CybersecurityEnergy companies prime targets for hackers
A third of the cyber incidents handled in 2014 by DHS’s Industrial Control Systems Cyber Emergency Response Team involved energy companies. Oil and gas operators face the greatest cyber risks among energy producers because their projects often involve multiple companies working together, sharing information, and trying to integrate systems. Still, 60 percent of energy companies around the world said they do not have a cyberattack response plan.
A third of the cyber incidents handled in 2014 by DHS’s Industrial Control Systems Cyber Emergency Response Team involved energy companies. Oil and gas operators face the greatest cyber risks among energy producers because their projects often involve multiple companies working together, sharing information, and trying to integrate systems. One partner firm might drill a hole, another frack the shale, followed by another transporting the gas through a pipeline. The activities often are then monitored remotely, with information being sent to field offices and corporate headquarters. Each step involves computers and corporate networks, creating an open target for hackers. “The more third parties you work with, in general, they could then become a target to pivot into your network,” said Bob Marx, a cybersecurity and industrial automation consultant with Cimation, an energy consulting company headquartered in Houston, Texas.
Paul Kurtz, CEO of TruSTAR Technology, points out that hackers target energy firms regularly because of the information and technology involved. He cautions though that the risk from these cyberattacks go beyond losing information to opening opportunities for serious damage. In 2007 the Energy Department showed how a cyber intrusion can cause an electricity generator to spew black smoke. Three years later, the computer virus Stuxnet destroyed Iran’s uranium centrifuges. In 2012 hackers wiped out 30,000 computers at Saudi Aramco . The “malicious virus that originated from external sources” could have been aided by insiders, said Cedric Leighton, a former National Security Agency official who now heads his own consulting firm. “These systems are vulnerable and unfortunately we’re only as good as the weakest link,” he said back in 2012.
The Pittsburgh Tribune-Review reports that 60 percent of energy companies around the world said they do not have a cyberattack response plan, according to a survey this year by Oil and Gas IQ. “It’s quite easy for people to say, ‘It’s not going to happen here,’” said Kurtz, who was White House senior director for critical infrastructure protection in the Bill Clinton and George W. Bush administrations. “The problem is that the bad guys aren’t necessarily that selective. … There is no doubt that you could use a cyberattack to make things blow up.”
Graham Speake, who teaches cybersecurity to oil and gas executives at SANS Institute, said lack of education and awareness remain the top hurdles in preventing cyberattacks against oil and gas operations. Marcellus shale operations are particularly vulnerable because smaller companies are handling the drilling, and executives often know little about cyber risks or where to seek information.
While security firms continue to ring the alarm on cyberthreats against oil and gas companies, many in theindustry consider the dangers limited. Terry Boss, senior vice president of environment, safety, and operations at Interstate Natural Gas Association of America, told the Pittsburgh Tribune-Review that a major pipeline incident “isn’t realistic.” Should a hacker get past cybersecurity protections, he said, simple mechanical controls can prevent pressure buildup. “Is it disruptive if there’s a cyberevent for a company? Absolutely,” Boss said. “Is it going to affect the health of the customers along the pipeline or delivery? No. We’re doing everything we can do to prevent that sort of thing.”