include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private. Many of the nation’s critical infrastructures have historically been physically and logically separate systems that had little interdependence. As a result of advances in information technology and the necessity of improved efficiency, however, these infrastructures have become increasingly automated and interlinked. These same advances have created new vulnerabilities to equipment failure, human error, weather and other natural causes, and physical and cyber attacks. Addressing these vulnerabilities will necessarily require flexible, evolutionary approaches that span both the public and private sectors, and protect both domestic and international security.

The Homeland Security Presidential Directive – HSPD-7 entitled “Critical Infrastructure Identification, Prioritization, and Protection", signed by President George W. Bush, on December 17, 2003, served to amplify the focus and attention on Critical Infrastructure Protection.

Terrorists seek to destroy, incapacitate, or exploit critical infrastructure and key resources across the United States to threaten national security, cause mass casualties, weaken our economy, and damage public morale and confidence.

America’s open and technologically complex society includes a wide array of critical infrastructure and key resources that are potential terrorist targets. The majority of these are owned and operated by the private sector and State or local governments. These critical infrastructures and key resources are both physical and cyber-based and span all sectors of the economy.

Critical infrastructure and key resources provide the essential services that underpin American society. The Nation possesses numerous key resources, whose exploitation or destruction by terrorists could cause catastrophic health effects or mass casualties comparable to those from the use of a weapon of mass destruction, or could profoundly affect our national prestige and morale. In addition, there is critical infrastructure so vital that its incapacitation, exploitation, or destruction, through terrorist attack, could have a debilitating effect on security and economic well-being.

While it is not possible to protect or eliminate the vulnerability of all critical infrastructure and key resources throughout the country, strategic improvements in security can make it more difficult for attacks to succeed and can lessen the impact of attacks that may occur. In addition to strategic security enhancements, tactical security improvements can be rapidly implemented to deter, mitigate, or neutralize potential attacks.

In response to this directive, seventeen CIP sectors of national importance were specified:

    1. Information technology
    2. Telecommunications
    3. Chemicals
    4. Transportation systems, including mass transit, aviation, maritime, ground/surface, and rail and pipeline systems
    5. Emergency services
    6. Postal and shipping services
    7. Agriculture, food (meat, poultry, egg products)
    8. Public health, health care, and food (other than meat, poultry, egg products)
    9. Drinking water and waste water treatment systems
    10. Energy, including the production refining, storage, and distribution of oil and gas, and electric power
    11. Banking and finance
    12. National monuments and icons
    13. Defense industrial base

The US Department of Energy (DOE) bears responsibility for leadership of the Energy sector, encompassing  the production refining, storage, and distribution of oil and gas, and electric power except for commercial nuclear power facilities.  DOE responsibilities in this sector include:

  • collaboration with all relevant Federal departments and agencies, State and local governments, and the private sector, including with key persons and entities in their infrastructure sector;
  • conducting or facilitating vulnerability assessments of the sector; and
  • encouraging risk management strategies to protect against and mitigate the effects of attacks against critical infrastructure and key resources.

In June 2006, the U.S. Department of Homeland Security (DHS) announced completion of the National Infrastructure Protection Plan (NIPP) Base Plan, including a sector-specific plan for the Energy Sector.  The Vision statement for the energy sector stated:

The Energy Sector envisions a robust, resilient energy infrastructure in which continuity of business and services is maintained through secure and reliable information sharing, effective risk management programs, coordinated response capabilities, and trusted relationships between public and private security partners at all levels of industry and government.

Relevant Systems

The following diagrams included in the Energy Sector plan highlight the components in the relevant systems addressed by this sector.  Each of these sectors is highly dependent of information systems to administer and control complex, interconnected systems.

The descriptions accompanying each diagram came from the National Infrastructure Protection Plan (Energy Sector).

