Energy companies are at the centre of a dangerous paradigm shift in cyber attacks over the last few years: attacks have moved from focusing on stealing confidential information for financial gain and reputational damage, to manipulating complex systems to produce real-world effects. Increasingly, industrial control systems are linked to the wider Internet. While this has increased efficiency, enabled the collection and analysis of performance data and allowed remote maintenance, it now provides a conduit for malicious interference.
Historically, the biggest threat energy companies faced was the loss of sensitive and proprietary information to competitors. This information could be as simple as a list of customers or as complex as the chemical formula for a gasoline additive or a mineral exploration investment strategy. While different areas are of interest to different types of threat actors, they generally share a single characteristic: the information is held on corporate servers in headquarters and regional offices. Information loss can be significant, having far-reaching implications for the profitability and reputation of the firms attacked. I myself was called in as an expert witness for a firm in Houston, Texas, which had developed proprietary formulas for the lubricating mud used in drilling processes and had them stolen by a rival firm.
However, such attacks rarely affect the day-to-day operations of the targeted firms; the commercial damage is real, but it unfolds over months and years as executives realise their rivals have stolen a competitive advantage from them. It rarely causes processes to be shut down and certainly doesn’t involve disruption to supply and production. These threats are best countered by robust information protection measures, including encryption of data in transit and at rest, and access controls to ensure that information is only disseminated to those who genuinely need it. The Edward Snowden and WikiLeaks cases have vividly shown how the insider threat can often be far more devastating for an organisation than an external attempt to breach its defences.
While traditional threat actors (rivals, criminals and environmental activists) persist, we’re seeing a dangerous trend in recent years of energy companies being targeted by state actors with far more ambitious and more dangerous intentions. Energy firms underpin the GCC economy, and as more and more of their systems become interconnected with the Internet, they can be targeted by a hostile state looking to attack the underpinning infrastructure of the nations in which they operate. This means successful attacks may well have real-world effects, as power outages and disruptions cascade through an economy producing second- and third-order effects, potentially leading to a perfect storm of chaos. It’s all too easy to imagine a cyber attack as the first stage of a conventional military attack by a hostile power; once a nation’s power system is disrupted, its ability to respond effectively to other threats is greatly impaired. This means that energy companies now have to think of threats along the full length of their production, supply and business processes.
The malware programme nicknamed Stuxnet (discovered in 2010), generally thought to be the product of intelligence service cyber co-operation, targeted computers that controlled centrifuges in a nuclear enrichment programme, altering their rotation speeds, causing the centrifuges to tear themselves apart and producing a cascade of second-order effects.
Ukraine also suffered a multi-tiered attack on its energy facilities in December last year. The Ukrainian CERT reported that in total eight facilities were attacked, ultimately leading to a loss of power for 80,000 people in the middle of winter. Although most recovered their power within three hours, after-shocks continued for days, with power company employees having to travel along ice-covered roads to remote sub-stations to manually close breakers the hackers had opened remotely. Most sinisterly, the attack was multi-pronged: the opening of breakers was accompanied by spoofing of monitoring systems and a distributed telephonic denial-of-service attack on helplines, all designed to systematically prevent the Ukrainian authorities from resuming control.
Energy companies are very exposed to this type of attack because of the sheer complexity of their infrastructure and their intersection with third-party suppliers and contractors over whom they may have little control. Energy is a strategic target for malicious actors, as power interruptions, even if minor, can cause a cascade of secondary consequences which may cause longer-term chaos. The GCC is particularly vulnerable to this type of cascading attack, as it supports millions of people in a desert environment which, in pre-20th-century conditions, could support only a fraction of their number. A power cut would likely cause damage to any services not backed up with auxiliary generators, potentially affecting everything from transportation links to desalination plants.
Although energy infrastructure is perhaps the core element of critical national infrastructure (CNI) likely to be targeted by a foreign power, this is not a counsel for despair and certainly not for a “head in the sand” approach. CEOs and CIOs of oil and gas companies should take a systematic approach to surveying and then mitigating cyber risk, which can help insulate them from the worst impacts of an attack, even if total prevention remains an impossibility.
Companies need to understand their risk profile before any mitigation can begin in earnest. This involves understanding their assets, the full range of threats they may face and their vulnerabilities. The first is often one of the hardest for energy companies, which have dispersed assets all the way through their business process, from extraction to refining through to distribution. Threat assessment is often best done by a third party, be that a national CERT team or a private-sector security consulting firm; these are likely to have a much clearer notion of the national threat picture. Vulnerabilities may arise from a number of different areas, including technology, processes and people. The latter should never be overlooked as a threat: for companies which employ thousands of people, vetting and control systems are vital to prevent either malicious action or incompetence. Once the cyber security function of the company has a firm handle on its risk profile, it can then move to take appropriate mitigation measures.
Mitigating the cyber risks can be looked at across three broad areas: Visibility, Intelligence and Integration.
Visibility means truly understanding what is in your environment, who is in your environment and how your environment is configured. Knowing these things and continually monitoring them for vulnerabilities and insecurities allows companies to continuously remediate and mitigate cyber risks. Large companies in particular often maintain networks patched together over decades, running different generations of hardware and software. It’s a simple truth that you can’t protect what you don’t understand; a thorough audit is vital at the start of any mitigation process. Developing and maintaining the capability to perform this audit on a continuous basis will improve your security posture and shrink the window of vulnerability.
Intelligence relates to your understanding of the ever-changing threat landscape and the constant discovery of vulnerabilities within ICT systems. There is no single source of cyber threat intelligence or vulnerability information, so a programme needs to be established to identify and capture the most appropriate sources for your organisation. These could include open sources, academic and research institutes, government agencies, commercial feeds, and industry information-sharing programmes. Intelligence also includes having a clear understanding of the critical information necessary for your particular line of business.
Integration aggregates the information found in the other two phases and displays it in a format which can be readily understood by decision makers, enabling them to act quickly. In particular, attacks should be logged and diagnosed in a systematic fashion. Energy firms armed with this complete picture should then be able to create a continuous monitoring and mitigation capability supported by intelligence and securely integrated technology. As programmes mature, a well-integrated capability will facilitate advanced mitigation strategies that leverage machine learning and security automation to accelerate remediation and mitigation actions.
It’s going to be a challenging time ahead, but with the right planning, commitment to innovation and sensible practices, nations and companies can mitigate, if not completely prevent, cyber security attacks. It’s the responsibility of both the private and public sectors working hand-in-hand to ensure infrastructure as vital as oil and gas platforms is not just defended from physical attack, but shielded from the predations of hostile states and criminals. To ignore the threat is to leave your company hostage to the next malware attack.