Oil and gas companies might not be the first target you think of when considering cyber attacks. But a combination of internal and external factors has made the threat to energy companies a real and significant danger.
Costs, competitive forces, and fluctuations in resource prices constantly force the energy sector to innovate to reduce expenses and drive efficiencies. Oil and gas companies (O&G) have been quick to recognize the benefits of transformational cloud and IoT technology to help in these regards. With a long and complex supply chain, using cloud services has streamlined internal operations and has made exchanges with business partners and suppliers much easier and more efficient. Upstream operations, especially those in remote or unforgiving conditions, have changed dramatically with the introduction of sensors, drones, and other connected devices that provide monitoring and functional data. IoT devices have also become commonplace in midstream facilities and functions, gathering massive amounts of data essential to the safe and efficient handling of resources.
But the use of these technologies has opened O&G to cyber threats. While many energy companies have solid front-line defenses against “routine” cyber risks, cybersecurity programs may not be advanced enough to address more modern, sophisticated attacks.
Key Cyber Threat Agents of Concern for Oil and Gas
State-sponsored attack: In today’s complex geo-political world, well-financed and sophisticated criminals/terrorists have the resources to cause destabilizing damage to energy companies. For example, the hacker group “APT33” (also known variously as Elfin, Refined Kitten, Magnallium, and Holmium) has been linked to a Middle East government. APT33 has reportedly been conducting coordinated attacks to harvest credentials and seek vulnerabilities on a variety of targets for years. Once in, the group uses malware to conduct automated privileged attacks that have wiped servers, and disabled or damaged key infrastructure.
Espionage: The energy sector is highly competitive, and with the wealth of data provided by modern technology, corporate intellectual property can be at risk. Consider the complexity in the production chain of an oil or gas concern. Upstream processes involving the exploration, discovery, extraction, and production combine multiple partners and processes that all need to talk to one another. The IoT devices heavily used to monitor and gather data are often in remote locations, making these devices an easier target for interception. Any disruption or tampering with this information could affect operations; for example, tainting the decision-making process of where and when to drill, or tipping off outsiders to corporate intelligence. Midstream, any of the elaborate safety, logistics, and quality control processes supported by a proliferation of networked “smart” devices are potential targets for interference and intervention. And the extensive networks of cloud services used for automated B2B communications and administration also make this phase of the production process a significant target for unauthorized access.
Financial Gain: O&G relies heavily on both information technology (IT) to maintain business operations, and operational technology (OT) to maintain facilities and production. Any disruption to these technologies can damage reputation and the supply chain, and even compromise the health and safety of staff and the general public. Data from IT or OT functions can be a valuable asset for competitors or other attackers. Any of the threats discussed in the “Espionage” section can be used as a bargaining chip by cyber criminals. Plus, downstream functions involving production and distribution of end products for industry or consumer use are at greater risk from attack for financial gain. Here, most of the operating costs have already been expended, so disruption in distribution or loss of end-products can have particularly damaging results to the business financially and reputationally. Cyber attackers know this and have used ransomware attacks to extort money from breached O&G targets. Malware that has a simple way into the organization (through traditional means like phishing attacks that dupe employees, or enticing disgruntled insiders to help break into systems) can deploy elaborate attack tools that can exfiltrate data and/or deploy ransomware.
Eco-terrorism: O&G interests are often under pressure from environmental and special interest groups. Activists may target oil and gas to disrupt operations and damage corporate reputation. While these groups may lack the resources of state-sponsored actors and sophisticated cyber criminals, the dark web provides an array of tools for nefarious purposes. Activists are often more concerned about sending a message with a lightning attack, in contrast to the “long game” that may be employed by some of the other prominent threat agents.
Despite a host of potential attackers, significant threats to business operations, and numerous documented attacks against oil and gas companies, there is concern that the energy sector has not placed sufficient emphasis on mitigating the risk. In a recent E&Y survey, of the 40 oil and gas companies that participated, 87% reported that they have not fully considered the information security implications of their current strategy and plans, and fewer than half felt that their whole boards are knowledgeable about cyber security. And perhaps most alarming: just 17% felt that it was “very likely” that they would detect a sophisticated attack.
Clearly more priority and analysis should be given to understanding, assessing, and addressing cyber risk. Oil and gas industries, and the array of related companies that rely on them, need to raise awareness of cybersecurity threats and share knowledge and insights to help defend against attack. And those companies that don’t have the board support or internal resources to develop adequate cybersecurity programs must reach out for assistance to help assess and mitigate their risks through the construction of policies and processes. The automation and innovation that the cloud and IoT tech offer are essential to stay competitive in today’s economy – but if the implementation of these tools is not done properly, the consequences can be devastating. Fortunately, technologies are available that can help support operations in the cloud without sacrificing security — ensuring that the multiplicity of users, devices, partners, services, and locations only have the bare minimum access required and that all access and activity is tracked and logged. The network of services and devices in modern operations is too complex to monitor and manage without expert assistance and the risks are too great to ignore.
For more information, read Three Chief Information Security Officer Strategies for Digital Transformation Success to learn the differences between security and line of business priorities and how to bridge the gap between outgoing Oil & Gas initiatives — like those focused on operational efficiency using cloud and IoT — and cybersecurity controls.