Former Department of Homeland Security Secretary Tom Ridge told an oil and gas industry audience in Pittsburgh last week that digital security should be a top priority at their companies, adding that current policies are outdated and the threat of cyber attacks grows by the day.
Ridge, a Republican who also served as Pennsylvania's 43rd governor, said natural disasters, terrorists and foreign countries are among the leading threats to the intricate industrial control systems used by exploration and production companies, midstream operators and suppliers.
He said with oil and gas development at the forefront of the country's economic recovery, and with billions more devices and users expected to come online in the year's ahead, the industry should be taking extra caution to protect proprietary information and its link to national security.
"I bet in some of your companies you've got some incredible information stuck there on a server somewhere about seismic studies in regard to oil and natural gas potential," Ridge told an audience gathered for the Marcellus Shale Coalition's Shale Insight conference. "Wouldn't it be nice for a competitor, or foreign country, to have the benefit of the millions and millions of dollars of research that you've done?
Quoting from a study released last year by the Council on Foreign Relations (see Daily GPI, June 27, 2013), Ridge said "a major risk facing the oil and natural gas industry is the disruption of critical business or physical operations by attacks on networks, as information technology rules in all phases of oil and gas production." Corporate espionage, terrorism and organized crime all pose equal threats, he said.
Ridge added that the federal government has confirmed cases of malware probing industry SCADA systems, or supervisory controls, that operate certain equipment, "not necessarily to do anything now, but trying to understand the nation's energy framework and networks," he said.
The Council on Foreign Relations report found that cyber security threats are posing an increasing risk to the oil and gas industry, especially as its profile rises with the boom in onshore production. In recent years, several of the world's major oil and gas producers, including Saudi Aramco, Qatar's RasGas and Chevron Corp. have fallen victim to cyber attacks. As recently as 2012, the Department of Homeland Security confirmed an "active series" of cyber attacks on natural gas pipeline companies computer networks (see Daily GPI, May 8, 2012).
"Energy is critical to our national security," Ridge said. "Let's face it, our national security and our economic security are interconnected, you can't have one without the other. One of the pillars of our national security is to supply and generate energy -- the fuel of our economy -- it's a simple idea. Having energy means not depending on others, a few of whom are certainly not our friends."
While Ridge said steady oil and gas production, better federal energy policies and liquified natural gas exports will help to strengthen national security, he said one of the first lines of defense is establishing a set of baseline standards to protect energy networks. He called the issue a "C-Suite" problem that requires immediate attention from top executives and said the policies in place are not as mature as they need to be.
He said energy companies need to sweat every detail when it comes to installing network components, operating them securely and said constant upgrades will be required to deal with the growing number of threats.
"For real energy security, we must be certain that the companies upon whom my state and this country depends on to run our energy infrastructure -- many of you are in this room today -- are guarding the operational controls, the industrial controls, your proprietary information, your financial information, your strategic plans and much, much more."