The oil and gas industry is one of the most heavily targeted sectors when it comes to cybercrime, but companies are not doing enough to prevent the consequences that could very quickly cost them dearly through the disruption of oil and gas production and the loss of sensitive business data.
"The threat is very real," says Edward Hamilton, head of threat and vulnerability management at PwC. "We’ve responded to a number of severe network intrusions in oil and gas organisations, and our threat intelligence unit has observed an increase in targeted supply chain compromises and ‘watering hole’ attacks."
PwC’s cybersecurity practice advises companies on issues ranging from threat intelligence, detection and prevention, to regulation and the broader impact of breaches on business performance. Last year, it conducted the 2013 Information Security Breaches Survey on behalf of the UK’s Department for Business, Innovation & Skills, revealing estimates of the costs of security breaches, with several individual incidents reaching over £1 million.
"The cost of breaches varied widely, but the average cost of the worst security breach for small organisations was between £35,000 and £65,000, and for large organisations between £450,000 and £850,000," says James Rashleigh, director of cyber-forensic services at PwC.
Another worrying statistic from a study conducted by the US Department of Homeland Security was that, of the 93% of businesses that had a security breach in 2012, 53% were from the energy sector.
"It’s not a matter of if but when a company will be attacked," says Hamilton. "The extent of cybercrime is very difficult to measure because a lot of what goes on isn’t reported, so we only see where there’s a regulation to report it, like in some US states, or when the press becomes aware of it. The UK Government did an analysis of how much it would cost to the UK economy and came up with a figure of £27 billion. How that relates to oil and gas specifically, there are no hard facts. All we can go on is what we see in the press and what we hear on forums."
From behind closed doors
The first major cyberattack on the energy sector to hit the headlines was in 2010, when the Stuxnet virus destroyed 10% of Iran’s nuclear capability. In August 2012, the Shamoon virus was unleashed on Saudi Aramco, with activist group Cutting Sword of Justice claiming responsibility; while production was unaffected, the virus wiped data from 30,000 workstations. A few days later, Qatar’s RasGas suffered a similar attack, leading it to shut down its website and email systems.
And media reports are increasing. In May last year, US News revealed hacker group Anonymous’s intentions to attack the global oil trade; in November, The Scotsman reported on the vulnerability of North Sea installations to cyberterrorists; and, that same month, the Financial Times revealed that a system used by the CME Group to process big futures trades was hacked (its customers include major oil companies).
The secretive nature of the oil and gas business is the main reason that the extent of cybercrime in the sector has been difficult to gauge. Much of Rashleigh’s work involves monitoring discussions among industry members in closed-door forums, but companies need to be more open about their experiences of cybercrime.
"Some organisations are beginning to share information, but the industry could benefit from more open discussion," says Rashleigh. "At the SMI Oil and Gas Cyber Security conference in November last year, Saudi Aramco talked about its experience with Shamoon. That was a fundamental shift – a year ago, they wouldn’t have been so open. We’ve also seen increased information-sharing across other sectors, such as energy talking to financial, and the Centre for the Protection of National Infrastructure has made companies aware of the importance of sharing information about incidents."
Slow progress
With cybercrime incidents on the increase, how are oil and gas companies responding? One of the biggest problems, according to Hamilton, is that many firms still operate on their historical perspective of security, relying on their IT departments to prevent system breaches, and staying ignorant of the scale of the problem, which has gone beyond regular security measures such as passwords and firewalls.
"One of the biggest threats comes from members of staff using unchecked USB sticks or software, which may have viruses," he explains. "They also go on social networks and give out confidential information such as the projects they are working on. These breaches can be difficult to control unless an integrated, business-aligned security strategy is implemented, and that needs to come from the board."
And therein lies the main stumbling block. Most of the security teams that Hamilton’s team talks to understand what the risks are, but have trouble communicating to the board what they mean for the business.
"The board members are not experts," says Hamilton. "Unless it’s explained in a language they understand – how it will affect business – all they’ll hear is a technology pitch, something that they think they’ve already spent money on, so there’s a disconnect. It’s improving – security people are getting better at communicating and, thanks to the press, the board is becoming more aware that there is a threat to business, but there’s still a long way to go."
Preparation and response
More proactive companies have accepted that their security landscape has changed, and realise that they need to be prepared. Assessing a cyber-risk strategy often means starting from scratch, with a dedicated team responsible for dealing with digital security. First steps involve learning who the attackers are (see ‘Cyberthreat actors’) and focusing on securing the company’s assets – what Hamilton and Rashleigh call ‘the crown jewels’, which include not just aspects of production, but also high-value information such as geological maps, survey results, reservoir information, technology blueprints, customer and supply chain data, and M&A details.
"Historically, the targets were static – SCADA, rigs, pumps and valves, things that were never designed to be connected to the internet," says Rashleigh. "Today, everything in business is digitally connected, so the risk is a constantly moving target."
Deploying monitoring equipment will help determine how quickly the organisation will be compromised, but will also require staff with the right skills to drive these tools and the supporting processes to make them as useful as possible to the business.
"It’s very easy to buy tools, but finding the right people with the right skills in the countries where they operate is difficult, and it takes time to train them," explains Hamilton.
And, for when attacks do occur, a rapid response strategy is crucial.
"Once the company is aware it’s under attack, the next step is implementing a rapid response plan," says Hamilton. "This could be calling in a pool of specialists to help mobilise events and address the extent of the attack. Then there’s the marketing angle – how to control the news to the public and limit brand damage. It’s a massive thing that needs to be thought about very carefully."
What of the companies that are still relying on their traditional security methods?
"If you are not actively looking for attacks, you won’t find them; if you aren’t finding them, then you may not be looking hard enough," says Hamilton. "If I had my five minutes with an oil and gas executive, I would like them to make sure that they are investing in the right places, that they are protecting what really matters and to ensure that they have the appropriate balance of people, processes and technology. It’s all about protecting and mitigating breaches."