The U.S. energy sector, including oil and gas producers, was hit by more targeted malware attacks from April to September last year than any other industry, says a new Council on Foreign Relations (CFR) report, citing data from a Houston-based security company, Alert Logic.
U.S. oil and natural gas operations are increasingly vulnerable to cyber attacks that can lead to costly outages at pipelines, refineries or drilling platforms, it says.
Cyber attacks on energy companies are increasing in both frequency and sophistication, making them more difficult to detect and defend against, says the CFR report. Cyber espionage is being carried out by foreign intelligence and defense agencies, even organized crime or freelance hackers, it added.
Just this past spring, U.S. officials revealed that a wave of attacks on U.S. corporations, particularly energy companies, had been underway for several months, the report says.
“The attacks, which were unsuccessful in compromising their intended targets, appeared to have originated in Iran,” the report noted, “adding their objective was apparently to destroy data and take control of critical industrial control systems.”
General Keith Alexander, director of the National Security Agency (NSA) and head of the U.S. Cyber Command, has estimated that cyber crime overall costs U.S. businesses $114 billion a year, with another $250 billion lost in stolen intellectual property. Energy companies were targeted in 41% of the malicious software–attack cases reported to the Department of Homeland Security (DHS) in 2012.
The U.S. has already moved aggressively to stop cyber threats via tighter security and working more closely with foreign officials. In February 2013, President Barack Obama signed an executive order to improve cyber security for critical infrastructure.
Complicating the findings, too, is the belief held by many security experts that most cyber hacking incidents are not reported due to security reasons.
The report warns: “American oil and gas firms are subject to frequent and often successful attempts by insiders, competitors, and foreign governments to access their trade secrets, such as long-term strategic plans, bids tendered for new drilling acreage, and private negotiations with foreign officials. Hackers have been successful in stealing oil companies’ handbooks and geologic data, according to industry reports.”
The report adds that once a cyber invader is in a system, it could theoretically “cause the flow of natural gas through a pipeline to grind to a halt, trigger an explosion at a petrochemical facility, or do damage to an offshore drilling rig that could lead to an oil spill.” It added: “Such threats now have the potential to cause environmental damage, energy-supply outages for weeks or months, and even the loss of human life.”
The report said the most successful known campaign against U.S. oil and gas firms was the “Night Dragon” cyber invasion. According to cyber security firm McAfee, Night Dragon was launched by China-based hackers to steal “confidential data from five major Western energy companies, beginning around 2008 and extending into early 2011.” At that time, BP PLC and ExxonMobil as well as other large oil companies, declined to comment. Chevron at that time said it unaware of any successful hacks into the company's data systems by Night Dragon.
The CFR report noted: “Night Dragon was able to steal gigabytes of highly sensitive material, including proprietary information about oil- and gas-field operations, financial transactions, and bidding data.”
It said: “One U.S. oil executive interviewed said he believed that on at least one occasion a rival national oil company appeared to know his firm’s bidding plans in advance of a lease auction, which resulted in his losing the bid.”
In a 2010 infiltration into its systems, Chevron pointed the finger at Stuxnet, the highly classified computer virus allegedly created by the U.S. and Israel that was used to spy on and disrupt Iran’s nuclear facilities. Stuxnet overtook the Siemens software running the centrifuges to enrich uranium at Iran's nuclear facilities in Natanz.
Chevron has said it was not hurt by Stuxnet, but that it discovered the virus only after Stuxnet was reported on in a blog post in July 2010. The U.S. has never acknowledged, in an official capacity, the existence of the Stuxnet program.
Several of the world's major oil and gas producers, including Saudi Arabian Oil Company (Saudi Aramco), the state oil giant, and Qatar's RasGas, a natural gas company, have been hit by cyber attacks since 2009.
In an attack on Aramco in August 2012, Shamoon malware allegedly created cyber hackers linked to the government in Iran destroyed data and disabled approximately 30,000 computers, the report said. Former secretary of defense Leon Panetta called the Aramco incident, which a perpetrator with inside access launched via a tiny USB drive, “probably the most destructive . . . that the private sector has seen to date,” the report noted. The reported added that Aramco said its oil production was not damaged. However, the thumb drive uploaded unsophisticated malware that ran on the company’s network, “apparently causing millions of dollars of damage.” Aramco has said it expected more such threats in the future.
Government officials also said a cyber attack on Qatar’s Rasgas at that time disabled its website and email servers. Rasgas said its operations were unaffected.
Sometimes, the cyber attack is accidental, In February 2013, for example, malware unintentionally downloaded by workers incapacitated networks on some rigs and platforms.
The report said cyber attacks on oil and gas companies with physical consequences “will likely remain rare” but could be “sizable.” The attacks “are more likely to pose a public-relations problem (by altering a company’s website, for instance) or disrupt business operations (such as email servers) than upset critical physical infrastructure, which is typically harder to penetrate,” it said, adding the computer “systems that undergird the modern oil and gas supply chain are not invulnerable.”