5 Big Cyberattacks in Oil and Gas
Add bookmark
Investigators feared the worst when Colonial Pipeline, which transports nearly half of the gas supplies for the southeastern United States, revealed that it was the victim of a ransomware attack.
The company shut down its pipelines and US President Joe Biden declared a state of emergency as many gas stations in several states ran dry.
The ransomware attack on Colonial pipeline is often held up as the poster child for cybersecurity in oil and gas.
But Colonial is not the only oil and gas company to experience a cybersecurity incident in the past few years.
Cyberattacks on energy and commodities infrastructure are on the rise. Over the past 5 years, there have been 35 major incidents recorded, according to the S&P Global Platts Oil Security Sentinel™ research project. Ransomware attacks are increasingly successful and have risen 150% in the past year alone, according to the WEF.
The reason that oil and gas companies are so attractive to cybercriminals and sophisticated state actors is simple: energy infrastructure is critical to modern economies.
As his war with Ukraine continues, Russian President Vladimir Putin recently warned that energy infrastructure around the world was now “at risk.”
That sentiment matters because digital transformation is blurring the traditional divide between IT infrastructure and Operational Technology (OT).
According to Deloitte, the average large-scale oil and gas company “uses half a million processors just for oil and gas reservoir simulation; generates, transmits, and stores petabytes of sensitive and competitive field data; and operates and shares thousands of drilling and production control systems spread across geographies, fields, vendors, service providers, and partners.”
The result is that critical oil and gas infrastructure is as vulnerable to physical attack by saboteurs as it is to faceless armies of smart computer programmers.
While companies can be tight lipped about cybersecurity breaches, there are some that have had such enormous impact that companies couldn’t help but release the details.
In the lead up to our Cyber Security for Oil and Gas online event later this month (register here, it’s free!), we take a chronological look at some of the biggest cybersecurity attacks on oil and gas companies and infrastructure in the past few years.
#1: Cyberattack on European Oil Refining Ports and Storage Facilities
Year of Attack: 2022
The Low Down: A cyberattack on companies in Northern Europe earlier this year, including the oil refining hub of Amsterdam-Rotterdam-Antwerp (ARA), disrupted the movement of refined cargo. The attack came amidst rising tension in the lead up to Russia’s invasion of Ukraine earlier this year and during deepening concerns about European energy security.
The attack targeted systems at Oiltanking and Mabanaft in Germany, SEA-Invest in Belgium and Evos in the Netherlands. A total of 17 terminals (11 in Germany and six in ARA) were affected, according to Platts. Operational processes, which meant that product couldn’t be loaded or uploaded from barges, jammed up while the companies sought to resolve the attack.
The incident has left enduring concerns about the security of European energy systems at a time of soaring energy prices and geopolitical tensions.
#2: Ransomware Attack on US Colonial Pipeline
Year of attack: 2021
The Low Down: The ransomware attack on Colonial Pipeline is perhaps the most well-known of all the recent cyberattacks in the energy industry.
In response to the breach, Colonial shut down 5,500 miles of pipeline that carries 45% of fuel supplies on the East Coast, citing concerns of the vulnerability of the physical infrastructure in the wake of the attack.
CNN reported that the hackers targeted the company’s billing systems and that the inability to bill customers factored into the decision to shut the pipeline.
The shutdown led to fuel shortages and panic buying in multiple US states. In Washington, DC, more than 87% of fuel stations ran out of gas following the shut down.
The incident brought into sharp relief the increasingly blurred lines between IT and operational technology and the increasing importance of shoring up cybersecurity at critical energy infrastructure.
#2: Triconex Controller Attack at Saudi Aramco
Year of attack: 2017
The Low Down: As one of the world’s biggest single exporter of crude oil, Saudi Aramco has been hit by multiple cyber attacks. One of the biggest and most sophisticated attacks targeted Triconex controllers at the Saudi Arabian company’s oil and gas facilities in 2017.
Triconex controllers are an industrial control system manufactured by American company Schneider Electric. These critical industrial controllers keep equipment operating within safe parameters by regulating attributes like pressure, temperature and voltage.
It is believed that the attack was designed to cause significant damage to Saudi Aramco’s oil and gas operations. Luckily, a bug in the attacker’s computer code shut down the plant’s production systems before it could cause significant damage to operational assets and infrastructure.
