Hackers' Favorite Target: Big Oil and All That Deadly Equipment

Hackers have made the energy industry a favorite target.

A study conducted in April by Symantec Corp., the world’s biggest cybersecurity firm, found that computer-system invaders attacked 43 percent of global mining, oil and gas companies at least once last year. In a separate survey the same month, conducted for the Organization of American States by another security company, Trend Micro Inc., 47 percent of energy organizations reported attacks, the highest among all corporate sectors and surpassed only by governments.

“Nowadays you have computers running everything,” said Alvaro Cardenas, a computer-science professor at the University of Texas at Dallas and a member of the Cyber Security Research and Education Institute. “You can create blackouts or oil spills and hurt a lot of people.”

As if last year’s oil-price drop wasn’t enough, costs for energy companies rose faster than the U.S. average over the last five years, according to a study by the Ponemon Institute for Hewlett-Packard Co. Cybercrimes cost energy and utilities companies an average of $13.2 million each a year for lost business and damaged equipment, higher than in any other industry, according to Ponemon’s survey of 257 businesses.

Spending worldwide on cybersecurity for oil and gas infrastructure will reach $1.9 billion by 2018, according to ABI Research, a technology data company with offices worldwide.

‘Operation Petrol’

Brent crude, a global marker, fell 35 cents to $65.35 a barrel on the London-based ICE Futures Europe exchange at noon London time. West Texas Intermediate, the U.S. standard, dropped 38 cents to $61.05 a barrel at 9 a.m. New York time.

Like all big enterprises, energy companies want to protect sensitive data. But they have another dimension to worry about: the potential for hackers to cause physical damage to equipment such as drilling rigs or power stations. While the industry has long prioritized physical security, with electric fences and cameras typically standing guard at refineries and power plants, cyberdefenses are only recently getting similar attention.

Last year’s attacks on the energy sector included Anonymous hackers’ “Operation Petrol” and the “Sandworm” attack by Russian hackers trying to infiltrate North American utilities in order to control them at a later date. In 2012, Saudi Arabian Oil Co., the world’s largest crude exporter, said it suffered an attack that affected 30,000 computers.

Energy companies face all the usual threats from hackers who want to make a political point or snoop on confidential data to get an investing edge, according to Tom Kellerman, chief cybersecurity officer of Trend Micro, a Tokyo-based software provider. But their strategic and economic importance also makes them a target.

Unlikely Source

The vulnerability of U.S. companies has an unlikely source. After the 2003 East Coast blackout, power companies connected infrastructure to the Internet to make it more reliable, according to Kellerman.

Those weaknesses could multiply as technology companies market Web-connected home appliances, sometimes called the “Internet of things,” he said. Depending on how these devices are secured, they could create more openings for hackers to enter networks.

“It’s a double-edged sword,” Kellerman said. “Currently the energy sector is woefully unprepared for protecting itself from cyberattacks.”

Susceptibility is also a problem overseas. The Kuwait National Petroleum Co. disconnected the computer network that runs its three refineries from the Internet after hackers with the Anonymous collective announced plans last year to target Middle Eastern oil companies, according to Abdul-Aziz Duaij, the company’s top technology officer. The network wasn’t compromised, he said.

Needs Permission

The KNPC uses software that prevents anyone from installing any program without permission to make it tougher for hackers, Duaij said.

“We consider everybody a threat, even insiders,” Duaij said.

Last week, U.S. officials revealed that hackers breached U.S. Office of Personnel Management computers, stealing confidential records of as many as 4 million current and former government employees.

While sources of attacks can be difficult to identify, U.S. companies such as Mountain View, California-based Symantec point to activity coming from Russia, China, North Korea and Iran. Documents made public by U.S. National Security Agency contractor Edward Snowden suggested the NSA spied on Petroleo Brasileiro SA, Brazil’s state-run oil company, according to a report by Globo TV.

Monitoring Networks

U.S. Director of National Intelligence James R. Clapper acknowledged that the country does gather information on “economic and financial matters” but doesn’t steal trade secrets and share them with U.S. companies.

Companies can protect themselves by monitoring network traffic for unusual activity and training employees to recognize suspicious e-mails. Still, no matter how secure a company makes its technology, state-sponsored hackers almost always gain access by manipulating people, said Antonio Forzieri, a Symantec strategist.

“I’d love to have a patch to deploy to the humans, but you can’t do that,” he said. “These attacks are not science fiction, they are every day.”

(An earlier version of this story corrected a misspelling of Ponemon Institute.)