Energy companies are often targeted by sophisticated hackers looking to create disruption across national economies. Although they are a challenge to protect, there are clear procedures they can follow to both assess their risk and mitigate it.
Over the past few years we have witnessed a paradigm shift in cybercrime: attacks have moved from focusing on stealing confidential information for gain and reputational damage, to manipulating complex systems to produce real-world effects. Increasingly, industrial control systems are linked to the wider internet. While this has increased efficiency, enabled the collection and analysis of performance data and allowed remote maintenance, it has also left systems vulnerable to malicious interference.
Oil and gas firms, which underpin the economy of the GCC, are exposed across the full spectrum of cyber threat, from loss of intellectual property and loss of reputation to disruption of operations. While traditional threat actors (rivals, criminals and environmental activists) persist, we’re seeing a concerning rise in sophisticated attacks against control systems by state-sponsored agents.
The malware programme nicknamed Stuxnet (discovered in 2010), generally thought to be the product of intelligence service cyber co-operation, targeted computers that controlled centrifuges in a nuclear enrichment programme, altering their rotation speeds, causing the centrifuges to tear themselves apart and producing a cascade of second-order effects. Ukraine also suffered a multi-tiered attack on its energy facilities in December last year. The Ukrainian CERT reported that in total eight facilities were attacked, ultimately leading to a loss of power for 80,000 people in the middle of winter. Although most recovered their power within three hours, after-shocks continued for days, with power company employees having to travel along ice-covered roads to remote sub-stations to manually close breakers the hackers had opened remotely. Most sinisterly, the attack was multi-pronged: the opening of breakers was accompanied by spoofing of monitoring systems and a distributed denial of service attack on helplines, all designed to systematically prevent the Ukrainian authorities from resuming control. Although no one has claimed responsibility for the attack, one company did manage to trace it to an ISP operated in Russia.
Energy companies are particularly vulnerable to this type of attack because of the sheer complexity of their infrastructure and their intersection with third party suppliers and contractors over whom they may have little control. Energy is a strategic target for malicious actors, as power interruptions, even if minor, can cause a cascade of secondary consequences which may cause longer term chaos. The GCC is particularly vulnerable to this type of cascading attack, as it supports millions of people in a desert environment which, in pre-20th century conditions, could support only a fraction of their number. A power cut would likely cause damage to any services not backed up with auxiliary generators, potentially affecting everything from transportation links to desalination plants.
Although energy infrastructure is perhaps the core element of critical national infrastructure (CNI) likely to be targeted by a foreign power, this is not a counsel for despair and certainly not for a “head in the sand” approach. CEOs and CIOs of oil and gas companies should take a systematic approach to surveying and then mitigating cyber risk, which can help insulate them from the worst impacts of an attack, even if total prevention remains an impossibility.
Companies need to understand their risk profile before any mitigation can begin in earnest. This involves understanding their assets, the full range of threats they may face and their vulnerabilities. The first is often one of the hardest for energy companies, which have dispersed assets all the way through their business process, from extraction to refining through to distribution. Threat assessment is often best done by a third party, be that a national CERT team or a private sector security consulting firm; these are likely to have a much clearer notion of the national threat picture. Vulnerabilities may arise from a number of different areas, including technology, processes and people. The latter should never be overlooked as a threat: for companies which employ thousands of people, vetting and control systems are vital to prevent either malicious action or incompetence. Once the cyber security function of the company has a firm handle on the risk profile, it can then move to take appropriate mitigation measures.
Mitigating the cyber risks can be looked at across three broad areas: Visibility, Intelligence and Integration.
Visibility means truly understanding what is on your environment, who is on your environment and how your environment is configured. Knowing these things and continually monitoring them for vulnerabilities and insecurities allows companies to continuously remediate and mitigate cyber risks. Large companies in particular often maintain networks patched together over decades, running different generations of hardware and software. It’s a simple truth that you can’t protect what you don’t understand; a thorough audit is vital at the start of any mitigation process. Developing and maintaining the capability to perform this auditing on a continuous basis will improve your security posture and shrink the window of vulnerability between a weakness appearing and its remediation.
Intelligence relates to your understanding of the ever-changing threat landscape and the constant discovery of vulnerabilities within ICT systems. There is no single source of cyber threat intelligence or vulnerability information, so a programme needs to be established to identify and capture the most appropriate sources for your organisation. This could include open sources, academic and research institutes, government agencies, commercial feeds, and industry information sharing programmes. Intelligence also includes having a clear understanding of the critical information necessary for your particular line of business.
Integration aggregates the information found in the other two phases and displays it in a format which can be readily understood by decision makers, enabling them to act quickly. In particular, attacks should be logged and diagnosed in a systematic fashion. Energy firms armed with this complete picture should then be able to create a continuous monitoring and mitigation capability supported by intelligence and securely integrated technology. As programmes mature, a well-integrated capability will facilitate advanced mitigation strategies that leverage machine learning and security automation to accelerate remediation and mitigation actions.
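The three areas above can be made concrete in a small reconciliation tool. The following is an added example, not code from the original article or from any vendor: it takes a constructed asset inventory (what the company believes is on its network), a constructed list of what a discovery scan actually observed, and a constructed set of vulnerability advisories, then reports Visibility gaps (unknown, missing and drifted hosts), applies the Intelligence feed to what is really running, and produces one ranked action list for decision makers (Integration). Product names, host names, advisory identifiers and the scoring weights are all assumptions made for the example.

```python
"""Added example: continuous visibility, intelligence and integration over a constructed dataset."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    zone: str          # "control" (ICS network) or "corporate"
    criticality: int   # 1 (low) .. 5 (high), set by the asset owner


# Authoritative inventory: what the company believes is deployed (constructed data).
KNOWN_ASSETS = [
    Asset("plc-01", "AcmePLC-Firmware", "2.1", "control", 5),
    Asset("hmi-01", "AcmeHMI", "4.0", "control", 4),
    Asset("hist-01", "HistorianDB", "10.2", "control", 3),
    Asset("fileserver", "SMBServer", "3.1", "corporate", 2),
]

# What a discovery scan actually observed: host -> (product, version) (constructed data).
DISCOVERED = {
    "plc-01": ("AcmePLC-Firmware", "2.1"),
    "hmi-01": ("AcmeHMI", "3.8"),           # version drift: inventory records 4.0
    "hist-01": ("HistorianDB", "10.2"),
    "vendor-laptop": ("Unknown", "?"),      # present on the network, absent from inventory
}

# Advisories pulled from an intelligence feed (constructed; identifiers are placeholders).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "product": "AcmeHMI", "fixed_in": "4.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-002", "product": "SMBServer", "fixed_in": "3.2", "severity": "critical"},
]

SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def _version_tuple(version):
    """Turn '10.2' into (10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def visibility_gaps(known, discovered):
    """Visibility: reconcile the inventory against what was observed.
    Returns hosts seen but not inventoried ('unknown'), inventoried but not seen ('missing'),
    and hosts whose observed product/version differs from the record ('drift')."""
    known_by_host = {a.host: a for a in known}
    unknown = sorted(h for h in discovered if h not in known_by_host)
    missing = sorted(h for h in known_by_host if h not in discovered)
    drift = {}
    for host, (product, version) in discovered.items():
        asset = known_by_host.get(host)
        if asset and (asset.product != product or asset.version != version):
            drift[host] = {"recorded": f"{asset.product} {asset.version}",
                           "observed": f"{product} {version}"}
    return {"unknown": unknown, "missing": missing, "drift": drift}


def applicable_advisories(known, discovered, advisories):
    """Intelligence: match advisories against what is actually running.
    The observed version wins over the recorded one; an unseen host falls back to its record."""
    hits = []
    for asset in known:
        product, version = discovered.get(asset.host, (asset.product, asset.version))
        for adv in advisories:
            if adv["product"] == product and _version_tuple(version) < _version_tuple(adv["fixed_in"]):
                hits.append({"host": asset.host, "advisory": adv["id"], "severity": adv["severity"],
                             "zone": asset.zone, "criticality": asset.criticality})
    return hits


def integrated_view(known, discovered, advisories):
    """Integration: one ranked list of (score, action) for decision makers.
    Score = severity weight * asset criticality, plus 5 for control-zone assets;
    visibility gaps become action items with fixed scores (assumed weights)."""
    gaps = visibility_gaps(known, discovered)
    actions = []
    for hit in applicable_advisories(known, discovered, advisories):
        score = SEVERITY_WEIGHT[hit["severity"]] * hit["criticality"]
        if hit["zone"] == "control":
            score += 5
        actions.append((score, f"patch {hit['host']} for {hit['advisory']} ({hit['severity']})"))
    for host in gaps["unknown"]:
        actions.append((10, f"investigate unknown device {host}"))
    for host, d in gaps["drift"].items():
        actions.append((6, f"reconcile {host}: inventory says {d['recorded']}, observed {d['observed']}"))
    for host in gaps["missing"]:
        actions.append((4, f"confirm {host} is still present; inventoried but not observed"))
    actions.sort(key=lambda item: -item[0])
    return actions


if __name__ == "__main__":
    for score, action in integrated_view(KNOWN_ASSETS, DISCOVERED, ADVISORIES):
        print(f"{score:>3}  {action}")
```

Two design points matter more than the weights. First, intelligence is applied to the observed version, not the recorded one: the HMI that the inventory lists as patched is in fact still on the vulnerable release, and only the visibility step reveals that. Second, the unknown device on the control network outranks a critical advisory on a low-criticality corporate host, because a device nobody can account for is a gap in understanding, and the article's point is that you cannot protect what you do not understand.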
It’s going to be a challenging time ahead, but with the right planning, commitment to innovation and sensible practices, nations and companies can mitigate, if not completely prevent, cyber security attacks. It’s the responsibility of both the private and public sectors working hand-in-hand to ensure infrastructure as vital as oil and gas platforms is not just defended from physical attack, but shielded from the predations of hostile states and criminals. To ignore the threat is to leave your nation hostage to the next malware attack.