The electrical distribution grid


The U.S. electricity segment contains more than 5,300 power plants with approximately 1,075 gigawatts of installed generating capacity. Approximately 49 percent of electricity is produced by combusting coal (primarily transported by rail), 19 percent in nuclear power plants, and 20 percent by combusting natural gas. The remaining generation is provided by hydroelectric plants (7 percent), oil (2 percent), and by renewable (solar, wind, and geothermal) and other sources (3 percent). Electricity generated at power plants is transmitted over 211,000 miles of high-voltage transmission lines. Voltage is stepped down at substations before being distributed to 140 million customers over millions of miles of lower voltage distribution lines. The electricity infrastructure is highly automated and controlled by utilities and regional grid operators using sophisticated energy management systems that are supplied by supervisory control and data acquisition (SCADA) systems to keep the system in balance.


 The Petroleum System


The petroleum segment entails the exploration, production, storage, transport, and refinement of crude oil. The crude oil is refined into petroleum products that are then stored and distributed to key economic sectors throughout the United States. Key petroleum products include motor gasoline, jet fuel, distillate fuel oil, residual fuel oil, and liquefied petroleum gases. Both crude oil and petroleum products are imported, primarily by ship, as well as produced domestically. Currently, 66 percent of the crude oil required to fuel the U.S. economy is imported. In the United States, there are more than 500,000 crude oil-producing wells, 30,000 miles of gathering pipeline, and 51,000 miles of crude oil pipeline. There are 133 operable petroleum refineries, 116,000 miles of product pipeline, and 1,400 petroleum terminals. Petroleum also relies on sophisticated SCADA and other systems to control production and distribution; however, crude oil and petroleum products are stored in tank farms and other facilities.

The Flow of Natural Gas


Natural gas is also produced, piped, stored, and distributed in the United States. Imports of liquefied natural gas (LNG) are increasing to meet growing demand. There are more than 448,000 gas production and condensate wells and 20,000 miles of gathering pipeline in the country. Gas is processed (impurities removed) at over 550 operable gas processing plants and there are almost 302,000 miles of interstate and intrastate pipeline for the transmission of natural gas. Gas is stored at 399 underground storage fields and 103 LNG peaking facilities. Finally, natural gas is distributed to homes and businesses over 1,175,000 miles of distribution pipelines. The heavy reliance on pipelines highlights the interdependency with the Transportation Sector and the reliance on the Energy Sector for power means that virtually all sectors have dependencies with the Energy Sector.

Interdependencies across the economy

Although the electricity, oil and gas sub-sectors are complex in and of themselves, we must also recognize that these systems interact with other key CIP sectors.  The networked connectivity among these sectors amplifies increases the probability of an attack in one sector to directly affect multiple other sectors.

It is interesting to note that even small and medium size U.S. companies included in this interconnected network:

…  are more and more exposed to cyber threats from organized crime, foreign intelligence services, and probably terrorist organizations; 85 percent of U.S. critical infrastructure is owned and operated by private companies — and these companies are especially vulnerable to determined attacks which may ruin or seriously disrupt company operations.… (source: Homeland Security Newswire: “Cyber threats now targeting traditional companies”)


In recognition of the importance of addressing information security issues, the Energy sector plan states:

Today’s developing “information age” technology has intensified the importance of CIP, in which cyber security has become as critical as physical security to protecting energy CI/KR. The Energy Sector has rapidly responded to the increasing need for enterprise-level physical and cyber security efforts and business continuity plans. Voluntarily conducted vulnerability assessments have not only improved sector security but have also demonstrated industry commitment to a secure and resilient Energy Sector. Many asset owners and operators conduct self-assessments or contract with third parties to perform energy vulnerability assessments and implement protective programs at their facilities.

Specific efforts to address information security in the Electricity subsector include:

NERC has developed Cyber Security Standards CIP-002 through 009,37 which have been filed with FERC for approval and address the following requirements:

  • Data and information classification according to confidentiality
  • Identification and protection of cyber assets related to reliable operation of the bulk electric systems
  • Process control, SCADA, and incident reporting

NERC’s CIPC has issued a summary of several electric power vulnerability assessment methodologies, including a variation of DOE’s Vulnerability and Risk Analysis Program methodology, in a suite of potential vulnerability assessment tools that electric power companies should consider using.

