Growing Danger of Cyber-Attacks Challenges Oil and Gas Industry
Energy industry systems are a frequently targeted area for cyber-criminals
Robbing a bank used to be easy. The bandit need only conceal his identity by donning a ski mask or other disguise before bursting into the bank, taking a hapless teller by surprise, and then intimidating her into handing over the loot. Hidden cameras and alarms were a hindrance, but only if the robber, or his gang of thieves, weren’t quick enough to get out of the bank before the cops arrived – screeching tires and all. At least, that’s how it always happened in the movies.
Nowadays, a bank robbery can take place silently, without detection by the bank or its customers, due to our increasing reliance, and some would say over-reliance, on the Internet.
That is what happened this past summer, when the largest bank in the United States, JP Morgan & Chase, announced that it had been the victim of a massive cyber-attack. During the attack, JP Morgan revealed, over 80 million bank accounts were breached, including 76 million household accounts and 7 million belonging to small businesses. While the company assured its clients that no personal information had been stolen, the scale of the security breach was alarming, and showed that big, seemingly secure banks are not immune to cyber-criminals.
Oil and gas companies don’t face the same point-of-sale challenges as banks and retailers when it comes to cyber-security, but what they do have is large operations with a great deal of automation and interoperability, huge cash flow moving between different parts of their businesses, and of course, critical infrastructure such as production wells, pipelines, processing facilities and waste disposal areas that are all vulnerable to sabotage.
According to a report by the U.S. Department of Homeland Security, out of all critical infrastructure sectors, energy was the most targeted for cyber-attacks during the first half of 2013. The department’s industrial control systems cyber emergency response team (ICS-CERT) reported that out of 200 incidents it responded to, over half (53 percent) were in the energy sector, compared to critical manufacturing at 17 percent. The majority of the incidents involved “watering hole attacks, SQL injection and spear phishing [e-mail] attacks,” states the report. In 2012, 41 percent of such attacks were directed at the oil and gas industry.
Another recent report by U.S. IT security provider Symantec showed the number of targeted cyber-attacks rose by 91 percent last year, with mining and oil and gas firms the most at risk. Symantec said the report demonstrates a significant shift toward “mega breaches,” meaning cyber-criminals are plotting far in advance before pulling off a huge heist, rather than executing quick hits for smaller rewards.
“One mega breach can be worth 50 smaller attacks,” says Kevin Haley, director, Symantec Security Response. “While the level of sophistication continues to grow among attackers, what was surprising last year was their willingness to be a lot more patient – waiting to strike until the reward was bigger and better.”
That sentiment is shared by Simon Goldsmith, director of cyber security with BAE Systems, which helps clients prepare for cyber-attacks by understanding and managing their exposure, thus enabling them to put effective protections in place.
In an interview with Oil and Gas Product News, Goldsmith said that while phishing remains the most common threat to most companies’ security, what energy companies should really be concerned about are “small, sophisticated attacks.”
“There are not many of them but they are very well targeted. There’s an awful lot of effort going into making sure they’re effective.”
Probably the most familiar example of a successful cyber-attack in an industrial setting occurred in 2010 with the Stuxnet worm. Targeted at uranium enrichment centrifuges used in Iran’s nuclear program, the computer worm was able to reconfigure the centrifuge drive controllers, causing the equipment to slowly destroy itself.
While hackers had infiltrated industrial complexes before, Stuxnet was the first worm to target programmable logic controllers (PLCs), which run automated machinery such as that employed in factory assembly lines. That made it especially threatening to industries such as oil and gas, which employ a lot of SCADA and industrial control systems (ICS).
While Stuxnet was eventually eradicated through software patches, the threats to industry did not disappear; in fact, Stuxnet has spawned many imitators.
The most immediate threat to oil and gas companies from a cyber-attack is physical sabotage – considering the potential damage to the environment, human health and company reputation – but according to Goldsmith, a slower, less visible infiltration can be equally disruptive over the longer term.
“Things like blocking or delaying information through SCADA and industrial control systems could disrupt the entire industrial process,” he said. “Changing the composition of a fluid flowing through a pipeline, for example, or the chemical mix, would obviously have some pretty catastrophic consequences.”
An industrial control system that has been tampered with can also lead companies to make bad decisions based on wrong information.
While oil and gas companies have used SCADA and ICS systems for years, what has changed from a cyber-security point of view, according to Goldsmith, is the convergence of information technology and automation technology – which used to be seen as entirely separate.
“Security was looked at as a rather unnecessary bolt-on because it was very separate from IT and the threats that would attack IT,” he explained. “So bringing those two types of technology together introduces automation technologies to all the risks that IT is exposed to, but automation isn't designed to be protected from it.”
Goldsmith said another thing that’s changed is the sophistication of hackers and their methods, whether their motivation is to make money or to embarrass the organization. Hacking is also cheaper than it used to be. Malware that has the capability of stealing millions of passwords now changes hands for just a few thousand dollars.
With these increased risks of digital crime, it’s more important than ever for companies to be aware of cyber-security. In this respect, the oil and gas industry does better than others. According to a 2014 report by BAE, titled “Business and the Cyber Threat: The Rise of Digital Criminality,” energy organizations are more likely than the finance/insurance and telecom sectors to be worried about industrial espionage and state-sponsored agents mounting targeted attacks against them.
Goldsmith, however, notes that while energy companies are more aware of threats – especially to plant safety and the environment – “what they don’t yet get is the probability of a cyber-attack.”
So what can oil and gas companies do to keep the hackers away from their industrial control systems and therefore avoid any potentially catastrophic security breaches?
According to Goldsmith, it’s important for companies to understand the nature of the threats against them, where their vulnerabilities lie, and where they should be prioritizing their investment in protection measures, such as monitoring software. “They can put that software into their own security operations which helps to protect against advanced attacks,” he says.
If a security breach has already taken place, Goldsmith said a company like BAE will lead an investigation into the attack.
“We’ll identify who’s attacked them, why they’ve attacked them and what is their activity on the network. Quite often, while we’ve been doing that in response, the attacker is still in there. We’re able to monitor that activity and make it safe for the customer so that they don’t suffer any more damage.”
On such occasions, time is obviously of the essence.
“You need to be very quick,” says Goldsmith. “The more advanced attackers will open up back doors and that sort of thing, in a very efficient way. We’ll help them with the remediation, with the media releases and the next step, which is hardening the estate and putting the right protection in at the critical points.”
Goldsmith also emphasized that while companies need to be vigilant and take all necessary measures to protect against cyber-espionage, there is also a risk of going too far, where security measures impede online access.
“There are new means to combat these threats, so don’t stop doing all these things which could give you a real competitive advantage just because you’re worried about the threat,” he said.