Learning from the oil spill disaster

January 12, 2011/Frederick Scholl/, , , ,

I believe that information security professionals can learn from disasters reported in other areas.  After all, the basic security mission of prevent, detect and respond is the same whether the assets being protected are bytes of data or barrels of oil.

Yesterday the National Oil Spill Commision released its final report on the Deepwater disaster of April 20, 2010.  The section on root causes was especially interesting.  It is not often that we get a real analysis of the root cause of a security incident.  In this case the identified root causes were failures in management and communications, both of which directly apply to information security management.

Here are the causes identified by the Commission and the corresponding actions that should be taken by security managers to help avoid a security disaster:

 

1.  There was no process to evaluate the risks associated with last minute changes in well design or procedures.  This highlights the necessity of security representation on the Change Advisory Board as well as a strong change management process overall.

2.  Inadequate testing of well processes before utilization.  Again, this highlights the need for a strong change management process and QA function.

3.  Inadequate communications between BP, Transocean and Halliburton.  Most security operations today are at least partly outsourced to one or more vendors.  In the case of Deepwater there were numerous communications failures between vendors and between well management and operational personnel.  This highlights the need for including vendors in the security incident process and for expanding this process to include security events that may be leading to a larger incident.

4.  Inadequate communication of previous near disaster.  Another rig operated by Transocean had experienced a similar blowout four months prior to the Deepwater disaster.  Transocean had prepared an advisory regarding this event, but it was not communicated to the Deepwater team.  This highlights the need for regular review of security incidents by security management and continuous improvement of security controls.

 

The Commission report states that this accident was the result of mistakes and was avoidable.  Implementing the above procedures will help eliminate similar types of avoidable information security disasters.

Posted in
Tags: , , , ,

Frederick Scholl

Frederick Scholl is an accomplished Global Senior Information Security Risk Manager. Dr. Scholl earned a BS and Ph.D. in Electrical Engineering from Cornell University. In 1991, Fred founded Monarch Information Networks, LLC to enable forward-thinking organizations to protect their information. Previously, he co-founded Codenoll Technology Corporation (NASDAQ: CODN). He chaired the IEEE committee that wrote the first standard for Ethernet communication over fiber optic links, now used world-wide.

Book an Appointment for Cybersecurity Issues

Request an appointment with Dr. Fred Scholl. We will discuss any cybersecurity issues you have.

Book an Appointment

More Good Reading

Healthcare: Time to Review Your Cybersecurity Plan

Cybersecurity Thrives in An Organizational Context

The First National Cybersecurity Summit

New Privacy Laws Require Security Professionals Up Their Game

Cybersecurity Workforce Development: Real or Imagined Problem?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58