How Can You Combat Cyber Crime In Oil & Gas?
In our first article on cyber security we looked at the main threats. But who is behind these threats facing the oil and gas industry? And how can they be combated? Michela Menting of ABI Research explains how prepared the energy sector is to combat cyber crime — and how prepared it needs to be.
Cyber crime in the oil and gas industry is back in the news again. In mid-June Mohammed Atif, managing director of DNV KEMA, a leading name in risk management along the energy value chain, was quoted as pointing out that investments in cyber defence in the Middle Eastern energy sector have been planned but, unlike Europe and the US, there is no cyber security strategy implemented yet.
The Middle East situation is certainly worrying, given last year’s incidents at Saudi Aramco and Qatar’s RasGas in which viruses spread via office computers. And Atif also pointed out that regional cyber attacks, notably on energy supplies and transiting routes, could have an impact well beyond the Middle East.
Which is true. However, pinpointing the Middle East’s failings does not mean that the rest of the oil and gas industry is a great deal readier to fight off cyber attackers. As ABI Research senior cyber security analyst Michela Menting points out, most of the energy sector is not adequately prepared — at least where industrial control systems (ICS) are concerned. As she says, "A serious lack of drive exists in tackling the problem of ICS vulnerabilities in any comprehensive or thorough way." She continues, "The industry perception that cyber risks are low because few and limited attacks have occurred on ICS is not just misguided, but highly dangerous."
There may not currently be a major onslaught by hackers to take down and seriously disrupt ICS, but the slow response of the industry to the need to address cyber security issues is, says Menting, "a grave mistake", and one that could cost billions of dollars in the long run. But the message does seem to be slowly getting through. As Menting says, "The oil and gas sector has been shaken more roughly [than other energy sectors] in the past year. The damage caused by the Shamoon virus at Saudi Aramco has jump-started fears about the potential damage that could result from a large-scale cyber attack on the industry."
Of course dealing with a threat also means trying to understand the motives of cyber attackers. Shamoon, for example, appears to have been used by anti-Saudi forces. Is a disruptive or terrorist attack the norm? Or could there be financial motives? Which rationale is the most likely?
In fact, says Menting, "The most obvious and immediate threat is undeniably the insider: a disgruntled employee with malicious intent, or even a poorly trained employee inadvertently causing an accident." Terrorist groups are the second most likely threat, however — and not just the generally politically motivated groups of the left or right but also environmental militants. Menting explains, "While eco-terrorism is not widespread, there have been past cases of pipeline and well sabotage by individuals like Wiebo Ludwig [a Netherlands-born Canadian convicted of oil and gas well sabotage in the late 1990s] or groups like the Earth Liberation Front [an apparently leaderless international movement whose tactics seem to involve economic sabotage and guerrilla warfare]."
But politically motivated terrorism is a more immediate and real danger. Terrorist groups like Al-Qaeda have been targeting the Western-run oil industries for some time. The more recent cyber attacks against Saudi Aramco in September 2012 involving the Shamoon virus are believed to have been instigated by a state-sponsored group intent on disrupting hydrocarbon production. Izz ad-Din al-Qassam is one such; this group of self-proclaimed cyber fighters became widely known recently through its attacks on US banks.
As well as these leading threats, a growing number of perpetrators are hackers. They are not a unified body; they have different motivations and use varying tactics to get access to systems. Menting explains, "Their goals can be intrusion for the purposes of control, data theft or espionage."
Which brings us back to our earlier point. If oil and gas is not as ready as it should be, how ready is it? What sort of shape are cyber protection systems in? What can be done — or needs to be done — to improve them?
Despite the relatively gloomy outlook, a number of tools do exist to counter cyber attacks directed at the oil and gas industry. "Risk mitigation should be envisioned on two separate levels: at the corporate network level and at the ICS level," Menting explains. The good news is that, for the corporate network, commercial off-the-shelf (COTS) IT threat prevention and management mechanisms are available and adequately suited. Thus you can get your hands on solutions including antivirus software, anti-spam filters, backups, encryption, firewalls, intrusion detection systems/intrusion prevention systems (IDS/IPS), and unified threat as well as identity management solutions, among many others.
Another piece of positive news is that often the corporate network serves as the buffer between an ICS and the Internet. Therefore, a solid cyber security policy at the corporate level can help deter the majority of potential malware targeting ICS vulnerabilities. "Nonetheless," Menting warns, "COTS solutions are not well suited to the specific ICS environment."
What can oil and gas do about this? "Broadly speaking, two ways exist for managing risks that should be considered in the oil and gas industry," Menting suggests. "The first is to control the threat by reducing the likelihood of occurrence; this is done by patching vulnerabilities and strengthening security mechanisms. The second is to ensure that response mechanisms are resilient and robust, and able to ensure business continuity and reduce the impact of downtime. These methods require the use of preventive and reactive security tools as well as deployment of proactive counter measures."
And, apparently, energy companies are now willing to buy those tools and take those measures. As we noted in the first of these two articles, in a review of oil and gas industry cyber security spending ABI Research’s Cyber Security and Smart Grids Research Services suggested that realization of the financial implications of persistent cyber threats will boost cyber security spending on critical infrastructure in the oil and gas industry; it will reach $1.87 billion by 2018.
What, then, will the industry be buying? And which sectors will do the spending?
"While the private sector will be the primary driver of cyber security spending, the government side will make some dedicated efforts to invest heavily in securing the oil and gas sector, due in part to its status as a critical infrastructure," suggests Menting. Of course this should hardly be surprising given that quite a few of the top oil and gas producers are essentially government-owned.
The largest amount of spending will be for IT network, ICS, and data security. "This is due to the fact that preventive and reactive measures still form the largest part of cyber security spending for an organization," Menting explains.
The second spending category will be on policies and procedures, including, for example, personnel training and obtaining security certification. In fact audits and standardization will become increasingly important upstream and downstream in the value chain. As Menting points out, "The oil and gas industry is a massive sector, with individual companies dealing on a daily basis with numerous contractors, some of which may offer an unsecured backdoor for attackers. This is especially true in cyber espionage, where attackers will spend a considerable amount of time scoping all possible points of entry into a particular target company."
The oil and gas industry is at last starting to take cyber security very seriously. However, cyber threats are going to become more sophisticated in the future. As Menting points out, "There is a thriving underground economy which is making a lot of money from this". And not just underground; nation states are now increasingly involved in cyber espionage.
So the energy industry has woken up to the threat of cyber crime — and not a moment too soon. However, there is no room now for turning back or relaxing — as Menting makes clear. "As companies and states ramp up security," she says, "cyber attackers will continue to develop ever more sophisticated tools to get around that security."
Source: Oil Review Middle East 2013