BP and Incident Response: How Well Do Oil and Security Mix?

Michael Hammer

BP and the Oil Industry are taking a lot of heat these days — much of it rightly so. Moving beyond the drama and evaluating the overall response of BP and others reinforces much of what is taught in incident response training and preparation… by showing the outcomes when one does not respond well. This is probably the most important incident that the responders involved will deal with in their professional lives.

For those of us working to protect Internet Infrastructure and resources there are useful lessons as we consider what is happening in the Gulf of Mexico and their response effort. Five of those lessons relate to:

  • Incident Avoidance
  • Preparation
  • Containment
  • Response Resources
  • Credibility

Many are asking whether the Deepwater Horizon explosion and subsequent consequences could have been avoided. From the information coming out, there are strong indications that it could have been. Pressure to keep costs down and to complete the drilling as soon as possible seems to have played a significant role in setting the stage. How often do we encounter security cost containment and resistance to implementing security measures because they "interfere"?

Lack of preparation also played a significant role in dealing with the initial explosion and subsequent events. Response plans were pro forma and purchased from a 3rd party. Based on questions and statements during recent U.S. Congressional hearings it appears that other oil companies also purchased these same plans with nobody actually determining whether the response plans made sense. Language about protecting (nonexistent) walruses in the Gulf is a smoking gun in this respect. Studies show that the majority of organizations fail to test their (security) incident response plans or run incident response exercises.

Whether containing oil or data, there is always a tension between the need to move quickly and the risks associated with the impact of the response effort. As illustrated by the BP response, there is a tendency to underestimate the scope and scale of an incident during the first phases of a response. Initially the public estimates were 1,000 barrels per day. This was then increased to 5,000 barrels per day, and after several more revisions the most recent flow estimate was revised to as much as 60,000 barrels per day. Based on how BP and others responded, these estimates were most likely used internally as much as they were for public consumption. If the initial estimates used had been at the higher end of the range, we would likely have seen a more aggressive response in preparing for oil reaching coastal areas and other impacts. Understanding the scale of a security incident is always difficult in the initial timeframe, but the tendency seems to be to underestimate and respond in a manner similar to BP.

It takes time and money to bring response resources to bear. For containing oil this means hiring personnel and training them, acquiring and positioning booms, boats, support equipment and a host of other things. The logistics of incident response are complex whether the leak is oil or data. In the security realm something seemingly as simple as a 3rd party security firm acquiring forensic images from partner or vendor machines might take as long as a week just to sort out authorizations and legal agreements. Key personnel may have to be pulled from other projects or outside contractors arranged. The lesson here is to get ahead of the curve in applying resources as a means of mitigating and controlling damage.

The final lesson — although many more might be gleaned from the BP experience — is to think about the impact of comments and announcements and how others might perceive you. When BP CEO Tony Hayward said he just wanted his life back, he really didn't understand how others might perceive his comment. When coupled with delays in assistance payments to impacted individuals and companies, his remarks were news stories waiting to happen. It's a reasonable assumption that he has plenty of advisors and coaches helping him in his dealings with the media and the public. Are your public facing contacts prepared for a major security incident?

If the external communications appear this way, consider what the internal communications must look like. Engineers, Line Managers, Brand Managers, HR, Lawyers, Consultants, Finance, Risk Management, Compliance, Public Relations and others are just some of the people trying to work through the myriad of issues that need resolution. In a security incident, who in your organization might get involved? How well will internal communications be handled?

The analogy between the BP incident and data breaches or fighting attacks against Internet infrastructure might not be perfect, but it is close enough that all of us involved with CSIRTs (Computer Security Incident Response Teams), crisis management or organization infrastructure and data ignore these lessons at our peril.

A special thanks to James Lohman for his assistance with this article.
