Saudi Aramco may be back in business after clearing 30,000 of its computers of a malicious virus in August, but the attack should serve as a stark warning that the oil and gas industry is becoming increasingly attractive to digital thieves.
Continual innovation in the sector means that hackers, whether they are greedy competitors or corrupt employees, are on the prowl for information regarding new patents, technologies, systems or devices.
Details surrounding multimillion-dollar contract bids and acquisitions are also open to attacks as oil and gas supplies slowly diminish.
For the Saudi Arabian oil major, workstations were shut down and hydrocarbon production remained unaffected, but other companies may not get off so lightly.
Here, Denis Edgar-Nevill, chair of cybercrime forensics with the British Computer Society, discusses the greatest cyber threats to the oil and gas industry and explains how firms can prevent attacks.
Sarah Blackman: Is cybercrime the new biggest threat to the energy industry?
Denis Edgar-Nevill: Well, cybercrime is a threat to all industries and it’s a threat not only to the industrial sector but also to the government, public works and private individuals. So, yes it is a major threat.
Anything to do with energy is to do with critical infrastructure, particularly because some of the systems which energy providers provide are critical to life.
SB: Are oil and gas companies well prepared for cyber threats?
DE: It’s wrong to think that one size fits all. Because of the existing safety procedures and policy procedures which are inherent in a high-tech industry such as oil and gas exploration, they are better prepared than many.
The problem is, we can prepare for things we know about, but it’s hard to prepare for things which haven’t been invented yet.
There are something like a couple of million new virus strains in the world and variants come out every year, but a small number (in the dozens) are what we call zero-day weapons where you don’t know anything about them – they are using a new technique and they are using a clever idea, which somebody has come up with.
SB: Aside from attacking websites, what other cyber threats to the energy industry are out there?
DE: It’s really only limited to the imagination of the people who would want to attack you.
With the type of high stakes you are playing with in oil and gas, companies might want to mount attacks on each other or do a little industrial espionage just to find out information about their dealings with individual customers.
It might be stealing new technologies, processes, devices or patents which will give people competitive advantage, or it could be an attempt just to disrupt and damage.
It really depends on who your friends and enemies are, but nobody should feel secure because nobody is secure.
For anybody who has some means of communicating information to the outside world and accepting information from the outside world there is a potential for some sort of attack.
SB: Is social media also a threat?
DE: It’s a huge threat, absolutely huge. The thing that has astonished me is that when the Data Protection Act was introduced in the UK, companies had to spend a lot of money making sure they weren’t holding the wrong information about people that they weren’t lawfully allowed to store, and then social media came along and people are putting unbelievable things about themselves, for anybody to look at.
It’s when social media is used within the employees of an organisation you’ll find all sorts of things leaking out, where somebody makes references to secure projects, for example.
I’ve even seen, in one or two cases, people actually sharing passwords, which is crazy.
SB: Should companies worry about internal sabotage?
DE: The weakest element of security is the people we employ – the human firewall. We tell people what the acceptable process is and we are really at their mercy about whether they follow that process.
People are awfully easy to manipulate and that’s where I do a lot of work, which involves talking to people involved in penetration testing, where a company might employ a firm to test their own defences.
Nine out of ten times the successful attacks which penetration testers will apply to an organisation are against the people. They fool people into believing they are somebody who should be given detailed information or somebody with legitimate access to a resource.
SB: Reports have shown that digital theft is now a greater threat to the energy industry than terrorist attacks. Do you agree?
DE: It’s a question of if somebody is going to attack you, what’s in it for them? A terrorist organisation might attempt to attack the energy infrastructure to further a political cause, but they’d have to be very sure it has big impact.
With energy, particularly the oil and gas industry, it’s hard to have an immediate impact – you’d have to do something big to cause the industry to stop and generate lots of publicity for their cause. I think terrorists might attack the oil and gas industry if there is an opportunity there, but economic crime is always going to be there. There will always be money to be made.
Oil and gas is one of the areas where there is continual innovation and whether somebody does very well may depend on whether a new technique for exploiting a particular avenue to make money is available to them.
Oil and gas is also prone to situations where the systems are held to blackmail because whenever something stops, money starts getting wasted. The stakes are very high in oil and gas exploration – a day’s inactivity can mean millions of dollars.
SB: What specific steps can the oil and gas industry take to improve their cyber security?
DE: The trouble is, it’s always the boring things which are most effective and it’s the boring things which actually will solve 95% of the problems. It’s making sure that staff aren’t allowed to bring in software, discs or thumb-drives which you haven’t adequately scanned beforehand.
That’s really one of the biggest threats. It’s always a balance between trying to make your computer system as usable and as easy to access as possible, compared with trying to make sure that those accesses are legitimate. If you take the example of the Stuxnet attack on the Iranian nuclear industry, Stuxnet was actually introduced on thumb-drives.
It’s easy to say let’s ban all thumb-drives, but you’ve got the other problem of how you are going to get information on to these machines and off these machines.
Also, when people find that there is a mechanism that is difficult for them to use, they try and work around security measures and that’s exactly when malware will actually strike and cause damage.
SB: What can firms do to stop cyber threats from spiralling out of control?
DE: It’s about education. You’ve got to have systems in place to stop obvious threats and above all you’ve got to police them – you’ve got to continually make sure that people are following procedures. Making people security conscious is probably the most cost-effective thing you can do.