U.S. energy facilities are increasingly being targeted by cybercriminals, according to a recent report released by government and private security officials. Just one agency, the Department of Homeland Security, reported a jump in cases with its investigators receiving reports of 59 significant cyber incidents occurring at U.S. energy facilities in 2016.
The agency handled 290 cybercrime incidents last year involving numerous industrial sites, including factories, power and chemical plants, refineries and nuclear facilities. Many of these incidents originated with “phishing emails” — emails sent by hackers that trick people into downloading virus-infected attachments or links. Many others came from “network probing” and “scanning” schemes.
Some viruses result from malware that was inflicted on systems years ago but keep spreading. Others result from increasingly sophisticated schemes that continue to be created.
In a study conducted in 2015 for Hewlett Packard Enterprise, the Ponemon Institute estimated cybercrimes are costing U.S. energy and utility companies about $12.8 million a year in lost business and damaged equipment. And the possibilities of catastrophic events being caused by cyberattacks are growing.
Consider the “mother of cyberattacks” that hit Saudi Aramco in 2012, when an employee opened a phishing email and released a computer virus. Files quickly began to disappear from the company’s computers. Telephones went dead. As staff desperately yanked cables out of equipment, computers shut down. In just a few hours, 35,000 computers were wiped or totally destroyed.
Saudi Aramco, which supplies 10 percent of the world’s oil, was unable to conduct business or communicate with customers. After about two weeks, the company had to give oil away for free to keep inventories from overflowing. It took five months for the company to come back online. A bigger disaster was averted because some of the company’s functions were not networked with the infected system.
The motivations for these attacks are many: nation-states waging war by attacking adversaries’ energy supplies and production; politically or ideologically driven groups advancing their causes; criminals seeking to steal data, divert production or extort money; and competing companies engaging in industrial sabotage or espionage.
Among the most common risks are plant shutdowns, equipment damage, utilities interruptions, production cycle shutdowns, product quality problems, undetected spills and safety breaches that result in injuries and death.
Imagine, for example, what would happen if a hacker changed critical settings that controlled the filling of a tank. A cybercriminal could engineer an explosion when the tank reached its maximum capacity.
Imagine what would happen if a hacker changed the temperature and pressure settings on a remote plant, triggering a shutdown and a time-wasting, expensive investigation.
Imagine if a hacker changed the oil stock information of a company to incorrectly indicate it had a much bigger inventory. When the demand exceeded supplies, the company could no longer service customers. Havoc would be inflicted on the company, oil prices and marketplace.
The number of cybercrimes occurring in the energy industry likely is underreported because many companies do not want to divulge their vulnerabilities. But companies are increasingly addressing these risks.
ABI Research, a technology market intelligence company, estimates oil and gas companies will be spending $1.87 billion on cyber security by 2018. Industry and government initiatives also are underway to develop standards and requirements for reporting breaches and improving security.
But there are immediate steps companies can take to protect their systems.
• Make cyber-security a priority — from top management to line employees, as well as contractors. This includes investing in cybersecurity systems.
• Understand vulnerabilities. Don’t assume any operation is safe from hackers. Network systems when it makes business sense. Create “firewalls” when possible.
• Share security concerns with others in the industry. A “common enemy” should encourage common, timely solutions.
• Disseminate sensitive information on a “need to know” basis. This should not create barriers for a company’s efficient operation. Rather it should be to minimize exposure to security breaches.
• Educate the workforce. Train employees how to recognize hacking and other cyber intrusions, as well as how to prevent these crimes from occurring.
— Alphonso Rivera is the founder and CEO of Advanced Micro Resource, a Bakersfield-based digital forensic company that specializes in digital audits involving cell phone and computer evidence for attorneys, private investigators, human resources consultants and companies.