‘Cyber blindspot’ threatens energy companies spending too little

What is the cost of securing the nation’s energy from a cyber attack?

 

Amid rising threats, including a recent attack on several US power and natural gas suppliers, energy companies are now spending less than 0.2% of their revenue on cybersecurity, at least a third less than financial institutions, according to Precision Analytics LLC and The CAP Group LLC, security consultants who work within the industry.

 

Meanwhile, Symantec Corporation says it is tracking at least 140 groups of hackers actively targeting the energy industry, up from 87 in 2015. And Symantec is just one of several security firms working with the industry.

 

“It’s scary,” said Brian Walker, a former head of Marathon Oil Corporation’s global IT and now an independent consultant. Executives making funding decisions “aren’t necessarily millennials who intuitively understand” how cyberthreats reach seemingly disconnected units, he said.

 

“It’s guys my age who are the problem,” according to Mr Walker, who said he’s in his early 50s. “We’ve been 30-years trained in a world which does not work this way anymore.”

 

Earlier this month, at least seven pipeline operators from Energy Transfer Partners LP to TransCanada Corporation said their third-party electronic communications systems were shut down, with five confirming the service disruptions were caused by hacking.

 

Although the attack did not disrupt supply, it served to underscore an ongoing vulnerability to electronic sabotage. It showed how even a minor attack can jump between systems with ripple effects, forcing utilities to warn of billing delays and making it more difficult for analysts and traders to predict a key government report on gas stockpiles.

 

‘Real challenge’

This “cyber blindspot is a real challenge,” Mr Walker said. “Our fear is that we will play an ostrich and put our head in the sand until something blows up and people get killed or until the lights go out for a month.”

 

The threat is not new, but it is escalating.

 

In 2012, Saudi Aramco production was locked down during the disk-wiping Shamoon incursion, and the company was hit again by the same group in November 2016, said Bill Wright, director of government affairs and policy counsel for Symantec in Washington.

 

In 2015 and 2016, Ukraine was hit with blackouts by state-sponsored groups, a blow to the economy as well as the health and safety of its citizens.

 

Tracking Dragonfly

In the US, Symantec has been following another group, nicknamed Dragonfly, which has been around since at least 2011. Last year, the group became “a lot more aggressive,” with the goal of soliciting information on how energy companies work and figuring out how to maintain stealth access on their systems, according to Mr Wright.

 

The Federal Bureau of Investigation and the Department of Homeland Security issued a joint technical analysis about a month ago, tying Dragonfly to the Russian government and describing its ability to conduct sabotage, Mr Wright said.

 

The low levels of spending by the industry come as it rushed to adopt new ways to produce more product at a lower cost amid and following a historic, three-year rout in oil prices.

 

Over the last few years, the industry has been quickly adding electronic sensors and other monitoring capabilities to track data from 900,000 oil and gas wells, and 300,000 mi of pipelines.

 

Complex computer algorithms at every level of the industry are constantly adjusting the flows of everything from oil and natural gas to electrical power, with automatic valves in place which can shut down flow at a moment’s notice in the case of an accident with no human action needed.

 

And all of it is hackable, according to Walker and other experts.

 

‘Wide open’

“This equipment is fairly wide open from a security perspective,” said Matthew Stegall, director of IT assessments at Precision, who performs such assessments for Deloitte & Touche LLP and KPMG LLP. “Companies are starting to more and more look at this. But they are still very much in the infancy stage.”

 

Many of these operations run on separate networks, offering an “air gap” which energy companies often cite as a shield against wider ranging intrusions. But that has also created a false sense of protection, according to Gent Welsh, commander of the 194th Wing of the Washington Air National Guard who has long been involved in developing cybersecurity capabilities.

 

Making the leap from attacking corporate systems to those involving operations “is not hard at all” for experienced hackers, Mr Welsh said.

 

Operational assets

Companies are aware of the need to protect raw data, but they are often less sophisticated about the need to protect recently computerized systems for operational assets, according to Mr Stegall. “When you get to a discussion on locking down the operations issues, they kind of look like deer caught in the headlight,” he said.

 

Based on analysis developed over 15 years, energy companies who earn US$1 billion in revenue a year generally spend about US$1 million for cybersecurity, Precision found. In comparison, companies within the financial industry with US$1 billion in revenue could spend as much as US$3 million, according to the data. Financial services and retailers have been in the limelight for data breaches.

 

Mr Walker, who works directly with energy executives, said he has found it surprising how many believe the Defense Department or Homeland Security is defending them. They cannot, Mr Walker said, because the government lacks the capability, expertise and, importantly, the legal standing to defend civilian assets before they are attacked.

 

Limited access

At the same time, companies have avoided allowing real-time access to anyone outside their own organisation, “much less to the government,” Mr Walker said.

 

“Our adversaries well know that the soft underbelly of the United States is our critical infrastructure and key resource sectors, from power, to water, to transportation,” said Mr Welsh, who has testified in front of Congress on multiple occasions. “What our adversaries are really doing is relentlessly probing for weakness that can be exploited down the road for political, economic, and military gain.

 

“I dread the day where we can attribute the first loss of human life in this country directly or indirectly to a cyberattack,” he said.

 

It’s not just a theory: Mr Welsh had a team prove this vulnerability.

 

30-minute break-in

In 2014, the Snohomish County Public Utility teamed up with National Guard cyber operators to test its defence. They were given two weeks. After the meeting adjourned, it took less than 30 minutes to break into a drinking water treatment facility using a phishing e-mail.

The approach to cybersecurity also is affected by the normal siloing of departments within individual companies, the experts said. At many companies, IT security will typically fall under the purview of the chief information officer while operations security staff report to a different boss, Mr Walker said. The result: a communications gap.

 

It is not that the companies do not care about security. But the threat is growing exponentially, and companies of all types have had a hard time keeping up.

 

For instance, there has been a “dramatic rise” in so-called supply-chain attacks, where a software update itself has been compromised before it is even introduced into a company system, Mr Walker said.

 

Earlier this year, the Federal Energy Regulatory Commission proposed mandatory reliability standards and reporting requirements for supply chain risks, ranging from counterfeits to the insertion of malicious software.

 

In September, US Representative Derek Kilmer from Washington introduced a bill in Congress to create National Guard Cyber Support Teams in every state and territory.

 

“Whether or not the industry can self-regulate, I do have my doubts,” Stegall said. “But they don’t know what they don’t know.”

 

Source: World Oil