Oil and gas companies ‘waking up’ to cyber threats
Following high-profile data breaches of Middle East energy firms and NSA surveillance of Brazilian national oil firm Petrobras, it’s time to ‘step up and be proactive’.
October 14, 2013 2:00 by Steven Bond
Last year, five multinational oil firms were targeted by the hacktivist group Anonymous, which published the details of approximately one thousand email accounts of executives of Shell, Exxon, British Petroleum and others – along with unencrypted passwords.
“We know we’re going up against the most powerful countries and companies in the world, but together we have something stronger than any country’s military or any company’s budget,” reads the statement from Anonymous. “Our shared concern for the planet transcends all of the borders that divide us and – together – makes us the most powerful force today.”
Last August, Saudi Aramco owned up to the fact that they had been hit by a major malware outbreak. While oil production and exploration was supposedly not affected, it suspended its online presence for a short time period. Perhaps the lasting damage was reputational, suggests Paul Wright, manager of professional services and investigation teams for the Middle East, India and Africa at AccessData.
He was a speaker at last week’s Oil & Gas ICS Cyber Security Forum in Abu Dhabi and believes more is being done – but more is required – for energy firms to ramp up security.
Wake up and smell the security
“Oil and gas firms are waking up to the dangers that they face. Rather than come in after the fact, we would rather go in before anything happens and be proactive with security,” says Wright.
“Obviously Saudi Aramco has been hit twice now, which is horrendously embarrassing for the company, and RasGas has been hit once last year. In June, ‘Operation Petrol’ by Anonymous took down more than 130 websites of oil and gas firms, and those related to the industry – that was a huge eye opener”, he adds.
Gaining accurate information on successful data breaches is not so straightforward, according to Wright. Due to the reputational element, it is suspected that many attacks go unreported and a lot of “companies don’t come out and hold their hands up to a breach”.
Part of the issue is that, while many perpetrators penetrate systems, firms are not quite sure who they are blowing the whistle on. In the Aramco case, the firm later claimed the attack, named ‘Shamoon’, was by individuals from the UK. The real financial cost was also hidden.
“We don’t really see figures. People keep saying that ‘according to X, Y and Z a particular amount was lost’, but the true figure is never going to be revealed,” says the AccessData exec.
Nick Coles, director of The Dome, exposed the figure that oil and gas firms are currently facing two million threats per week. Compared with other industries, is there anything surprising about that number, according to Wright.
“That figure includes DDOS (distributed denial of service) attacks, which are growing as well. In 2011, there was more than 1.5 million DDOS attacks, compared with 120 million in 2012. This, I think, is because cyber criminals are going after cash during the good times as well as bad times.”
Suited, booted and ready to hack
Cyber criminals are now seen as business people, as opposed to being just a petty thief. From stealing cash in transit to selling narcotics and then pushing fake pharmaceuticals online, cyber criminals have veered towards the least risky method of making money.
“What’s attractive is simply not getting caught. The internet was seen as a benefit and the first waves of money-making initiatives included counterfeit pharmaceuticals and fraudulent email scams,” says Wright.
“The internet doesn’t have jurisdictional boundaries the same way as law enforcement, so it facilities a criminal. If I were a criminal, I’d live in one country, have my servers in another, attack countries in another country and store my money somewhere else entirely. In addition, I’d make sure to do my tax in countries where they don’t keep logs or enable quick evidence gathering.”
But are we seeing any prosecutions take place? While the private sector needs to be prepared with a cyber security solution, Wright points out that it is the responsibility of the public sector to target the assailants.
“It’s like cyber security itself, we’ve got to work together. Partnerships are a foundation stone to beat cyber crime and cyber criminals. That partnership might be between software companies, private sector firms, academia, military, law enforcement and so on.”
“The region has to step up to the mark and be proactive. We’ve discovered that the best security device is a block of wood, and the attitude ‘it won’t happen to us’ has got to go,” he concludes.