Cybersecurity: living dangerously
From pipelines to refineries, oil and gas companies are responsible for critical infrastructure that is a prime target for cyberattacks. But cybersecurity experts say the industry has been worryingly slow to respond, write Katherine Dunn and Herman Wang.
But for a coding error, an attempted cyberattack last year on a petrochemical plant in Saudi Arabia could have led to a catastrophic explosion. Malware implanted into the control system to sabotage the plant accidentally triggered a shutdown, but investigators say the attack was one of the most technologically advanced they had ever seen. Chillingly, they say the assailants – still not publicly identified – have likely already fixed the glitch and are lying in wait to target their next facility.
That close call and several others have many experts convinced that the oil industry, even as it invests millions of hours on safety procedures, is ill-prepared on the cyber front. “The sector is becoming fair game. [Hackers] are seeing opportunities to attack the sector, and facility operators believe they are very well-protected,” a Washington-based cybersecurity analyst at FireEye and former oil industry consultant, Marina Krotofil said, “It is not a good combination.”
Much of the focus on energy-related cybersecurity has been on power plants and grids, but authorities say oil and gas companies — responsible for critical infrastructure including refineries, pipelines and ports — are ripe targets for hackers to implant malware that can disrupt operations, endanger public safety, wreak havoc on markets and disclose sensitive information.
Spending on security measures is insufficient by and large, and collaboration among companies on best practices is woeful, given the secretive and competitive nature of the oil business, according to people in the field. Often, national security can be at stake. In the Middle East alone, which accounts for more than a third of global crude production, cyberattacks cost the oil and gas industry $1 billion last year in outages and loss of confidential data, according to a March report by industrial services provider Siemens and the Ponemon Institute. However, only 47% of Middle East oil and gas companies surveyed in the report said they prioritize continually monitoring all infrastructure for cyber threats and attacks.
“In general, the oil industry is conservative in nature,” said Gary Williams, a senior director for Schneider Electric, which installs control and safety systems in refineries and other critical infrastructure often targeted by hackers. “The industry tends to take an ‘if it ain’t broke, don’t fix it’ approach to how we operate. But we must change this model, and our culture, when it comes to cybersecurity.”
Some experts warn it may take a major successful cyberattack for the industry to fully grasp how great the danger is. “Organizations need to invest in cybersecurity, but they don’t see it’s a major threat,” senior research fellow with Chatham House’s International Security Department Beyza Unal, said. “We haven’t seen an event where an entire critical infrastructure got taken out. But it will happen. So how do you get companies to invest in that?”