Public utilities and the oil and gas industries, which are critical foundations of the U.S. economy and infrastructure, are becoming more vulnerable to security threats, according to a recent report. The sectors are vulnerable to malicious actors from within and from nonstate actors and terrorists abroad, according to a report on the state of security in those industries. Further, the vulnerabilities highlighted in the report make plain that the utilities and oil and gas sectors could be doing more to shore up their defenses.
The U.S. utilities and oil and gas industries are massive in terms of market scale and power. According to Fidelity, the utilities industry has a total market capitalization of around $1 trillion, while the oil and gas sector has a market capitalization of nearly $2.4 trillion.
Big industries make big targets. According to a report from consulting firm PwC, The Global State of Information Security Survey 2015, there were 5,493 detected security incidents directed against the oil and gas sector in 2014, and 7,391 against the utilities industry.
According to the PwC report, attacks against these sectors can carry a large financial cost. The report notes that ¬security incidents in the power and utilities sector cause $1.2 million in financial losses on average, and for the oil and gas sector the figure is even higher, at $4 million.
The attacks vary widely in nature and scope. Some are physical attacks on infrastructure, while others are cyberattacks that target computer systems and networks.
In April 2013, a shooter fired at PG&E's Metcalf substation. The San Francisco Chronicle reported that the attack “damaged 17 transformers, caused $15 million in damage and shook up the utilities industry.” According to a CNN report in October 2015, the shooter had not been found, but a Department of Homeland Security official said the agency thinks the shooting may have been committed by a company insider. Jon Wellinghoff, who was chairman of the Federal Energy Regulatory Commission at the time of the attack, called it “the most significant incident of domestic terrorism involving the grid that has ever occurred,” according to the Wall Street Journal.
In August 2012, Saudi Aramco, one of the world’s largest oil companies, was struck by a massive cyberattack, which U.S. intelligence officials say was perpetrated by hackers in Iran, according to the New York Times, though that assertion has never been conclusively proven. The attack destroyed or partially wiped 35,000 of the company’s computers in only hours, CNN reported.
No attacks on that scale have happened in the United States to date. However, in October Ohio-based utility company FirstEnergy Corp. was hit by an attempted denial of service attack, which the company’s firewalls thwarted, according to EnergyWire.
The threat of cyberattacks is real but the oil and gas industries and utilities do not seem to be spending a great deal of money to counter that threat. According to PwC, companies in the utilities industry spend an average of $3.7 million per year on information security, and oil and gas firms spend $5.7 million annually on average.
One reason that the cybersecurity spending might seem low is because utilities, in particular, might feel that the government would compensate them in the event of an attack. According to Moody’s Investors Service, “the likelihood of governmental intervention to financially restore a damaged utility and its services is high, and helps mitigate any rating impact from an attack.”
There are several strategies energy and utilities companies can deploy to secure their IT infrastructure, according to PwC. These include physical and perimeter security, as well as greater investment in authentication, device and endpoint security, and monitoring.
Around 55 percent of utilities reported using intrusion-detection tools in 2014, according to PwC, and 64 percent of oil and gas firms are doing so, leaving large portions of the industries unsecured.
However, such a lax approach to cybersecurity is not unique to utilities and the energy sector. The Ponemon Institute, a research center dedicated to privacy, data protection and information security policy, surveyed 1,825 IT management and security practitioners from 42 countries in North America, Europe, the Middle East, Africa, Asia-Pacific and Latin America. According to the Ponemon report issued in May, only 58 percent of survey respondents say they have invested enough in IT security to comply with security standards and laws.