It would be impolite not to express heartfelt thanks to the reporter who wrote the original article upon which this is based. Seldom can the energy sector respond to so many inaccuracies in one venue! (Before you get too far in, make sure you read the first part of this story.)

The article provides some apparent intelligence information: “The Coast Guard has received several reports that foreign ships attempted to probe the wireless networks of industrial facilities along U.S. waterways, federal authorities say. Homeland Security, which oversees the Coast Guard, declined to confirm details of any operation and intelligence but acknowledged a growing effort to protect oil, gas and chemical systems from hacking.”

Wow. That sounds scary, right up to the point where you understand there’s no data backing up that statement. Could it be the Chinese looking for vulnerabilities in our ports? Sure! It might also be your cousin Eddie coming home on a cruise ship and trying to get a free wi-fi signal. Is every external contact counted as an attempt to probe the network, or just those attributed to potential threats? No information. Even an actual scanning attempt using an ICS-finding engine like SHODAN is not an indication of evil intent. Technology is great at telling us how our networks are being scanned, but the technology will require integration with good, old-fashioned Human Intelligence (HUMINT) to determine why.

Antique road show

Kudos to the media for their next thought: “…many oil and gas facilities still use networks run by Windows XP, a 2003 system that Microsoft no longer updates, according to federal authorities and cyber security consultants. Others use even earlier versions of the Windows operating system from the 1990s; in rare cases, a few still use MS-DOS, the precursor to Windows.”

Guilty. And it’s completely upon us in the energy sector to fix this. But when you say “many,” is that a majority? More than two? What do these systems control? Perhaps door locks, payroll, or something critical, e.g., ICS? Context, like words, matters.

“More often than not,” Edwards said, “we find that there have been corners cut or they haven’t taken a hard look at security when they designed those networks.” Who is to blame here? Even more likely is the failure of the software and hardware industry to use parallel security and software processing in the development of code and systems. Until very, very recently, security was an afterthought.

In an immediate reversal of that line of thinking, the article says, “Some companies have begun to install firewalls, anti-virus and anti-malware programs, and require stricter security measures from equipment manufacturers, among other improvements, cyber security consultants said.”

That’s right; industry can no longer accept software and hardware lacking security features. For some time now, compelled by the energy sector and supported by many government agencies, manufacturers have been incorporating security from the earliest stages of concept. The energy sector is voting with its checkbook, selecting vendors that have already considered and implemented security in new devices.

If you make 10,000 regulations...

“Strict cybersecurity regulations govern power, chemical and nuclear facilities, but no federal laws impose such standards in the oil and gas industry,” states the article. This is a split thought and misleading. The energy sector has strict cybersecurity regulations; oil and gas companies are free to develop those that work best for them. Does either of these approaches always succeed? No. Neither does the cybersecurity at the NSA (ask that traitorous little punk hiding in Russia).

The energy sector was early to realize that no one can legislate cybersecurity. Regulation often acts as a ceiling to cybersecurity innovation and deployment, whereas the process of security establishes a baseline without boundaries. Unless you can give me specifics on who, from where, will use exactly what code on exactly what device, and predict on what date it will happen, regulation and legislation won’t work. Did I say this already? You can’t legislate cybersecurity.

Not your business

“When oil and gas companies have been infiltrated by a hacker, they aren’t required to report the incident. And if they turn to federal authorities for help, the specifics are typically kept secret because companies disclose information in exchange for anonymity and discretion.” That’s right in some respects, so I hope that statement was meant to be positive.

Anonymity and protection of proprietary and personal information are mandated by the Cybersecurity Information Sharing Act (CISA) of 2015. Here’s the gist of the federal act: “The Act promotes the goal of sharing while simultaneously providing privacy protections in two ways: first, by specifying the types of cyber threat information that can be shared under the Act between and among non-federal and federal entities; and, second, by limiting sharing under the Act only to those circumstances in which such information is necessary to describe or identify threats to information and information systems.”

