Hackers’ favourite target: Big Oil and that deadly equipment

June 11, 2015 | 09:07 PM

Like all big enterprises, energy companies want to protect sensitive data. But they have another dimension to worry about: the potential for hackers to cause physical damage to equipment such as drilling rigs or power stations.

Bloomberg/New York

Hackers have made the energy industry a favourite target.

A study conducted in April by Symantec Corp, the world’s biggest cyber security firm, found that computer-system invaders attacked 43% of global mining, oil and gas companies at least once last year. In a separate survey the same month, conducted for the Organisation of American States by another security company, Trend Micro Inc, 47% of energy organisations reported attacks, the highest among all corporate sectors and surpassed only by governments.

“Nowadays you have computers running everything,” said Alvaro Cardenas, a computer-science professor at the University of Texas at Dallas and a member of the Cyber Security Research and Education Institute. “You can create blackouts or oil spills and hurt a lot of people.”

As if last year’s oil-price drop wasn’t enough, costs for energy companies rose faster than the US average over the last five years, according to a study by the Ponemon Institute for Hewlett-Packard Co. Cybercrimes cost energy and utilities companies an average of $13.2mn each a year for lost business and damaged equipment, higher than in any other industry, according to Ponemon’s survey of 257 businesses.

Spending worldwide on cyber security for oil and gas infrastructure will reach $1.9bn by 2018, according to ABI Research, a technology data company with offices worldwide.

Like all big enterprises, energy companies want to protect sensitive data. But they have another dimension to worry about: the potential for hackers to cause physical damage to equipment such as drilling rigs or power stations.

While the industry has long prioritised physical security, with electric fences and cameras typically standing guard at refineries and power plants, cyber defences are only recently getting similar attention.

Last year’s attacks on the energy sector included Anonymous hackers’ “Operation Petrol” and the “Sandworm” attack by Russian hackers trying to infiltrate North American utilities in order to control them at a later date. In 2012, Saudi Arabian Oil Co, the world’s largest crude exporter, said it suffered an attack that affected 30,000 computers.

Energy companies face all the usual threats from hackers who want to make a political point or snoop on confidential data to get an investing edge, according to Tom Kellerman, chief cyber security officer of Trend Micro, a Tokyo-based software provider. But their strategic and economic importance also makes them a target.

The vulnerability of US companies has an unlikely source. After the 2003 East Coast blackout, power companies connected infrastructure to the Internet to make it more reliable, according to Kellerman.

Those weaknesses could multiply as technology companies market Web-connected home appliances, sometimes called the “Internet of things,” he said. Depending on how these devices are secured, they could create more openings for hackers to enter networks.

“It’s a double-edged sword,” Kellerman said. “Currently the energy sector is woefully unprepared for protecting itself from cyber attacks.”

Susceptibility is also a problem overseas. The Kuwait National Petroleum Co disconnected the computer network that runs its three refineries from the Internet after hackers with the Anonymous collective announced plans last year to target Middle Eastern oil companies, according to Abdul-Aziz Duaij, the company’s top technology officer. The network wasn’t compromised, he said.

The KNPC uses software that prevents anyone from installing any programme without permission to make it tougher for hackers, Duaij said.

“We consider everybody a threat, even insiders,” Duaij said.

Last week, US officials revealed that hackers breached US Office of Personnel Management computers, stealing confidential records of as many as 4mn current and former government employees.

While sources of attacks can be difficult to identify, US companies such as Mountain View, California-based Symantec point to activity coming from Russia, China, North Korea and Iran. Documents made public by US National Security Agency contractor Edward Snowden suggested the NSA spied on Petroleo Brasileiro, Brazil’s state-run oil company, according to a report by Globo TV.

US Director of National Intelligence James R Clapper acknowledged that the country does gather information on “economic and financial matters” but doesn’t steal trade secrets and share them with US companies.

Companies can protect themselves by monitoring network traffic for unusual activity and training employees to recognise suspicious e-mails. Still, no matter how secure a company makes its technology, state-sponsored hackers almost always gain access by manipulating people, said Antonio Forzieri, a Symantec strategist.

“I’d love to have a patch to deploy to the humans, but you can’t do that,” he said. “These attacks are not science fiction, they are every day.”