Specific work to address information security in the Oil and Natural Gas subsectors include:

Establishing goals for vulnerability identification, detection and response:

  • Assess  security vulnerabilities at single-point assets such as refineries, storage terminals, and other buildings, as well as networked features such as pipelines and cyber systems and
  • Work toward resilient and secure cyber networks and SCADA systems to detect and respond to cyber attacks.

The AGA, the Interstate Natural Gas Association of America (INGAA), and APGA worked together to develop and release Security Guidelines: Natural Gas Industry, Transmission and Distribution. These guidelines provide an approach for vulnerability assessment, a critical facility definition, detection/deterrent methods, response and recovery guidance, cyber security information, and relevant operational standards. The industry security guidelines incorporate a risk-based approach for natural gas companies to consider when identifying critical facilities and determining appropriate actions, and are based on the DHS Homeland Security Advisory System (HSAS). The TSA, along with the PHMSA, is currently conducting onsite reviews based on these guidelines.

Importance of Energy Sector

So, just how important is the Energy Sector as a Critical Infrastructure? Though somewhat outdated, the 2006 DCSINT Handbook No. 1.02,  Threats and Terrorism states:

Energy is the infrastructure that supplies the driving force in most of American life today. Energy of some kind heats our homes, moves us for one point to another and drives our businesses and industry. The energy sector is critical to the well being of our economy, national defense and quality of life. The sector is divided into to areas, electricity and oil/natural gas. Electricity is required to operate and maintain homes, hospitals, schools, businesses and industrial plants; it is also necessary to refine oil. Disruption of electrical flow or a power grid would impact the economy and defense as well as response and recovery. Natural Gas consists of three major components: exploration and production, transmission, and distribution, with the U.S. producing 20% of the world’s natural gas supply. Oil’s infrastructure consists of five components: production, crude oil transport, refining, product transport and distribution, and control and other external support systems. The thousands of miles of pipelines offer an endless list of targets for terrorist attacks, and during transport there are opportunities for impacting more than one critical infrastructure. Over 43% of the total U.S. oil refining capacity is clustered along the Texas and Louisiana coasts. This area is subject to natural attacks as well as those of terrorists.

Recently the oil industry occupied the headlines, and the criticality of this infrastructure is not lost on terrorists. In mid-December 2004, Arab television aired an alleged audiotape message by Usama bin Laden in which he called upon his followers to wreak havoc on the U.S. and world economy by disrupting oil supplies from the Persian Gulf to the United States. The U.S. uses over 20.7 million barrels a day of crude oil and products and imports 58.4% of that requirement. On 19 January 2006 al-Qaeda leader Osama bin Laden announced in a video release that, “The war against America and its allies will not be confined to Iraq…..”, and since June of 2003 there have been 298 recorded attacks against Iraqi oil facilities. Terrorists conduct research as to the easiest point to damage the flow of oil or to the point where the most damage can be done.

Scenarios involving the oil fields themselves, a jetliner crashing into the Ras Tanura
facility in Saudi Arabia could remove 10 percent of the world’s energy imports in one
act. Maritime attacks are also option for terrorists; on October 6, 2002 a French tanker carrying 397,000 barrels of crude oil from Iran to Malaysia was rammed by an explosive laden boat off of the port of Ash Shihr, 353 miles east of Aden. The double-hulled tanker was breached, and maritime insurers tripled the rates. Energy most travel often long distances from the site where it is obtained to the point where it is converted into energy for use, a catastrophic event at any of the sites or along its route can adversely impact the energy infrastructure and cause ripples in other infrastructures. The security of the pipeline in Alaska increases in importance as efforts are made to make America more independent on energy use.

Securing Information and Control Systems

Of course, the business of oil and gas production and distribution relies heavily on security information management systems, the systems which control energy production and distribution represent widely points of access for potential cyber attacks.

In a report entitled, “21 Steps to Improve Cyber Security of SCADA Networks,” the US Department of Energy stressed the importance of security in control systems:

The U.S. energy sector operates the most robust and reliable energy infrastructure in the world. This level of reliability is made possible by the extensive use of Supervisory Control and Data Acquisition (SCADA), Distributed Control System (DCS), and other control systems that enable automated control of energy production and distribution. These systems integrate a variety of distributed electronic devices and networks to help monitor and control energy flows in the electric grid and oil and gas infrastructure.

