Middle East Attacks Highlight Cybersecurity Threat for O&G Industry
The cyberattacks launched earlier this year against Saudi Arabian national energy company Saudi Aramco and Qatar's RasGas highlight the potential threat of cyberattacks against oil and gas companies.
U.S. oil and gas companies have become more vulnerable to cyberattacks as information technology (IT) is now heavily used in energy production, processing and distribution operations, according to a September 2012 report by Rice University researchers on cybersecurity issues facing the oil and gas industry.
Energy companies are susceptible to cyber attacks in two major areas. These include the vulnerability of energy company operations systems – the computers that route electricity, open valves and operate motors – and the problem of controlling access to proprietary corporate information and data, from internal email communications to long-term development plans and new technologies, which also carry investments in the billions of dollars, according to the Rice report.
A severe threat, and one that is not out of the realm of possibility, is that hackers could infiltrate SCADA network that controls onshore and offshore pipelines and refineries, potentially taking control of production, said Srini Raghavan, a principal at Booz Allen Hamilton.
The fact that these companies are expanding their operations worldwide – with a variety of data from seismic to employee data to merger and acquisition plans shared among users – also makes them vulnerable to cyberattacks.
Storing digital plans or technical documents carries a degree of risk, because the ease of copying material in a digit format is seamless with essentially zero cost, according to the Rice report. Maintaining confidentiality and tight controls of digital information is an enormous problem without an easy solution.
The gains made in internet-connected IT in terms of productivity and efficiencies are now offset by risks such as system compromises by insiders, competitors and nation states that expose proprietary documents and processes.
"Additionally, growing concern exists that control processes throughout the energy supply chain are vulnerable to electronic tampering or manipulation," the Rice report noted.
The challenge for U.S.-based oil and gas companies that have expanded operations overseas or are working in joint ventures with foreign companies is protecting data from foreign hackers or picking and choosing data they share. U.S. energy companies must deal with the capability of competitors, particularly the intelligence proxies of national oil companies, to see inside their organizations, according to the Rice report.
"Cybersecurity may not represent an existential threat to U.S. firms or companies in the energy sector, but it does appear a more real threat than perhaps five or 10 years ago," according to the Rice report.
Evolution of Cyberattacks Against O&G Companies
In the past, cyberattacks were carried out by individuals seeking to gain attention by defacing websites or stealing employee directories. Today, the clients with whom Deloitte and Touche partner Adnan Amjad works with are mostly concerned about intellectual data theft from a cyberattack, adding that the political statement the group behind the Saudi Aramco act was trying to make is more an exception to the rule. In recent years, these attacks have become very specific and customized, such as an email targeting a chief operating officer for information.
"I think that the groups that are really active are more interested in stealing intellectual property, rather than an attack on offshore infrastructure," said Amjad.
While the Stuxnet attack, in which physical infrastructure was altered by a cyberattack, made some of Amjad's clients nervous, most of the effort by oil and gas companies against cyberattacks is more about protecting data.
Although it is difficult at times to determine which group is behind a specific attack, China and Russia are viewed as the main source of cyberattacks towards companies worldwide. Iran is perceived to be a growing threat in terms of cybersecurity, with U.S. officials recently naming Iran as responsible for cyberattacks against the recent attacks on Persian oil and gas companies.
Interest by Chinese oil and gas companies in U.S. and Canadian shale plays – including CNOOC's proposed acquisition of Nexen – has spurred a wave of acquisition activity by Chinese companies not only seeking shale assets, but access to the technology that made the U.S. shale boom possible, said Raghavan.
If a hacker gets into a company's computer system and gets access to their planned bids or bidding strategy for a project or licensing round, the loss of that kind of information could negatively impact a company's bottom line, said Martin Libnicki, senior management scientist with Rand Corporation.
While hackers seek a competitive advantage by stealing data or technology, implementing that technology without the know-how of a company's workers can be difficult.
"A lot of a company's intellectual data is what lies between people's ears," said Libnicki.
"How much can I learn actually by stealing files?" Libnicki questioned, noting that it's almost always better to get a human spy to gather information.
In regards to the Saudi Aramco attack, it is not unusual for computers to be infected with something at some time, Libnicki said. Ninety-nine percent of the time, hackers who infiltrate a company's computer system may be looking to steal passwords for bank accounts or credit card information, not disable computers.
"The attack did not penetrate Aramco's oil production and distribution capability, which is isolated from the company's automation networks," said Libnicki. "The takeaway is that isolation works; it is an effective way of protecting critical infrastructure from attacks of this level of sophistication."
