Cyber attacks on the oil and gas industry ranging from espionage by foreign intelligence services to attempts to interrupt a company's physical operations are posing "an increasingly challenging problem for U.S. national security and economic competitiveness," according to a new study by the Council on Foreign Relations (CFR).
CFR analysts Blake Clayton and Adam Segal said that not only have the threats grown more sophisticated over time, making them more difficult to detect and defend against, but so too have the actors behind them, which have evolved from lone hackers with few resources to state-sponsored teams of programming experts.
Over the last few years alone, several of the world's major oil and gas producers, including Saudi Aramco, Qatar's RasGas and Chevron Corp., have fallen victim to cyber attacks. While "some damage" was done in each of these cases, Clayton and Segal warn that the costs of future breaches could be much higher, whether to corporate assets, public infrastructure and safety, or the broader economy through energy prices.
"Successful cyber attacks threaten the competitiveness of the U.S. oil and gas industry, one of the nation's most technically advanced and economically important sectors," Clayton and Segal noted in the report. "While intrusions previously focused on the theft of intellectual property and business strategies, the malware attack on Saudi Aramco reflects a worrying qualitative change toward attacks with the potential for causing physical disruptions to the oil and gas supply chain."
The two categories of cyber threats are cyber espionage, and disrupting critical business or physical operations by attacks on networks. CFR pointed to arguably the most successful known campaign against U.S. oil and gas firms, "Night Dragon" (see NGI, Feb. 14, 2011). According to McAfee, the cybersecurity firm that first disclosed its existence, Night Dragon was a "coordinated, covert, and targeted" campaign by China-based hackers to obtain confidential data from five major Western energy companies, beginning around 2008 and extending into early 2011. Clayton and Segal said Night Dragon was able to steal gigabytes of highly sensitive material, including proprietary information about oil- and gas-field operations, financial transactions, and bidding data.
As for the second form of attack, CFR's report found that while there were no known cases of an attack on an oil- or gas-related target damaging physical operations, U.S. security experts believe this risk is increasingly real.
"A hacker with the right tools, access, and knowledge could, for instance, identify the supervisory control and data acquisition systems and industrial control systems used to operate critical infrastructure and facilities in the oil and gas industry and that are connected to the Internet," according to the report. "Once in the system, an infiltrator could in theory cause the flow of natural gas through a pipeline to grind to a halt, trigger an explosion at a petrochemical facility, or do damage to an offshore drilling rig that could lead to an oil spill."
Researchers said the probability of damages likely to result from different kinds of cyber attacks against oil and gas targets vary enormously. U.S. Army Gen. Keith Alexander, who directs the National Security Agency and who heads the U.S. Cyber Command, estimated that in 2012, cyber crimes cost U.S. businesses $114 billion a year, with another $250 billion lost in stolen intellectual property. Citing an outside study, the CFR report added that the energy sector, including oil and gas producers, and infrastructure operators, were hit by more targeted malware attacks over a six-month period in 2012 than any other industry.
The cyber security threat to the energy sector is alive and well, as evidenced by a Department of Homeland Security (DHS) report in April, which detailed a "spear-phishing" campaign last fall targeting 11 energy companies. The spear-phishing campaign, which started and ended in October 2012, used publicly available information from an electric utility's web site to customize an attack against members of the energy sector. According to the report from the DHS's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), employee names, company email addresses, company affiliations, and work titles were found on the utility's web site on a page that listed the attendees at a recent committee meeting. This publicly available information gave the attacker "the company knowledge necessary to target specific individuals within the electric sector."
In February President Obama signed an executive order to strengthen the cybersecurity of critical U.S. infrastructure by increasing information sharing and by jointly developing and implementing with industry partners a framework of cybersecurity practices (see NGI, Feb. 18). Obama began considering an executive order aimed at protecting critical national infrastructure, including power plants and natural gas and crude pipelines, from cyber attacks, after the U.S. Congress failed to pass the Cybersecurity Act of 2012 last summer (see NGI, Sept. 17, 2012; July 23, 2012).
"Proactive and coordinated efforts are necessary for us to strengthen and maintain secure, functioning and resilient critical infrastructure -- including the assets, networks and systems that are vital to public confidence and the nation's safety, prosperity and well-being," according to a White House statement following the executive order. "This endeavor is a shared responsibility among the federal, state, local, tribal and territorial entities, and public and private owners and operators of critical infrastructure."
The order came just days after the Department of Energy (DOE) said a "cyber incident" at DOE headquarters in Washington, DC, in January targeted the agency's network "and resulted in the unauthorized disclosure of employee and contractor" information (see NGI, Feb. 11). No classified data was compromised by the cyber attack, according to DOE. Federal Energy Regulatory Commission Chairman Jon Wellinghoff went on the record earlier this year that the risks from cyber security threats to generation and gas pipeline infrastructure are increasing (see NGI, April 8).
Despite these recent proactive measures, the CFR researchers noted that industry executives are skeptical as to whether these various efforts will be enough, expressing concern in particular about delays in sharing information between government sources and industry participants who need it.
"These doubts have been exacerbated as several pieces of broad cybersecurity legislation that would apply to U.S. oil and gas producers have been derailed by arguments over how best to share threat information between the government and the private sector, among other issues," Clayton and Segal said. "Yet information sharing should be the central focus of U.S. efforts to improve cybersecurity for oil and gas. Providing more effective mechanisms for sharing threat information among firms and between the public and private sectors might make it more difficult for hackers to exploit an industry-wide vulnerability to move from one target to another."
The CFR report advises the Obama administration to reevaluate the classification level of threat information to make it easier to share with the oil and gas industries. However, when it comes to the bigger picture of cyber security, Clayton and Segal -- citing the continued deadlock over domestic cyber security legislation -- advise that the most effective efforts will be self-help. "Industry must find new ways to scale local efforts to share threat information. In addition, the United States should begin wide-ranging discussions with other oil- and gas-producing countries on cybersecurity."
©Copyright 2013 Intelligence Press Inc. All rights reserved. The preceding news report may not be republished or redistributed, in whole or in part, in any form, without prior written consent of Intelligence Press, Inc.