The Fuse

The Unique Cyber-Vulnerabilities of the Oil and Gas Industry

by Leslie Hayward | April 30, 2015

At the most recent Information Systems Security Association conference, a sample poll of cybersecurity experts found that a majority of them believe there will be a “major” cyberterrorism event within the next year. A plurality predicts that this attack will focus on the energy industry. Thirty-five percent of the security professionals polled pointed at the power grid as the target of this strike, while 13 percent predicted the oil and gas industry would be targeted.

While cyberterror attacks against all corporations are on the rise, there is a consensus among industry experts that energy is a disproportionately large target. The implications of a successful attack are sweeping, ranging in severity from a significant oil supply outage or spill, to a power outage, damage to industrial equipment, or a compromise of personal or company information.

While the energy sector only represents 5-6 percent of U.S. GDP, the energy industry is subject to roughly 32 percent of all cyberattacks.

The energy sector represents some 5-6 percent of U.S. GDP, while energy extraction activities alone comprise roughly 2 percent, according to EIA. However, the energy industry was the subject of roughly 32 percent of all cyberattacks in 2014. According to the CEO of cybersecurity firm Symantec, “Targeted attacks are increasing dramatically. It could be state sponsored or it could be just hacktivists or it could be a cyber-criminal organization. But we know the number one target is government institutions and the second is manufacturing, including oil and gas.”

Motivations of cyber terrorists, who are unlikely to profit financially by attacking energy infrastructure, are unclear. According to Ernst and Young’s report on Oil and Gas Cybersecurity, sophisticated networks of skilled “hacktivists” are now in place, solely motivated to create highly visible incidents that embarrass or harm companies involved in the oil and gas industry. Such agents have little accountability. The fact that they are not motivated by financial gain or other conventional norms raises concerns about who these actors are, and why the oil and gas industry provokes their ire.

An axe to grind?

To date, perhaps the most prominent cyberterror attack on the oil and gas industry was the August 2012 strike against Saudi Aramco, the state oil company of Saudi Arabia. In the attack, more than 30,000 of Aramco’s computers were infected with a virus. The attack was traced to a group of Iranian hackers who refer to themselves as “Cutting Sword of Justice.” The group took credit for the attack on PasteBin, a hacker forum, and justified it as retaliation against the Stuxnet virus attack against Iran’s nuclear facilities. More specifically, the hacker group criticized Saudi Arabia’s cooperation with “tyrants of other countries,” and accused Aramco of “sponsoring these tyrants with Muslim oil resources.”

According to the New York Times, the virus replaced company data on thousands of computers with an image of a burning American flag. Investigators found that the attack against Aramco, and a subsequent attack at Qatari Energy Company RasGas, were the work of Iranian hackers. Israeli officials determined that the attacks were the work of Iran’s new “cybercorps”—a group that formed after the cyberattacks coordinated by the United States and Israel against Iran’s nuclear facilities. Specifically, the attack was likely a response to the deployment of the Stuxnet computer worm, which debilitated Iran’s uranium enrichment program by damaging more than 1,000 centrifuges at Iran’s Natanz facility. In the years since, cyberattacks from Iranian hackers have increased.

As is often the case with terrorism, these groups are of particular concern to security experts and energy companies due to their perceived lack of accountability.

Saudi Aramco said that the attackers had failed to penetrate its oil production systems only because the company maintained a separation between its employees’ administrative computers and the computers used to control and monitor production. It posted on its Facebook page that the disruption appeared “to be the result of a virus that had infected personal workstations” but said the virus “had no impact whatsoever on any of the company’s production operations.” RasGas said the attack on its computers had failed for the same reason.

Unfortunately, as all computer systems become increasingly integrated, this defense strategy is simply not viable in the long term.

More vulnerable?

According to Ernst and Young, oil and gas industry Operational Technology systems, or OT, have historically operated in isolation, unconnected to the company’s externally networked intranet or internet. OT systems are the control points for rigs, drills, refineries, and other industrial equipment. Use of proprietary hardware, software, and communications tools, combined with isolation from office networks, has provided OT technology with a robust layer of protection against attacks.

In recent years, demand for business insight, remote network access, and new kinds of software have caused many companies to integrate control systems with their other information technology networks. The added benefit of sophistication and flexibility has also created profound vulnerabilities—cyber criminals are now, theoretically, able to access and control insecure operational technology systems in ways they never were before.
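The defense that Aramco and RasGas credited above, and the integration risk this paragraph describes, come down to one question a defender can check mechanically: can any host on the administrative network reach the process-control network, directly or by hopping through an intermediate zone? The following is an added example, not code from The Fuse article or from any of the companies or firms it cites. It models a default-deny, zone-based firewall policy and audits it for paths from an assumed “enterprise” zone into an assumed “control” zone, reporting whether the two are separated, bridged by a single rule, or bridged transitively through a DMZ. The zone names, rule sets and three-zone layout are constructed for illustration.

```python
"""Audit a zone-based firewall policy for paths from the enterprise (IT)
network into the process-control (OT) network.

Added example, not code from The Fuse article or from the companies it
describes. Zone names, rule sets and the enterprise -> dmz -> control
layout are constructed assumptions.
"""
from collections import deque

# A rule permits traffic from one zone to another on a named service.
# Anything not listed is treated as denied (default-deny policy).
# Rule shape: (src_zone, dst_zone, service)

CONTROL_ZONES = {"control"}        # assumed zone housing PLCs, HMIs and other control gear
ENTERPRISE_ZONES = {"enterprise"}  # assumed zone of administrative workstations and office services


def reachable_zones(rules, start):
    """Return every zone reachable from `start` by chaining permitted rules.

    Reachability is transitive: if enterprise may reach dmz and dmz may reach
    control, a compromised host in dmz gives enterprise a path into control.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst, _service in rules:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def find_paths(rules, start, targets):
    """List every loop-free chain of rules leading from `start` into a target zone."""
    paths = []
    stack = [(start, [])]
    while stack:
        zone, path = stack.pop()
        for rule in rules:
            src, dst, _service = rule
            # Skip rules that do not leave this zone or that would revisit a zone.
            if src != zone or dst == start or any(r[1] == dst for r in path):
                continue
            new_path = path + [rule]
            if dst in targets:
                paths.append(new_path)
            else:
                stack.append((dst, new_path))
    return paths


def audit(rules):
    """Classify a policy as 'separated' (no enterprise-to-control path),
    'direct' (a single rule bridges the zones) or 'transitive' (the only
    bridges pass through an intermediate zone). Returns (verdict, findings)."""
    findings = {"direct": [], "transitive": []}
    for ent in ENTERPRISE_ZONES:
        for path in find_paths(rules, ent, CONTROL_ZONES):
            findings["direct" if len(path) == 1 else "transitive"].append(path)
    if findings["direct"]:
        verdict = "direct"
    elif findings["transitive"]:
        verdict = "transitive"
    else:
        verdict = "separated"
    return verdict, findings


# Constructed sample policies.
SEPARATED_POLICY = [
    ("enterprise", "dmz", "https"),      # office users read dashboards hosted in the DMZ
    ("control", "dmz", "historian"),     # process data is pushed outward only
]

INTEGRATED_POLICY = SEPARATED_POLICY + [
    ("dmz", "control", "rdp"),           # a jump host added for remote access
]

DIRECT_POLICY = [
    ("enterprise", "control", "any"),    # flat network: no separation at all
]

if __name__ == "__main__":
    for name, policy in [("separated", SEPARATED_POLICY),
                         ("integrated", INTEGRATED_POLICY),
                         ("direct", DIRECT_POLICY)]:
        verdict, findings = audit(policy)
        print(f"{name}: {verdict}")
        for path in findings["direct"] + findings["transitive"]:
            print("  path:", " -> ".join(f"{s}:{svc}" for s, _d, svc in path) + " -> control")
```

The transitive case is the one the paragraph is about: each rule in the integrated policy looks reasonable on its own, yet together they give an administrative workstation a route into the control zone through the DMZ jump host. Running the audit on every policy change, rather than only reviewing rules one at a time, is what keeps the separation that protected Aramco from quietly eroding.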

In addition to the mere possibility that a malicious cyber threat could compromise an oil and gas company’s operations, there is the added concern that even a brief disruption of operations could yield disastrous results. In the words of Ernst and Young, “Unlike IT systems, which can be shut down at certain times for testing without major consequences, OT is necessary around the clock, every single day. One reason is financial; even momentary disruptions can result in considerable losses in revenue. More importantly, however, disruptions at facilities such as refineries, petrochemical plants or pipelines, can create major safety and environmental issues.”

The Stuxnet worm, for example, was sophisticated enough that it altered the functionality of Iran’s centrifuges, sending them spinning out of control and permanently damaging the existing equipment. A hacktivist targeting the oil and gas industry likely wouldn’t need to develop something quite so advanced—mere momentary disruption of operations is enough to cause loss in revenue and potential damage to equipment or the environment, and also humiliate the company involved.

Adding insult to injury, these same characteristics of oil and gas industry infrastructure also prevent companies from utilizing all necessary protective measures. A typical aspect of a robust cybersecurity program is utilization of “penetration testing,” which uses simulated attacks similar to those used by real-world hacktivists to identify vulnerabilities in a network’s security systems. Penetration testing is the only surefire way to identify weak points, but due to the realistic nature of the testing, can lead to actual disruptions in facility operations. This deters many companies from partaking in a full analysis of the weaknesses in external defenses, potentially opening the door for far more severe disruptions brought on by a successful attack.

An instrument of war?

Cybersecurity and cyberterror are new frontiers in energy security. Not only do they compromise commercial operations, but a severe, well-executed attack has the potential to roil oil markets, disrupt military operations, and cause unprecedented structural or environmental damage. Following the Iranian attack on Saudi Aramco, then-defense secretary Leon Panetta warned of an impending “cyber 9/11” if the United States did not respond more effectively to attacks. Thus, cybersecurity has become a priority at the military level.

In November 2012, a White House draft executive order called for concerted agency action on the issue. According to the New York Times, “The order describes the attacks on critical infrastructure, which have risen exponentially over the last five years, as ‘one of the most serious national security challenges we must confront.’”

Oil and gas infrastructure is particularly vulnerable, not only because integrated OT systems prevent companies from bolstering their defenses, but also because a single attack can have such a profound impact. In this way, cyberterror has created yet another link between energy supply and the country’s economic and national security.

Domestically, a coordinated effort between national security agencies, cybersecurity firms, and the energy industry could help prevent catastrophic attacks. However, we still live in a global oil market, where a disruption anywhere can cause an oil price spike everywhere. As the attack on Saudi Aramco demonstrates, the security of many of the global oil market’s key players is largely outside of our control.