October 4, 2006

Buying, selling energy being conducted in safer environment due to Sandia standards assessments

ALBUQUERQUE, N.M. — Companies buying and selling natural gas and electricity are conducting business in a safer environment thanks to three information standards assessments done by Sandia National Laboratories since 2000.

“Buying and selling natural gas used to occur in a system where everyone knew each other. All transactions were handled by phone and fax, and people trusted each other,” says Sandia researcher David Duggan, who has been involved in three assessments of information standards set by the North American Energy Standards Board (NAESB), formerly the Gas Industries Standards Board (GISB). The Department of Energy (DOE), Office of Fossil Energy (FE), Office of Oil and Gas sponsored the assessments.

All that changed with the arrival of the Internet. Bidding and purchasing of fossil fuels are done electronically with limited or no personal contact — opening the door for fake transactions or worse.

In 2000 a Sandia team performed assessments of the GISB’s Electronic Delivery Mechanism (EDM) standard for wholesale gas distribution.

“At that time the organization didn’t understand much about information security and didn’t realize how easy it could be for someone to break into the system,” Duggan says. “As a result, we found a number of critical security issues in the standards and reported them to GISB along with suggested mitigation strategies.”

As is generally expected with security assessments, GISB was not in complete agreement with Sandia’s assessments of all the vulnerabilities. However, the GISB made enough direct changes to the standards that when a second Sandia assessment team did a follow-up in late 2005 and early 2006, they found that more than half of the original vulnerabilities had been corrected.

“More than half of the residual vulnerabilities were eliminated by the addition of improved technology,” Duggan says. “For example, new and better encryption methods were adopted, methods that didn’t exist in 2000. It is to GISB’s credit that they, as an industry consortium, have addressed a majority of the vulnerabilities and are working on plans to address the remaining vulnerabilities.”

A third assessment team recently completed an analysis of proposed public key infrastructure (PKI) standards for the wholesale electric power sector, finding some vulnerabilities and offering mitigation strategies. Since these are new standards that have not yet been adopted and used by NAESB members, “a proactive opportunity exists for NAESB to address a number of these issues before the standard is ever implemented,” Duggan says.

“If these mitigation strategies for PKI are followed, it will enable the standard to be secure for many years to come,” Duggan says. “Without the leadership and collaborative approach of DOE’s Office of Oil and Gas, these assessments would never have been performed on this important component of the U.S. critical infrastructure and electronic transactions in the energy sector would be considerably more vulnerable.”

The North American Energy Standards Board (NAESB) is an independent and voluntary North American organization that develops and promotes the use of business practices and electronic communications standards for the wholesale and retail natural gas and electricity industries. Its members include more than 300 companies and organizations that participate actively in the retail and wholesale natural gas and electricity markets.

