Computer security breaches in energy companies pose a double threat. They endanger corporate data privacy, and they also threaten the stability of the oil and gas supply along with the national energy grid infrastructure. This is especially true in today's environment, where record high crude oil prices, dwindling fossil fuel reserves, the ongoing threat of global terrorism and increasing geopolitical instability in the Middle East remind the world of its dependence on a stable oil supply on a daily basis.
The challenge of maintaining information security in an oil and gas company is exacerbated by the size of the refining and distribution network. With hundreds of locations that can be thousands of miles apart in dozens of countries, energy companies can run between 5,000 and 26,000 applications to support their work. Each application typically requires a password for user access, creating daunting vulnerabilities and administrative burdens.
With decentralised operations extending to remote oilfields and distant offshore drilling platforms, for example, field personnel at a rig are often casual about sharing passwords. This creates the potential for unauthorised access to applications and sensitive data files. So does the fact that users often create passwords that are easy-to-figure-out derivatives of names and birthdays. A determined hacker may be able to crack the code with relatively little effort, leaving company systems and applications at risk.
Another problem is that, remote oil field employees who forget their passwords frequently can't get their jobs done. If a geologist in the field is locked out of test well data files he needs because he forgot his primary password, for instance, that may delay the drilling of a new production well or – worse – cause a drilling error that diminishes the output of the new well. Help desks can and do provide password reset services, but analyst firms estimate that each password reset call to the help desk costs between $25 and $40. This adds up to millions of dollars annually for some enterprises.
Concerns about ineffective password systems and lax password security have led to industry regulations. In the U.S., for example, Sarbanes-Oxley includes a call for improved password security.
Almost half of the major energy companies worldwide have turned to enterprise single sign-on (ESSO) technology to combat these and other problems. ESSO enables users to sign onto the corporate network at the start of their workday with a single password. Once users are signed in, their application passwords are entered automatically and securely by the ESSO system, enabling users to gain immediate access to drilling data, production reports and other critical information without having to create, remember, update and otherwise manage multiple passwords themselves.
The ease and convenience of ESSO eliminates the need for oil and gas workers to remember a dozen or more individual passwords and does not require password synchronization. With the human memory factor removed, complex application credentials and randomly generated user IDs and passwords can be applied and changed as frequently as the application permits. With different, complex credentials for each user and each application, systems are more difficult to breach and data is more securely locked down.
Indeed, implementing ESSO either on a stand-alone basis or integrated into an Identity Management (IDM) system eliminates most of the problems associated with traditional password use: lost or forgotten log-in details, productivity losses, excessive support costs and network intrusion related to password pilfering. ESSO also aids compliance with the Sarbanes-Oxley Act in the U.S., the Data Protection Act in the UK, and other regulations requiring data to be kept private, confidential and secure.
The benefit: added protection for geo-scientific surveys, proven and probable reserves data, pipeline pumping stations, process controls, and other sensitive databases and mission-critical infrastructures vital to the energy company's privacy as well as national security.
In addition, since ESSO executes application access on the user's behalf, it can capture real-time data showing which employees access various applications and when. It can therefore provide comprehensive reports on password-related activity and full audit trail visibility about the issuance and use of passwords, ensuring that security policy is maintained over time.
With or without ESSO, homeland security concerns are prompting many companies today to move from simple authentication, which uses only a password, to advanced or “strong” authentication, which typically requires both a password and an authentication device. This provides granular control over the level of authentication required to access specific applications. In graded two-factor authentication, for example, a user who has lost her smart card but remembers her password can get limited access to some network resources until she receives a new card.