The Qatari natural gas giant RasGas and Iran’s nuclear enrichment programs also were attacked in similar ways. These attacks cost these companies billions of dollars, but that isn’t the point.
Aside from the obvious financial disaster for the attacked company, the real threat of such cyberattacks is their possible use for the purpose of crippling major world economies. If Aramco’s production had been crippled by the cyberattack, the world would have been short on oil immediately and the ripple effects would have been huge. The United States would have been especially hard hit – we import 2.5 million barrels from Aramco.
Energy Under Attack
You can begin to see a very worrying pattern here between the attack on the Algerian gas plant and the attack on Aramco – terrorists now understand that they don’t have to blow up a plane. Instead, they can focus on trying to stop the flow of oil and gas. The Department of Homeland Security found that 41 percent of cyberattacks in 2012 were aimed at energy companies. That’s a chilling statistic, and it should be an eye-opener to every company in the energy sector.
Terrorists can attack a well by opening a choke, shutting the well in, opening the well up to damage or destroying it by pulling water in – we don’t even know what all can be done yet, but we do know that those systems are very vulnerable. Equally important and damaging, competitors or terrorists could do a data dump to get all of a company’s proprietary information to sell to the highest bidder.
China was in news in February for a suspected military cyberattack unit, in fact. China is accused of using a Shanghai cyberattack team to gather information from the United States and other countries.
Think about what a foreign competitor could do with full access to a company’s operations. The BP disaster in the Gulf of Mexico was not the result of a cyberattack, but cyberattackers could certainly duplicate it, devastating not only the company but impacting the environment and potentially crippling the economy.
Automation a mixed blessing
Every company, whether mining, electric, or oil and gas is highly interconnected and connected to the internet. Oil and gas companies, for example, have become digital oil fields, using automation for a wide range of activities upstream and down: in drilling, refineries, and pipelines, even in the weld (called Smart Weld). Supervisory control and data acquisition systems (SCADA) control just about everything, including pumps, motors, valves, chokes – you name it. This is great for optimization but also makes oil and gas companies very vulnerable to cyber attack.
Ensuring security against cyberattacks is a tricky and complex proposition. Even companies that have an aggressive security process, including measures like firewalls and so-called “air gaps” between production networks and less secure communications networks, can be vulnerable to penetration from within or access through shared printers or routers. ICS-CERT found 7,200 devices in the United States directly related to industrial control systems that can be accessed via the internet. A 2009 study by Symantec found 240 million malicious programs on the Internet and uncovered reports from businesses of more than 500,000 instances of unauthorized access.
These attack programs are not written by some bored kid sitting in his mama’s basement eating chips and drinking Red Bull. These programs took teams of well-funded professionals three to four years to write.
A Necessary Expense
Securing business systems against cyberattacks is neither simple nor cheap, but the alternative is much more costly. We’re late to the party on our security precautions, reacting now instead of being proactive. The first order of business should be to replace old legacy systems with new ones. The hackers aren’t just on the cutting edge; they’re creating it, so our technology and our practices need to be continually updated.
Proper security monitoring is another top priority, and this means human involvement. As much as we all love our automated systems, we can’t fully automate security monitoring without opening ourselves up to attack. Symantec found that the fastest response to a hacking incident was 25 minutes, but some attacks weren’t detected for weeks or even months. The fastest response times were the result of systems carefully monitored by humans. Imagine how much damage can be done, how much data can be stolen, in weeks or months, and you can clearly see the justification for better security monitoring.
Protecting the “air gap” should be another focus of cyber security measures. Companies should routinely do a thorough assessment of all the ways that they’re potentially connected to and accessible via the internet: shared routers, printers, or other communications can give a hacker a way in.
U.S. Defense Secretary Leon Pannetta warned that a coordinated attack on national infrastructure would be a “cyber Pearl Harbor.” It may sound hyperbolic and alarmist, but when you think about the devastation that could result from a major cyberattack on global energy sources, it is, indeed, alarming.
CHRIS FAULKNER is the founder and CEO of Dallas-based Breitling Energy Companies, the holding company of Breitling Oil and Gas and Breitling Royalties, which he also founded and serves as CEO. The companies are in the oil and natural gas exploration, production and investment business. Faulkner’s diverse and extensive background in the oil and gas industry in North America, Europe and the Middle East covers all aspects of oil and gas, including project management, production, facilities, drilling and business development. Faulkner serves as an advisor to the ECF Asia Shale Committee and sits on the board for the North Texas Commission.