Tim Arridge reports on cyber and insider threats to the oil and gas industry
Oil and gas production is a risky business. Hazardous operating environments – often in isolated areas – and extremes of weather, together with the need to provide an ‘always-on’ energy supply, present huge challenges to the industry. Production requires a large investment in money and manpower, and system failures can result in massive losses – not only to finances, but also to business reputation and even to life.
Technological advances that allow more activity to be managed online might be expected to reduce these risks. Instead, the scale and complexity of cyber threats to online activities keep growing. Whether hackers are targeting data and intellectual property, control and financial systems, or the security of individuals and infrastructure, every new cyber attack adds to the challenges faced by the oil & gas industry. Exploiting the many opportunities that new technologies present while mitigating the cyber threats that could harm your organisation requires a balancing act worthy of the tightrope daredevil Blondin.
Oil and gas companies are key targets for cyber attackers. Motivations may be political, such as the Operation Petrol cyber attack on the petroleum industry by hacktivists Anonymous in June 2014; or financial, as seen in the 2011 Night Dragon malware, which stole bidding plans and other proprietary information. Every area is potentially at risk – from workstations and servers, to industrial control systems and instrumentation. Large-scale attacks can have surprisingly small catalysts: the August 2012 Saudi Aramco incident, which affected over 30,000 workstations and forced the company to shut down all external network connections for a time, was allegedly introduced via a spear-phishing email. Some attacks are less intent on sabotage, and instead focus on espionage: in December 2014 Operation Cleaver hackers obtained sensitive data from a number of companies, including nine in the oil and gas field.
Perhaps, in an industry that deals with life-threatening risks every day, there is a feeling that these ‘virtual’ attacks can’t be that much of a problem. But, with an ever-present terrorist threat, we have to recognise that oil and gas production forms an important part of the critical national infrastructure. For this reason alone, it is a target for attackers who will recognise and capitalise on any weak spots. Whether these vulnerabilities are found in current or legacy control and infrastructure systems, devices that access data and information, the supply chain, or an uninformed or coerced workforce, they can be used by criminals – with potentially devastating consequences to life, supply and business.
The benefits of automating and connecting systems are many – they can streamline production processes, reduce operational costs and provide monitoring information. But attacks on embedded and operational systems are growing, and as control and SCADA systems link to each other, to internal networks, and to other devices such as tablets via TCP/IP, the risks increase. Introducing web-enabled systems before ensuring the policies and technologies are in place to protect them can make a business vulnerable. Respondents to the PWC Global State of Information Security Survey in 2015 reported an increase of 260% from 2014 for exploits of operational systems; while attacks on embedded systems increased by 231%.
Data, too, has a multitude of uses in the oil & gas industry. The increase in sensors, analytics tools and data storage capabilities is enabling businesses to capture additional information, from a wider area, at a lower cost. But, just as data is valued by users, it is valuable to cyber criminals. Attacks using malware, such as 2012’s Flame, which spread via a local area network or USB memory sticks and recorded audio, screenshots and keyboard activity, could see an organisation lose business-critical data or intellectual property. And malware infections are widespread, affecting 84% of large organisations in 2015, according to the Government’s Information Security Breaches Survey 2015 (ISBS 2015) carried out by PWC.
But malware is not the only cause of lost data – 81% of respondents from large companies to the ISBS 2015 stated that personnel were involved in some of the data breaches they suffered. This was an increase of over 20% on the previous year. Two-thirds of these incidents involved loss or leakage of confidential information by insiders. So it’s essential that staff are trained to recognise potential cyber threats, such as phishing emails, and to understand the importance of protecting data. In addition, measures that prevent executable files from being installed on computers, for example, or that log and flag up unusual activity by employees, may help to protect against a malicious insider who already has privileged access to systems.
This culture of security should extend throughout an organisation, and beyond – its data may be secure, but is it still protected by the company’s supply chain or third parties? Ensure that controls similar to those that you are applying are included in any contract with suppliers and providers: make sure that they have been implemented, and that they work. Don’t think it couldn’t happen to you or your contacts: in the ISBS, 90% of large organisations reported that they had suffered a security breach in 2015, with a median of 14 breaches experienced by each organisation.
The costs of a data breach or malware or virus infection to an oil & gas company can run into thousands. Clean-up costs go far beyond the simple removal of the virus, and include technical, human and material impacts. Systems may need to be restored from back-ups or equipment replaced. Technically, you may need to undertake forensic recovery of system evidence to complete an investigation of the incident, and to prevent it happening again. To do this, you will need to ensure that your system is configured to enable and assist the forensic recovery of digital evidence – and, if the incident is the result of a malicious act, to identify whether you have the evidence to prosecute the perpetrator through the courts.
Human resource costs of an infection or data breach extend beyond the working time lost by employees during computer outages, to include the time spent by staff in carrying out remedial actions to resolve the issue. System downtime may also result in unanticipated material expenses: perhaps rental vehicles to distribute items to satellite offices, or increased requirements for peripherals such as paper and printer cartridges. If the virus infection spreads, and infects other systems, then costs would be multiplied and could come in at millions of pounds or more.
Legislative and regulatory costs can be added to the total: with data breaches, these could include fines from the Information Commissioner’s Office; or financial settlements of legal action taken by those whose data has been lost. In the near future, the introduction of the EU Data Protection Directive is likely to see fines related to company revenue – perhaps as much as 4% of a company’s global annual turnover. Less quantifiable, but no less important, is the damage that press coverage of a data breach can cause an organisation’s reputation, and the effect this may have on customers, clients and suppliers.
Protecting your organisation from cyber threats makes it more resilient. Responding effectively to a crisis or issue, and learning and recovering from it, may be critical to your company’s survival and success. But with so many aspects to consider, it can be helpful to call upon an outside point of view – professionals such as those in Frazer-Nash can work with you to understand and manage potential opportunities and threats; and to anticipate and prepare for the unexpected. While the BSI’s Guidance for Organisational Resilience, BS65000, offers a roadmap towards building a resilient organisation, an expert can help you put it into practice within the context of a multi-faceted, complex oil and gas company.
The opportunities that technology offers to the oil & gas industry are huge, and have the potential to benefit every aspect of your organisation. But, as with any aspect of production, it’s important to minimise the risks. Taking action to identify the threats, and to protect your systems from them, can help you face future cyber and insider challenges confidently.
Tim Arridge is a principal consultant at Frazer-Nash.