Cyberattacks against oil and gas companies are also being carried out in protest of oil and gas company operations, Amjad noted. In July, the hacker collective Anonymous and CyberZeist hacked into the computer systems of ExxonMobil, Shell, BP, Gazprom and Rosneft in protest of the companies' plans to drill for oil in the Arctic.
Intellectual property theft is a major target of cyberattacks, but the theft of employee information also presents a security issue. Shell had information on employees in Nigeria stolen, which could potentially have put those employees at risk for kidnapping, Amjad noted. Social networking sites such as Facebook also make it easier for hackers to gain access to personal data.
Though cybersecurity has been recognized as an important issue in the oil and gas industry, attempts to introduce new legislation in U.S. Congress to improve the level of security for computer network systems used by the government, the private sector and other public sector agencies have not been successful.
After a series of bills failed, Sen. Joseph I. Lieberman (D-Conn.) introduced the Cyber Security Act of 2012, which was intended to address the issue of the perceived problem of an insecure cyber infrastructure in the United States. However, Congress recessed until after the presidential elections next month without passing the cybersecurity legislation.
Libnicki has mixed feelings on whether legislation proposed in Congress to address cybersecurity issues will be effective. While ensuring the integrity of oil and gas infrastructure – particularly midstream and downstream assets such as pipelines and refineries – is critical, Libnicki feels that information sharing in itself will not do much to address the issue. He also doesn't trust the potential standards of legislation not that flawed legislation could potentially do more harm than good.
Banks and cybersecurity companies are the most effective in terms of addressing cybersecurity issues because they have working on these issues for decades. In comparison, the oil and gas sector is not as good at dealing with cybersecurity issues, and also lack the relationship with the U.S. government that the banking and telephone company industries have, Libnicki noted.
What the Oil & Gas Industry Can Do
Greater collaboration among oil and gas companies already working on cybersecurity issues and with third parties who collect and pool cyberattack data are some of the suggestions made by Rice researchers in their report. Oil and gas companies should also position themselves to receive cyber intelligence from U.S. government agencies and their allies when the information is timely and relevant.
Energy firms also need to combine their abundant geopolitical knowledge with inputs from their IT organizations to understand not just the "what and when" in the event that their information systems are attacked, but also the "how and why", according to the Rice report. Additionally, oil and gas companies should assess the costs of their cybersecurity efforts to more accurately assess and economies may be located.
According to PricewaterhouseCoopers' (PwC) Global State of Information Security Survey 2013, most global oil and gas executives are confident in the effectiveness of their information security practices. However, diminished budgets have impacted the effectiveness security programs. Reported security incidents are on the rise, and new technologies are being adopted faster than they can be safeguarded, the survey found.
Forty-two percent of oil and gas respondents surveyed say their organization has a strategy in place and is proactive in executing it – exhibiting two distinctive attributes of a leader, PwC said in its survey.
However, PwC found that 15 percent of oil and gas respondents rank as leaders when comparing their self-appraisal against four key areas of leadership, including having an overall information security strategy; employing a CISO or equivalent who reports to a CEO, CFO, COO or legal counsel; having measured and reviewed the effectiveness of security within the past year, and understanding exactly what type of security events have occurred in the past year.
Seventy-six percent of oil and gas survey respondents are confident that they have installed effective security behaviors in their company's culture, yet most do not have a process in place to handle third-party breaches, PwC noted.
"What's more, only one-third require third parties to comply with privacy policies. This suggests a troubling gap in perception."
Fifty-four percent of oil and gas respondents expect security budgets to increase in the coming year, PwC reported.
"More encouragingly, they report fewer deferrals and fewer budget cutbacks for security initiatives. Compared with last year, for instance, 16 percent more respondents say they had not cut capital expenditures for security programs."
Oil and gas companies have started to focus on addressing cybersecurity issues, with monetary budgets set aside to purchase technology to thwart cyberattacks. However, education is the most effective tool companies can employ in addressing cybersecurity issues.
Just over half of oil and gas respondents have an employee security awareness training program – a fundamental element of an effective security culture, PwC reported in its survey. The PwC survey found that staff dedicated to security awareness and training is in place at 56 percent of oil and gas companies, the lowest since 2007.
Taking a risk-based approach and applying the right measures to protect against cyberattacks is a journey, not about just putting up a tool, said Amjad.
WHAT DO YOU THINK?
Generated by readers, the comments included herein do not reflect the views and opinions of Rigzone. All comments are subject to editorial review. Off-topic, inappropriate or insulting comments will be removed.