Cyber attackers have targeted crude oil and natural gas companies, with attacks growing in frequency, sophistication, and impact as the industry employs ever more connected technology, a report by advisory company Deloitte finds.
Digitalization in the oil and gas sector has opened up new opportunities to increase efficiency and bring down costs, but the integration of operating and business systems has also exposed companies to a whole new array of cyber threats.
Some new-age cyber threats, which did not even exist just a few years ago, can now come from many directions, including internal actors aiming to sabotage production, competitors seeking to cause brand damage, and external parties, such as activist groups who want to shut down operations.
The Cybersecurity For Upstream Oil and Gas report exposes the oil and gas industry’s cyber maturity as relatively low.
“Boards of crude oil and natural gas companies show generally limited strategic appreciation of cyber issues,” the report said, explaining that companies see themselves as an unlikely target for cyber-attacks because “the business is about barrels, not bytes.”
According to the report, remote operations and the industry’s complex data structure provide a natural defense.
However, the report shows that threats are growing rapidly, and the stakes are getting higher with the rapid evolution of hacker motivations, from cyber-terrorism to industry surveillance, the disruption of operations and the stealing of field data, and with businesses increasingly dependent on connected technology on a daily basis.
-‘Shrugging off cyber threats’
While oil and gas producers are shrugging off cyber threats, Deloitte reported that the energy industry was the second most targeted industry by cyber threats in 2016. Yet, not too many companies see cyber threats as major risks.
In a 2019 security survey of 40 participants from the oil and gas industry conducted by Ernst & Young Global Limited (EY), 87% of respondents did not thoroughly understand the ramifications of their new policy and strategies for cyber protection.
The survey also showed that 63% of these companies did not fully examine the financial impact of breaches despite suffering an attack that did not appear to be harmful.
Meanwhile, Deloitte said that many non-U.S. oil and gas firms do not even mention "cyber" once in their over 100-page filings.
The attacks are becoming increasingly sophisticated, the report revealed, with hackers launching direct concerted attacks on the industry by either using spyware targeting field data, malware infecting production control systems, or denial of service blocking the flow of information through control systems.
Shamoon, a disk-wiping malware also known as DistTrack and reportedly created in Iran, came in three waves in 2012, 2016 and 2018. It mostly targeted energy companies affiliated with or owned by Saudi Arabia and destroyed more than 35,000 workstations on the network of Saudi Aramco, Saudi Arabia's national oil company.
Shamoon reappeared in December 2018 and this time attacked oil and gas services or contracting companies, including Saipem (Italy) and Petrofac (U.K.).
In 2014, hackers conducted a destructive attack on 50 European oil and gas firms using well-researched phishing campaigns and sophisticated versions of Trojan horse attacks.
According to Deloitte, the obscure nature of the attacks makes the attackers difficult to pinpoint, which in turn lowers defense efforts.
Citing the Industrial Control Systems Cyber Emergency Response Team in the U.S., Deloitte said more than a third of vital infrastructure attacks in 2015 were either untraceable or had an undisclosed "infection vector" – which enables breaches to remain undetected for days or continue evolving from one form to another.
-Mitigating cyber risks
To mitigate cyber risks, Deloitte said a holistic risk management system is required, with the acknowledgement of cyber risks as a first step, followed by the formation of risk mitigation strategies.
Deloitte said an effective cyber strategy needs to be secure, vigilant, and resilient and added: “A company should focus equally on gaining more insight into threats and responding more effectively to reduce their impact.”
By Sibel Morrow