Last summer, energy companies discovered they were primary targets of the “Energetic Bear” computer virus, so named because it is believed the cyberattack originated in Russia or the Eastern European bloc. The nefarious tactic involved first infecting a legitimate and trusted website commonly used by the target companies, which would then click on a link that downloaded the malware into their corporate industrial control systems (ICS). Once inside, the hackers could poke around the ICS at will undetected and download any intellectual property or sensitive data, such as passwords. Worse, they could completely sabotage the infected systems, potentially disrupting the power grid, pipeline transportation and production.

Of more than 1,000 known compromised companies, fully one-quarter were in the U.S. It is believed the perpetrators of Energetic Bear had access to proprietary information for a year and a half or longer before being detected.

“The reality is, if you are connected to the Internet, you are vulnerable to cyberattack,” said Jim Guinn, senior managing director for PwC and part of the information technology security, privacy and risk practice. “It’s not something that’s going away.”

According to the Department of Homeland Security’s Industrial Control System Emergency Response Team, or ICS-CERT, the energy sector represents more than half of all cyberattacks coming into the U.S.

“There are two kinds of companies,” said Steve Senterfit, vice president of commercial energy for Booz Allen Hamilton, another management consulting firm specializing in cybersecurity—“the ones that have been penetrated and know it, and the ones that have been penetrated and don’t know it.”

And while the power sector is guarded as a potential cybertarget for terrorists looking to disrupt Western society, the upstream oil and gas sector is a vital target as well, for various reasons.

“Upstream oil and gas companies have as much to be concerned about as companies that fall within the country’s critical infrastructure,” said Senterfit.

Theft of intellect

“Espionage is the first threat, and access to intellectual property is a leading motivator, particularly for nation states,” Senterfit said. Foreign intelligence services linked to Russia and China lead the field in identified threats.

“Most nation states that are bad actors in the world today are those with their own oil and gas companies,” Guinn said. “These are highly motivated and well-funded national interests trying to harvest intellectual property. That is a clear and present danger to E&Ps.”

That intellectual property might include engineering schematics on new technology, seismic data on new areas of exploration, financial data that could be used to short or long a stock, or merger and acquisition data. “Is it easier to develop and train engineers, or is it easier to steal someone else’s engineering drawings and schematics?” Guinn asked.

“Wouldn’t you like to know where majors or large independents are looking to explore next? You could get ahead of the curve if they have seismic data that leads them to believe there is a high amount of hydrocarbons in a particular area. That’s the sort of information intruders are trying to take,” Guinn added.

“If somebody obtains your seismic, drilling plans and so forth, they’re able to understand where you’re looking, estimating your reserves and how you plan to drill,” Senterfit said.

Another risk: infiltrators making copies of bid documents for reserves so they can undercut other bidders. “I’ve had executives tell me they were sure that, because of bids lost, somebody had to have information either from the inside or the outside,” Senterfit said. The same scenario compromises companies entering joint ventures.

Not all threats are nation states. Some are simply information brokers looking for a financial haul.

“Some [hackers] don’t really care what they get,” Guinn said. “They get it and post it online, then sell it to the highest bidder.

“If I know what someone’s earnings are about to be, or there is a potential M&A target, or a new discovery that’s about to be released, I can use that for material gain. So whether it’s a nation state or individual bad actor, that’s the type of information that can be very profitable for a criminal to exfiltrate.”

“Hacktivists” are another threat—random individuals trying to harm a company for political motives.

“Instead of picketing outside the building, they want to steal information to post to any sort of ‘xyzleaks.com’ website,” Guinn said. Companies have had websites defamed, propaganda put up externally, email systems breached and information collected that could have a negative impact on the brand or reputation. “These are one-off, and you don’t know when they’re going to occur, but they are just as important to thwart as nation states.”

Methods of attack

Rather than a full frontal assault, hackers instead breach networks with slow burns. “The intent is to come in undetected, navigate a network, and collect as much information for as long as possible, then use that information when appropriate for whatever commercial or material gain is warranted,” said Guinn.

“They sit on a wall and listen and exfiltrate data until such time that it is useful to act upon it, because once they act, there is a high degree of probability that they’re going to be detected.”

Energetic Bear used a technique known as a watering hole attack to infiltrate systems. In this case, hackers compromised a website frequented by certain energy and industrial companies, which then unknowingly downloaded the virus through a routine update of ICS system software. The malware was used to spy on these companies.

Phishing is another common method of invasion, where an individual clicks a link or downloads a document sent via email, presumably from a trusted source. “These organizations doing this are getting more sophisticated. People will get an email that actually looks like it came from somebody within the company.”

Cyberattacks are rarely publicized and often dealt with internally, thus creating a perception of low risk. But Senterfit confirmed, “Yes, there have been attacks on E&P companies.”

The catch is that companies don’t know they are breached until it’s too late. Booz Allen and PwC work directly with companies to proactively detect threats in advance and thwart them. Oil and gas companies need to move beyond simple electronic barriers such as virus detection software and move toward proactive threat detection across what is turning into a multidimensional threat surface, Senterfit said.

“It’s not just an IT thing. The C-suite has to get their arms around this and it has to have their sponsorship. It has to move from the back office to the boardroom. They need to take it seriously.”

Senterfit said upstream companies should be every bit as diligent about preparing for cyberthreats as they are about health, safety and environment (HSE).

“Oil and gas companies have a phenomenal culture around HSE. They need that same culture around cybersecurity where it’s part of their industrialized DNA. That doesn’t happen overnight.”

Guinn emphasizes the point. “Everybody knows to wear their steel-toed boots and hard hats, and knows when to leave a platform when there’s a problem. They know where the big red button is to sound the alarm. That’s because they have an emergency plan and test their plan frequently. They should also have a cyberinternet management plan. What do you do when you find you have a breach?”

E&P C-suites and boards are beginning to understand the risks, Senterfit believes.

“Now, they need to integrate the business continuity and crisis management plans to include cyberincident response. They need to be proactive, make sure they have all the pieces in place, and understand what to do around incident response like they do around normal business continuity.”

Cyberhelp

Oil and gas companies do not have to go this alone. In addition to the federal ICS-CERT, which monitors and counterattacks cyberthreats, the oil and gas industry has formed its own clearinghouse of cyberintelligence.

The Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC) is an independent nonprofit organization formed to serve as a central hub for the rapid collection and distribution of intelligence on cyberthreats against U.S. energy networks.

Members can share information anonymously at http://ongisac.org/.

“If one company is seeing a particular type of cyberintrusion, it is probably going to hit the other ones too,” Senterfit said.

And while more and more energy companies are deploying security information officers to guard the gate, Guinn suggests hiring a firm experienced in cyberthreats to identify vulnerabilities, design a strategy and execute both a process and technology solutions. “At least figure out what you’re dealing with,” he said. “You don’t want to be the weakest link in the chain.”