One of the most disheartening things about the Gulf of Mexico disaster is watching BP, the government and the other involved parties appear to make up their response as they go along. Aren’t oil companies required to plan for failures and how to recover from them? As it turns out, yes, they are. Tonight I found the official “Regional Oil Spill Response Plan – Gulf of Mexico” that BP filed with the US government. Some sections I read completely, but at a minimum I looked at every single page of it. (All 583 of them.) If you want to read through it you can download it here. In fact, you probably ought to grab your own Incident Response Plan and compare it to BP’s response plan. Here are some of my thoughts on their plan and the lessons those of us in InfoSec may be able to learn from it.
The first thing I noticed was that this document was definitely written to meet regulatory requirements. It has lots of flow charts, organizational charts, and contact information. It details the contracts maintained with ships to perform oil skimming and position containment booms. Planes to drop dispersants? Check. Detailed info about the dispersants themselves? Yup, got that. Do they have procedures to use when deciding how to perform surface burns? Of course! There is information on how to assist animal life of all kinds, including some that have probably never been in the Gulf of Mexico. It even has a section on the “Worst Case Discharge”. And on it goes. So why are we still spilling 500,000 – 700,000 gallons (12,000 – 19,000 barrels) of oil per day in spite of this lovely plan?
The most glaring omission is that the plan has not a single mention of how to stop an active oil spill. Not a peep about it, whether it’s on land or on the ocean floor. There isn’t even a reference to other documents on how a blowout would be halted. It does mention practice exercises and ongoing training, but even that appears to be focused on mopping up oil on beaches and the ocean surface. I suspect that this plays into why containment chambers, top kills, junk shots and other ideas are getting thrown around. Question one: does your incident response plan include, or at least reference, other documents on how to stop the bleeding?
Next issue. The “Worst Case Discharge” appendix contains an estimate of 250,000 barrels leaking per day, calculated using an official formula required by the US government. It has a containment and cleanup strategy using oil skimmers and dispersants. Lastly, it has a detailed inventory of the ships and planes that will be used in the attempt. The problem I see with this is that it has little relation to reality. Fine, it’s the worst possible amount of oil that can be discharged and, fortunately, the current spill is not that big. But what happens if the entire drilling rig blows up? What do you do when the blowout preventer fails? How will you handle it when hurricane season hits? What if the failure is a mile underwater? What happens if multiple wells blow out? No mention of any of it. Question two: does your incident response plan take business requirements into account? What about end-of-month billing happening in the middle of an incident? Is your worst case scenario a dry formula, or does it mean something to the business?
Last issue. The BP response plan looks like it was written to keep auditors happy. It does have some really important information that I’d bet has been used during this process. Contact numbers for service providers and contracts with critical damage control resources are important. But I think this thing was written to meet a checklist. It met the legal requirements currently in force and passed muster. A document designed to keep an auditor happy is trouble in the making. Instead, how about writing one that tries to meet the needs of the potential crisis? It will probably have what the auditor wants anyway, and if there are a couple of extra hoops to add, so be it. But write the thing to deal with the leak of 500,000 gallons of oil coming out of the ground. Or is it credit cards leaking? Compliance is great… as long as it comes after the main issue is addressed.