Energy firms have spent vast sums on the security of their information systems, but they must reorient from a reactive, tactical posture regarding intrusions and attacks to a more strategic, holistic view that expands beyond the categorization of the issue as an IT problem, according to a new paper from Rice University’s Baker Institute for Public Policy.

The paper, “Cyber Security Issues and Policy Options for the US Energy Industry,” investigates how energy companies involved in the production and delivery of hydrocarbons, as well as companies that generate and transmit electricity, face new risks posed by malicious software. These risks can affect the continuity of operations, the capacity to deliver products and services, and the ability to protect investments (particularly in R&D) from theft or unauthorized disclosure.

The paper comes against the backdrop of the US Congress’ failure this summer to pass significant cyber-security legislation for the protection of commercial and government information technology infrastructure.

“For the energy industry, cyber security is not just a technology problem, but, rather, is one that includes the larger dynamics of information and operations,” said Christopher Bronk, the paper’s principal author and a Baker Institute fellow in information technology policy. “How public policy can form components of the response to cyber-security issues pertaining to the energy industry and the critical infrastructure that it builds, operates and maintains requires considering both the complexity of the issue and the nuance in potential policy prescriptions.”

The paper details examples of major oil and gas companies that have suffered a significant data breach or disruption of IT service, the latest being Saudi Aramco. In August, Saudi Aramco saw as many as 30,000 computers on the company’s network compromised by a malicious piece of “malware,” possibly the one labeled “Shamoon” by the computer malware community.

“The issues of cyber espionage and true cyber attacks—the ability to achieve kinetic outcomes by manipulation of computer systems—represent significant challenges for the energy industry, the United States government and the international community,” Mr. Bronk said. Mr. Bronk hosted a range of international cyber security experts from business, government and academia at the Baker Institute in September to discuss the latest information on how to detect, defend against and respond to emerging cyber threats. HP