The article makes a most insightful comment when it states: “Most companies are loath to talk publicly about the security of computer systems and industrial controls for fear of providing information that could be used to exploit their operations.” Yes. They are loath to talk publicly. Why? The energy sector is smart enough not to publish our game plan and make the adversary’s job easier. If only the media would take the hint… “Stop outing our protective measures.”

Loose lips sink ships

So do we, in the sector, disclose any information at all? “More than 20 of the nation’s largest oil companies, including Exxon Mobil Corp. and ConocoPhillips, refiners Phillips 66 and Valero, service companies Halliburton and Baker Hughes, and pipeline operators Kinder Morgan and Enterprise Products Partners, declined to comment or did not respond to multiple requests for comment. The American Petroleum Institute, the national trade association of oil and gas, declined comment as well.”

Sounds pretty tight-lipped, huh? Good. Our specific protections, defenses, and practices may be somebody else’s concern, but they are not their business.

The gas sector won't play with us

“The Department of Energy has developed a model of best practices while trade groups such as the American Petroleum Institute have adopted industry standards, but none is mandatory.” While not mandatory, the gas sub-sector has voluntarily complied with the Transportation Safety Administration’s gas pipeline standard for years, and regularly coordinates through government-private sector security councils and meetings. Overall, the energy sector complies with the Department of Energy’s Cybersecurity Capability Maturity Model (C2M2). C2M2 has a generalized version as well as two separate versions, one for Electric and one for Oil & Natural Gas. All three support, as well as measure, adoption of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The gas sub-sector doesn’t need to be hit over the head with regulation; we voluntarily comply and constantly develop greater capability hand-in-hand with the U.S. government.

A global problem

A photo caption read, “With a refinery that could be vulnerable to hackers behind it, a ship navigates through Buffalo Bayou heading to the Houston Ship Channel earlier this year.” “Ironically, it’s the most important (of the systems) but the least secure,” said Joe Weiss, managing director of the international cybersecurity standards body ISA99.

Could. A refinery that “could” be vulnerable. A ship that could be vulnerable. Lights across town, connected to a smart grid that “could” be vulnerable. And the reporter’s smartphone “could” be vulnerable. It’s all vulnerable. It’s not because of or in spite of anything being done by the energy sector. Why tie it to us?

In the same vein, “Cyber criminals have tried to steal money by sending employees fake invoices,” reports the article. “Other hackers lured workers to download malicious software designed to lock people out of computers or other devices until they pay a ransom.” None of this is unique to energy. Ask hospitals, homeowners, municipalities, police departments, schools…

Who's the baddest kid on the cyber block?

Phillip Quade, the former chief of the NSA’s cyber task force, said the threat is more than theoretical, pointing to two viruses launched at energy operations: Stuxnet, which damaged thousands of centrifuges at an Iranian nuclear facility in 2010, and Shamoon, which wiped out computer files in Saudi Arabian oil and gas facilities two years later. True, and chilling. Of course, the Stuxnet virus generally is attributed to the United States and was used as a weapon against Iran, while Shamoon is thought by many to be retaliation by the Iranians. The major player -- capable of doing the most damage to an energy sector target -- is us, the United States.

Train like you fight

The energy sector continues to conduct international, interagency, week-long exercises to practice defending the U.S. energy grid. A quick web search will reveal endless conferences, training sessions, and collaboration efforts with multiple government agencies. Internal safeguards like anti-phishing training programs, cybersecurity operations centers, and sharing through the ISACs create strong, credible, and flexible defenses for the energy sector.

Myth. Busted.

It is unfair and completely incorrect to paint our sector with every cyber threat known to man and call us “vulnerable.” Electricity, oil, and natural gas work together with our government partners and with each other 24/7. If you’re reading this article by artificial light, in the comfort of your air-conditioned or heated home, then we’re doing our job. You’re welcome, media.