The threat of cyber attacks is becoming increasingly likely within the energy industry, as organized "threat actors" aggressively attack operations and pilfer data from global businesses, according to a global survey by PwC.
In PwC's Global State of Information Survey (GSISS) 2015, analysts said oil and gas companies are in the "crosshairs of malicious cyber adversaries," with well funded operators infecting industrial control systems of thousands of organizations across North America, Asia and Europe.
In recent years, state-sponsored cyber espionage campaigns have included Dragonfly and Energetic Bear. One attack directed at natural gas companies was a "spear-phishing campaign that implanted malware on company systems in an attempt to exfiltrate information about drilling projects and bids."
Most cyber intrusions against oil and gas companies haven't resulted in physical damage, however, that is beginning to change.
"An attack on a Middle Eastern oil company in 2012 destroyed 30,000 computers and erased a range of significant documents," PwC's report noted. "It was revealed in late 2014 that the 2008 explosion of an oil pipeline in Turkey was caused by hackers, making it one of the first times a cyber attack has successfully been used to destroy critical infrastructure."
The attacks to date have not impacted production capabilities but they are becoming "progressively maleficent, sophisticated and difficult to detect," PwC found. Increasingly, cyber criminals target oil and gas companies to lift intellectual property (IP), sabotage websites, harm reputations and disrupt production.
"Companies must treat cyber security as an operational imperative, just as they do with their health, human and safety programs," said PwC's Jim Guinn, a managing director in the advisory practice who focuses on cyber security and privacy. "Having personally worked offshore, I know that energy companies invest a lot of capital in training their staff on what to do in an actual emergency, and cyber security should be no different."
The GSISS found that many energy companies have yet to deploy up-to-date monitoring detection technology, and they are behind in personnel training.
EY, which also consults with oil and gas companies on issues such as cyber security, offered a case in point in its recent report. An oil and gas company "didn't believe it had any data leakage," but it hired EY to ensure information was secure after a peer was attacked.
"On day two of EY's assessment, our team discovered that a foreign jurisdiction was accessing sensitive information about proprietary intellectual property and sending it overseas. Our client had no customers in that jurisdiction and no good business reason for the information to be flowing in that direction."
The results "surprised the board and the audit committee," leading the organization to rethink its approach to handling information and how to protect data.
PwC's total survey respondents who link incidents to "sophisticated threat actors like nation-states, activists/hacktivists and organized crime" are comparatively low, those are among the fastest growing sources.
"In fact, the number of respondents who cite foreign nation-states as the cause of incidents soared 108% in 2014," PwC noted. "These threat actors are keenly interested in the IP of oil and gas companies, including drilling techniques, oil and gas findings, refinery engineering information, and merger and acquisition (M&A) plans."
M&A risks are a big threat, said the survey respondents.
"As an example, cyber adversaries may infiltrate smaller or distressed acquisition targets that presumably have less mature security programs via third-party vendors, then lie in wait for the target to be acquired by a larger organization. When the organizations' information systems are integrated, the threat actors may attempt to access the networks of the acquiring firms and exfiltrate trade secrets, M&A data and other valuable information."
Employees also were found to be a "rapidly expanding source" of security incidents. Almost half of the respondents attributed security incidents to current employees, which was an 85% increase over 2013.
Perhaps not a surprise is the news that the improving digital technologies may increase energy industry threats. Those remotely deployed sensor-based field equipment connects to operational and IT systems, expanding the threat from cyber attacks. In 2014, 15% of respondents say embedded systems were exploited and 13% report that operational systems were compromised.