A report in the New York Times said that this represented an escalation in the nature of cyberattacks on oil and gas companies.
“The attack was not designed to simply destroy data or shut down the plant, investigators believe,” write Nicole Perlroth and Clifford Kraussw. “It was meant to sabotage the firm’s operations and trigger an explosion.”
The group behind the cyber attack, XENOTIME, has expanded its list of targets to include European, Australian, Middle Eastern and American oil and gas companies, electric utilities in North American and Asia-Pacific, according to Dragos, a cyber security firm.
#4: Shamoom Malware Wipes Data at Saudi Aramco and Other Saudi Arabian Targets
Year of Attack: 2012, 2016 & 2017
The Low Down: The Shamoom Malware story began back in 2012 with reports of a data-destroying virus that was completely wiping out the hard drives of tens of thousands of computers at Saudi Aramco. A report on cybersecurity website Dark Reading said that 35,000 computers were partially or totally wiped by the virus.
Shamoom differs from ransomware; it completely erases the data rather than holds it for monetary gain.
In response to the 2012 attack, Saudi Aramco physically unplugged every office from the internet. The result was a return to paper-based systems, fax machines, and typewriters. While oil and gas production systems were unaffected, payment systems were offline, which meant queues of fuel trucks that were ready to be loaded but couldn’t be paid.
It took 5 months for the company to get its offices set back up and running online again.
The virus resurfaced again in 2016 and 2017 with attacks on other Saudi Arabia entities including Tasnee, a privately owned Saudi petrochemical firm, and Sadara Chemical Company, which is a joint venture between Saudi Aramco and Dow Chemical. As with the Saudi Aramco attack in 2012, the malware completely erased the data from all affected computers within minutes. Recovery from the attack took months.
#5: 50+ Companies in Norway’s Oil and Gas Sector
Year of the Attack: 2014
The Low Down: Norway’s National Security Authority (Nasjonal Sikkerhetsmyndighet – NSM) revealed that 50 companies in the oil sector, including Statoil (now Equinor), were hacked and 250 more were warned by government agency of a potentially serious data breach.
Not many details are readily available of the 2014 attack but it draws attention to the vulnerabilities of the country’s critical oil and gas infrastructure. Norway is currently on heightened alert of attack because of its importance as the key gas supplier European markets in the wake of Russia’s invasion of Ukraine.
“The value of Norwegian gas to Europe has never been higher," Stale Ulriksen, a researcher at the Royal Norwegian Naval Academy, recently told the Associated Press. "As a strategic target for sabotage, Norwegian gas pipelines are probably the highest value target in Europe."
Unidentified drone sightings near the country’s offshore oil and gas platforms and recent sabotage of the Nordstream 1 and 2 gas pipelines have added to fears.
The Financial Times newspaper recently reported that chief executive Nicolai Tangen of Norges Bank Investment Fund, a 1.2 trillion dollar Norwegian Oil Fund, cited cyber security as the number one threat today. He said that the bank was subject to over 100,000 attacks a year, double what it was just 2 or 3 years ago.
“I’m worried about cyber more than I am about markets,” Tangen told the Financial Times. “We’re seeing many more attempts, more attacks [that are] increasingly sophisticated.”
With heightened geopolitical and climate risks, the dangers of inadequately secured cybernetworks are rapidly increasing.
“With connected technology’s adoption and penetration getting ahead of current cybersecurity practices, it is not just the new IoT-generated information and value that is at risk. The future opportunity cost—including the safety of personnel and impact on the environment—is at stake,” writes Deloitte authors Anshu Mittal, Andrew Slaughter, and Paul Zonnevald.
The time is now for oil and gas companies to address security concerns and ensure the safety of critical IT and OT networks.
Interested in Learning More About this Topic?
Join us at our upcoming Cyber Security in Oil and Gas Online Summit to find out how you can improve operational visibility, while building a secure future for your up-, mid- and downstream networks.
You’ll learn how to improve risk management while exceeding government regulation, understand which parts of your network are vulnerable and in need of special protection, and unpack how to better manage operational risk by proactively identifying accidental and unintentional cyber incidents. Save Your Seat Here.
