Earlier this year, President Barack Obama created the 12-member Commission on Enhancing National Cybersecurity. In May, commission members traveled to New York to hear about cyber-threats to banks and insurance companies. They then went to San Francisco to talk with computer developers from Silicon Valley about the latest technology to stop cyber-attacks.
Then, last week, the commission came to Houston to learn about the threat to critical industries including oil & gas, electricity, and telecommunications.
One hot topic of the testimony was what happened last December — not in the U.S. — but in Ukraine. Computer hackers had shut down the electricity grid, leaving a quarter million Ukrainians in the dark. Operators were able to regain control in a few hours by manually resetting circuit breakers.
"A great lesson coming out of Ukraine; they're still operating in a degraded state but they're operating and that's what matters," said Scott Aaronson, a security director with Edison Electric Institute, who testified at the Houston meeting.
He and other experts told the commission that technology like security software can help prevent cyber-attacks, but that employees play a critical role.
Just look at what they're doing at ExxonMobil. Employees can no longer check their personal email accounts from work computers. Scott Robichaux, Cyber Security manager for ExxonMobil, says that's not all they're doing to reduce the risk of viruses infecting the oil giant's computers.
"We made some difficult choices in some instances to improve security over user productivity. Several years ago we made a case for restricting the use of removable media devices, USBs and CDs," Robichaux told the commission.
Those USB or "thumb" drives and other devices employees or contractors might bring into an office have been linked to virus attacks in the oil & gas industry. But one cyber-expert says many oil industry executives aren't taking the threat seriously.
Steve Mustard, a cybersecurity expert with the Automation Federation, testified about his experience as an IT engineer analyzing security at oil companies. He said there's a great safety culture at a lot of companies in which employees know they have the power to stop someone doing something dangerous like opening the wrong valve at a refinery.
"But if you see someone carrying a USB drive that they just got out of their bag, and they just arrived at the facility and they want to stick it in to download a file so they can print it out, there's no concept of stopping them doing that. And that's very, very dangerous because that is the way malware gets into these systems, that's the way we're going to introduce security problems," Mustard said.
The commission will take what it learned in Houston and the other cities and hand its recommendations to the President later this year.