Automated control has helped to improve the productivity, flexibility, and reliability of energy systems. However, energy control systems communicate with a multitude of physically dispersed devices and various information systems that can expose energy systems to malicious cyber attacks. A successful cyber attack could compromise control systems and disrupt energy networks and the critical sectors that depend on them.

Securing control systems is a key element in protecting the Nation’s energy infrastructure. The National Research Council identified "protecting energy distribution services by improving the security of SCADA systems" as one of the 14 most important technical initiatives for making the nation safer across all critical infrastructures.

In addition, the National Strategy to Secure Cyberspace states that "securing DCS/SCADA is a national priority".

Athough the NERC CIP standards apply specifically to electricity generation and distribution, the major categories could just as well apply to the Petroleum and Natural Gas subsectors:

    1. Identification and documentation of the critical cyber assets associated with the critical assets that support the reliable operation of the [oil or gas distribution system].
    2. Minimum security management controls in place to protect critical cyber assets.
    3. An appropriate level of personnel risk assessment, training, and security awareness for personnel having authorized cyber or unescorted physical access to critical cyber assets, including contractors and service vendors.
    4. Identification and protection of the electronic security perimeter(s) inside which all critical cyber assets reside, as well as all access points on the perimeter.
    5. Implementation of a physical security program for the protection of critical cyber assets.
    6. Defined methods, processes, and procedures for securing those systems determined to be critical cyber Assets, as well as the non-critical cyber assets within the electronic security perimeters.
    7. Identification, classification, response, and reporting of cyber security incidents related to critical cyber assets.
    8. Recovery plans for critical cyber assets that follow established business continuity and disaster recovery techniques and practices.

Recognized best practices for data security that are aligned with and answer the demands of these requirements include:

  1. Critical asset identification and documentation.
  2. Data classification.
  3. Encryption of data at rest and in transit.
  4. Data masking to hide information, for example, in test and development environments.
  5. Access control to assure robust identification, authentication and authorization of system users.
  6. Separation of duties to define administrative roles according to need.
  7. Privileged user access control, closely tied to separation of duties, allows administrators only that access required to perform their jobs.
  8. Database access monitoring, alerting and reporting.
  9. Change control and configuration management.
  10. Audit controls for all security processes.

Oracle Data Security Solutions

Oracle provides a wide range of information security products to meet the needs of industry requirements and information security best practices, including:

  1. Encryption (for data at rest and in transit)
  2. Data Masking
  3. Privileged Database User Access Control
  4. Identity and Role Administration
  5. Access Control
  6. Audit and Compliance Management
  7. Label Security
  8. Information Rights Management

In addition, complementary products from other vendors can be combined with the Oracle suite of products to implement a Defense-in-Depth Critical Infrastructure Protection security strategy strategy for the oil and gas industries.

Phew!  That’s a lot of information from many sources.  I hope you find this helpful.

A partial list of sources I used:

  1. Oracle White Paper: Protecting the Electric Grid in a Dangerous World
  2. Energy: Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan (Redacted)
  3. North American Energy Reliability Corporation (NERC)
  4. NERC Critical Infrastructure Protection (CIP) cyber security standards
  5. Presidential Decision Directive NSC-63 on Critical Infrastructure Protection
  6. Homeland Security Presidential Directive – HSPD-7
  7. DHS Sector-specific plan for the Energy Sector
  8. National Infrastructure Protection Plan (Energy Sector)
  9. DCSINT Handbook No. 1.02,  Threats and Terrorism
  10. 21 Steps to Improve Cyber Security of SCADA Networks
  11. National Strategy to Secure Cyberspace (February 2003)

Thanks for getting this far!  If you have any input or suggestions, please submit a comment or drop me an email.

Copyright © 2005-2013, Mark G. Dixon. All Rights Reserved.
Powered by WordPress.