The recent cyber attacks on Saudi Aramco and Qatar’s Ras Gas have forced oil and gas companies worldwide to re-examine their information technology (IT) security systems. A consensus is growing that these attacks only will get more common and “smarter” in the future, threatening not only energy operations but intellectual property as well.
Oil and gas production was not affected in either case but the attacks were a stern reminder of the threat they pose. In a Guest Editorial in the August 2011 JPT, IT experts Herb Yuan, Mehrzad Mahdavi, and Donald Paul warned that these attacks were likely to continue and even increase, and called for energy companies to make cyber defense a core business process (JPT, August 2011, p. 16). Their advice is even more relevant today.
Reports of cyber attacks on energy appear to be becoming more common, or at least more publicized. Dell recently issued a report on a sophisticated cyber-espionage campaign that targets energy as well as other industries. Dubbed “mirage,” it uses email phishing targeted at executives to infect a computer network, which is then hacked to unveil sensitive company information. The attacks hit firms in Canada, Brazil, Egypt, the Philippines, and Nigeria. According to one report, many of the companies were trying to win oil and exploration rights in the South China Sea.
According to a study issued in September by the Baker Institute at Rice University, cyber attacks threaten primarily process control systems that are interlinked and networked, and also intellectual property and other sensitive information desired by competitors. To this last point, the close relationship between many state-owned oil companies and national governments may increase the number of incidents, or at least suspicions of incidents, because of the sensitive nature regarding many important oil and gas projects. The Baker report says there is a concern that, for example, innovations regarding shale and novel technologies currently being used in North America could be stolen through hacking and brought to market by competitors that have state backing.
There is no going back on digital energy. IT is now heavily involved in all aspects of the energy industry—from internal company email to drilling rigs, refineries, and distribution systems. “Two decades of massive investment in IT have produced significant productivity gains and efficiencies in the energy industry,” the Baker study says. “However, those gains are now being offset by risks such as system compromises—by insider threats, competitors, and national states—that expose proprietary documents and processes.”
A recent survey by PWC reported that most executives in the oil and gas industry have confidence in the effectiveness of their IT security practices. But diminished budgets that have resulted in degraded security programs and new technologies being deployed in cyber attacks, says the firm, mean that that likely is not the case.