Published September 21, 2012
When it comes to cyber security, banks and stock exchanges get the bulk of the attention, because that’s where the money is.
But don't overlook the massive targets painted on the backs of energy companies, which play a crucial role in the global economy and could be hit by anyone from capitalism-hating hacktivists to state-owned rivals in China and Russia.
These cyber criminals delivered a thunderous wake-up call about this mounting threat when they attacked the computer network of Saudi Arabia’s state-owned oil company over the summer in a move that showed off their growing capabilities.
“It is very, very important these networks are protected because if they’re not, we could not only see oil production impacted but it could impact energy prices -- the economic foundation of the world,” said Cedric Leighton, a former official in the National Security Agency.
The cyber threat was on full display again this week as hackers appeared to create website headaches for three of the world’s biggest financial-services brands: J.P. Morgan Chase (JPM), Bank of America (BAC) and NYSE Euronext’s (NYX) New York Stock Exchange.
Availability Attacks Threaten Infrastructure
These types of availability attacks can lock out customers and clients from their accounts, interrupting the normal flow of business.
For an energy company, an availability attack on its increasingly digital infrastructure can be much more damaging, as the August attack on Saudi Arabia’s Saudi Aramco demonstrated.
Saudi Aramco, which at 259.7 billion barrels manages the world’s largest proven conventional crude oil reserves, said it was hit by a “malicious virus that originated from external sources and affected about 30,000 workstations.”
The Aramco attack, which may have been aided by insiders, shows “these systems are vulnerable and unfortunately we’re only as good as the weakest link,” said Leighton, who is now CEO of a Washington, D.C. strategic risk management consultancy bearing his name.
Christopher Bronk, a fellow at Rice University’s Baker Institute, said he found it “a little unnerving” to learn that the digital upstream and downstream operations at many energy companies require Internet protocol operations, which are often easy to hack into.
Cast of Characters Behind Attacks
While some blamed hacktivists for the Aramco attack, Bronk pointed to Iran -- a rival of both Saudi Arabia and the U.S. “It’s worrisome if the Aramco cyber attack was something done to send a message,” he said.
In addition to nation-state enemies, energy companies are obvious targets for availability attacks from terrorists seeking to wreak havoc and activist hackers like Group Anonymous who want to make a political statement.
“Overnight, oil, gas and electric generation find themselves under the bad boy category of companies,” said Carl Herberger, vice president of security solutions at Tel Aviv-based security firm Radware (RDWR).
Beware of Cyber Spies
To a greater extent than banks, the energy industry must be vigilant for cyber espionage attacks aimed at gleaning extremely lucrative oil exploration data and other proprietary information such as stats on spare capacity and reserves.
These types of attacks can come from state-owned oil companies in countries known for their hacking capabilities, such as China and Russia. The crucial government backing can give these firms much greater resources and more advanced capabilities than a private rival might have.
For example, state-run Russian energy giant Rosneft is run by Igor Sechin, who has close ties to the FSB, the spy agency that succeeded the KGB.
Likewise, Leighton said China has been suspected of going after energy companies exploring in the South China Sea in an effort to discover the results of their seismic studies.
“The Chinese are using this information in a geopolitical and geostrategic sense in an effort to beat those companies at their own game,” Leighton said, adding that the damage can potentially cause the energy companies to lose “millions, if not billions in their search for oil in that area.”
Gauging Energy Firms’ Readiness
So just how prepared is the energy industry to deal with these dual cyber threats?
Energy companies contacted for this story were understandably quiet about their cyber defense efforts.
“We have a highly skilled and professional organization that oversees these kinds of issues, and we continuously monitor IT security threats throughout our global operations,” a spokesman from ConocoPhillips (COP) told FOX Business.
Still, due to an earlier focus on cyber as well as legal requirements, some cyber security insiders said big banks and exchanges appear to have a leg up on the energy industry.
“Oil multinationals stand to learn a lot from the financial sector in this field,” said Leighton.
He said that while most American multinationals “are beginning to have a pretty good understanding of what they are up against,” they are “certainly being probed in a computer sense every day” and “still have vulnerabilities.”
A Cyber ‘Fire Brigade?’
On the other hand, Leighton believes state-owned oil companies like Brazil’s Petrobras (PBR) and Mexico’s Pemex, which American multinationals are very dependent on, are “particularly vulnerable” due to less-agile government bureaucracies.
Herberger also doubted that obvious espionage targets like smaller energy exploration companies are devoting enough attention and resources to the cyber threat.
To respond to these challenges, energy firms must “reorient from a reactive, tactical posture regarding intrusions and attacks to a more strategic, holistic view that expands beyond the categorization of the issue as only an IT problem,” Bronk wrote in a paper published earlier this week.
Bronk also said in an interview that energy companies, which have a long history of working together on joint ventures, must be willing to team up on cyber.
“They all have a shared interest in developing the capacity to not only identify threats but to mitigate those attacks very quickly,” he said.
From a public policy standpoint, Bronk was skeptical that installing a new regulatory regime would amount to much more than a “check-the-box exercise.”
Instead, he said the energy industry should explore pooling response resources, creating the equivalent of a “fire brigade for cyber attacks.”