
How can hackers impact the oil and gas industry?

30 Jul 2015


Hackers have built a substantial web of fear that tends to intimidate the most powerful entities in the world. Feelings of trepidation and anxiety related to hackers are completely valid due to the devastating aftermath of a cyber attack. One of the most infamous corporate take-downs occurred in China in 2000. Chinese hackers breached the security of Nortel Networks, one of the largest and most powerful telecom equipment manufacturers in the world. By 2009, Nortel declared bankruptcy, which was the result of hackers selling corporate secrets to telecom competitors.

Hackers have the power to greatly affect the economy on local, national, and global levels. Oil and gas are counterparts of the energy industry with a substantial presence in our everyday lives. Like other sizeable industries, oil and gas network systems are at great risk of cyber attack. An immeasurable amount of information is constantly being transferred, and hackers are looking for an inevitable weakness or opening to gain access to this wealth of information.

What Hackers Do

The sole intent of hackers is to breach network security, email servers, and web servers to gain access to information that is often intended to be confidential. They use specialty software to find overlooked loopholes or weaknesses that will ultimately compromise virtually any type of security measure. Hackers collect information for a number of reasons, with exploitation being the primary purpose of hacking into a system. Hackers can attack individuals, but they are more interested in the challenge associated with authoritative entities and larger corporations. Hacking into a massive network system can cause widespread “hidden” destruction to the corresponding economy.

McAfee and the Center for Strategic and International Studies released a report with some disturbing numbers. In the United States, over 500,000 jobs are lost on an annual basis due to corporate espionage initiated by hackers. Furthermore, the report revealed that hackers cost the US a staggering $100 billion per year in security, insurance purchases, and repairing corporate reputations following a cyber attack. Hackers are a powerful force to be reckoned with, and the energy industry is a likely target due to the amount of information constantly being transferred.

Why it Matters
There is reason for serious concern if a hacker prevails over a network system within the oil and gas industry. First and foremost, the personal information of millions of clients can be sold or traded, landing in the hands of others who have nothing but ill intentions. Personal information is obtained using tactics that are more common than complex, known as spear-phishing and waterholing.

Spear-phishing is sending what appears to be a legitimate email to a particular group of people who are usually included on a target list. In the field of energy, the target list would include some of the upper echelon who have control over the transfer of monies and information. The email is prepared strategically according to the information a hacker has already collected about an individual. The email will typically appeal to the targeted individual, creating a higher probability that it will be opened. A malicious link in the email directs the user to a malicious site that downloads software to infect the computer system being used.

Waterholing involves hacking into websites that the intended targets are sure to visit. Hackers replace site code with duplicate malicious code to ensure that a visiting user's computer system will be infected. Both methods put users at risk of unknowingly infecting their own systems, which can lead to hackers taking over the control system within an energy establishment that links to every aspect of an operation. This attack combination can result in dire consequences at every level of an operation.

The oil and gas industry uses control systems to monitor and control processes linked to the processing, storage, and movement of product. Control systems are typically believed to be a waste of time for hackers to pursue, and cyber security is considered unnecessary for these systems because they are thought to be standalone, or not connected. This reasoning is flawed because control systems are in fact connected to the Internet in some way, typically through a business network.
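The point about control systems being reachable through the business network can be checked against a firewall rule set. The following is an added example, not part of the original article: it treats permitted flows as a graph, finds the route from the Internet to the control zone, and lists the rules whose removal alone would isolate it. The zone names, service labels and rule set are constructed for illustration.

```python
from collections import deque

# Constructed rule set: (source zone, destination zone, service) flows a firewall permits.
ALLOWED_FLOWS = [
    ("internet", "dmz", "https"),
    ("dmz", "business", "smtp"),
    ("business", "historian", "sql"),
    ("historian", "control", "opc"),
    ("business", "engineering", "rdp"),
    ("engineering", "control", "vendor-tool"),
    ("control", "historian", "opc"),
]

def shortest_path(flows, src, dst):
    """Breadth-first search over permitted flows; returns the hop list or None."""
    graph = {}
    for s, d, svc in flows:
        graph.setdefault(s, []).append((d, svc))
    queue = deque([(src, [])])
    seen = {src}
    while queue:
        zone, hops = queue.popleft()
        if zone == dst:
            return hops
        for nxt, svc in graph.get(zone, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + [(zone, nxt, svc)]))
    return None

def single_rule_cuts(flows, src, dst):
    """Flows whose removal alone leaves dst unreachable from src."""
    if shortest_path(flows, src, dst) is None:
        return []
    return [f for f in flows
            if shortest_path([g for g in flows if g != f], src, dst) is None]

if __name__ == "__main__":
    path = shortest_path(ALLOWED_FLOWS, "internet", "control")
    print("reachable" if path else "isolated", path)
    print("single-rule cuts:", single_rule_cuts(ALLOWED_FLOWS, "internet", "control"))
```

In this constructed rule set the business network has two separate routes into the control zone, so closing either one alone does not isolate it; only the rules upstream of the business network are single points of separation.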

It is completely feasible for a hacker to reach a control system with the above tactics. The takeover of a control system in oil and gas can affect the processing of goods in detrimental ways. The storage and transfer of products could be redirected to send an extreme amount of oil and gas to a location that was not necessarily en route for delivery, while causing an absence of product in a location or country that is highly dependent on oil and gas.

The Overall Impact
Executives in the oil and gas industry are aware and warn that a cyber attack could cause “real-world” damage compared to a typical breach in the security of information systems. They also warn of the realistic chance that a hacker could take over a control system that would lead to grave damages including a negative environmental impact. Take into consideration all of the compressors, oil wells, turbines, and power plants that a control system manages. Hackers gaining control of the components of an energy system could ultimately affect every level of operation including innocent bystanders.

Countries that are highly dependent on gas and oil would literally be shut down by a cyber attack. 60% of the energy in the United States is produced by gas and oil. The impact of a cyber attack would be detrimental, and the costs associated with rebuilding the nation would be immense. The threat of hackers interrupting the daily operation of the oil and gas industry is real. Corporations need to take a proactive approach to meet the threat with a prepared defense. Hackers live for the opportunity to attack when organizations seem to be the most vulnerable.