At many energy companies, cybersecurity efforts have long taken a backseat to physical security measures. IT and operational technology departments have frequently been kept separate from one another, with the latter often given preference over the former. Partly, this is a function of legacy, as many oil executives have backgrounds in exploration and extraction, rather than IT. But a simple bottom-line calculus also factors into the situation. While drills and pumps bring moneymaking natural resources to the earth’s surface, firewalls and anti-virus software do not.
That calculus is quickly changing, however. While cybersecurity measures still cannot add to a company’s revenue, they can certainly protect against losses. And with cyberattacks growing in both number and sophistication, executives at many energy companies are beginning to understand just how substantial those losses can be.
According to security firm Trend Micro’s 2015 “Report on Cybersecurity and Critical Infrastructure in the Americas,” 76 percent of security leaders say that attacks against infrastructure are becoming more sophisticated. In that same survey, 55 percent of respondents said they had noticed an uptick in the number of attacks over the previous year (with only 7 percent reporting a decrease), and 43 percent of respondents said they had detected cyberincidents that were specifically targeting infrastructure. Perhaps most concerning is the fact that the energy industry ranked second (behind only government) on the list of sectors facing malicious attacks designed to delete or destroy information.
At the same time that attack levels are rising, so are the costs of a successful breach. IBM and the Ponemon Institute estimate the cost incurred for each sensitive stolen record at $217, with the average total cost of a data breach at $6.5 million. Energy companies, in particular, have a special set of vulnerabilities. Similar to enterprises in fields such as finance and healthcare, they store sensitive data, including payment information and personally identifiable information. But unlike companies in those sectors, many oil, gas and utility companies use their IT networks to control large physical systems. Add in the fact that energy companies’ IT systems contain treasure troves of valuable intellectual property, and it is easy to see why a successful cyberattack against an energy company has the potential to be catastrophic in multiple ways.
Additionally, many energy companies operate in remote locations and harsh environments, making it more difficult to secure and monitor networks and equipment. Often, these enterprises’ operations run 24/7, so there is no quiet “after hours” period in which unusual network activity would stand out. Most critically, many companies in this sector manage powerful equipment that could lead to physical harm for workers or the general public if it were commandeered by attackers.
This multitude of potential targets within energy companies demonstrates how the industry is under assault from a number of different angles. For obvious reasons, energy companies are attractive targets for terrorists who want to cripple Western operations and generally wreak havoc by inflicting physical damage in a spectacular fashion. The sector is also vulnerable to antagonistic activists and nation-states. The trade secrets housed on company information systems make them vulnerable to corporate espionage, as well as organized crime syndicates working on behalf of competitors. Finally, malicious insiders may target their own companies for any of the above reasons, or simply because they are unhappy with their employer.
Cybercriminals are currently using three popular methods of attack on the networks of energy companies: network-based attacks, watering holes and spear phishing. In network-based attacks, cyberattackers utilize platforms such as the Nuclear exploit kit to launch attacks directly against a company’s infrastructure. A watering hole is a third-party website known to be visited by energy stakeholders (for example, the energy section of a major news website) that attackers have infected with malware, which can then spread to an energy company’s own network. Spear phishing is a form of “social engineering” in which attackers send fraudulent emails purporting to be from a known contact of the victim. The recipient is then prompted to either click on a malicious link or provide confidential information.
The following two attacks illustrate the potential consequences when cyberattackers target critical infrastructure:
Haifa: In 2013, the Associated Press reported that the northern Israeli city of Haifa had fallen victim to unknown, sophisticated cyberattackers who targeted a toll road there. Using a Trojan horse attack to take control of systems, the cyberattackers shut down the roadway for 20 minutes on one day, and then the next day locked down the tollway for eight hours.
Stuxnet: Widely seen as the world’s “first digital weapon,” the Stuxnet worm that sabotaged Iran’s nuclear program was discovered in 2010. The worm attacks programmable logic controllers used to control machinery, and it was introduced into networks via an infected flash drive. The worm demonstrated how mechanical systems can be just as vulnerable to cyberattacks as computer systems.