A fresh ransomware attack on an energy company reminds Boards that cyber threats are still real, and that energy infrastructure remains vulnerable.
This past week, a petroleum products company, Colonial Pipelines of Georgia, suffered a ransomware attack, and as a precaution, the company shut down its pipeline operations until the business could be secured.
Unfortunately for business, cyber activity pays off, and handsomely too. In the US, some 4000 ransomware attacks take place daily, the average ransom payment is now $13000 (although I suspect it’s a lot higher than that), and cryptocurrency payments make it devilishly hard to recover any ransoms paid. The costs to the criminal organization are no doubt increasing as organizations harden their operations (offset by the lower costs of automating their cyber activities), but the probability of getting caught, and the lenient punishments involved, don’t seem to deter the market.
The US Department of Homeland Security tries to keep tabs on cyber activity and believes that over 50% of all cyber attacks from 2015 to 2019 have been aimed at energy infrastructure (power, oil, and gas). This is surprising to me as I would have thought the bulk would be aimed at financial institutions, because that’s where the money is.
However, more and more cyber activity originates with state actors who have interests in destabilising entire economies for reasons other than purely theft of financial assets. For example, if Russian hackers can disrupt the reliability of the European electricity grid using cyber, it might strengthen the case for greater reliance on natural gas, a commodity Russia supplies, and with that reliance, a vastly improved longer-term strategic pipeline asset for influencing European politics.
The most alarming development is cyber activity whose aim appears to be sabotage or destruction of industrial plants. In 2018, Saudi Arabia experienced a worrisome attack on one of its petrochemical plants where the goal of the attack was to trigger an explosion. The cyber activity took aim at a very widely deployed process control system from a global supplier of such technology, meaning that the other 18,000 installations of the same process controllers are suddenly vulnerable. An obscure air-gapped device was the weakest link.
Colonial Pipelines does not believe its industrial control systems were impacted, but only time will tell.
In any case, the costs to the victim are much higher than any ransom payments, in terms of an urgent and unanticipated outlay to remediate the attack, an unwanted distraction from operations, a shutdown of operations to recover, the costs of brand damage, the potential for customer defection, and potential regulatory penalties. Experts from RigNet believe that the average cost to recover from a successful attack in energy is over $17m, more than 5 times the average. Media stories of high profile cases involving consumer and financial data theft point to much higher sums.
Finally, a reluctance by business to acknowledge that they have been successfully attacked impedes efforts to mobilise effective sector-wide responses.
Digital Weapons Are Powerful
Digital technologies are very democratic — anyone can access them. All you need is a reasonably advanced smart phone from any of the big phone suppliers, internet access (free in coffee shops and malls), and a free account on a cloud service.
Download some apps from the app stores and you’re in business. The apps are mostly free too, which tells you they’re not costly to make. The computer coding languages must be pretty easy to learn, and the techniques for making the apps seductive and mildly addictive must also be widely shared.
Much of this digital world is based on open source technologies, a kind of rocket fuel for propelling innovations forward.
These same technologies are becoming more commonplace in the industrial world of energy manufacturing and distribution. The underlying chip technologies, protocols, standards, and architectures migrate easily between the industrial, consumer, and defence sectors.
And they can be put to more nefarious usage, namely cyber activity. The same processes that are democratising digital are also enabling a booming cyber criminality world. Make no mistake — the smart phone in your pocket doubles as a weapon for evil.
A sticky and growing problem
In my view, there are several additional trends (besides the democratization of technology) that are helping enable cyber activity in the industrial world, and these trends show no signs of slowing down or reversing course.
We have a growing reliance on wireless network connectivity, and we’re about to roll out a new protocol, 5G. Much of the world still labours under 2G, an older and more vulnerable telecoms standard. Wireless links can be compromised at source and during the transmission of data. Both links and transmissions can be hacked.
We are adding sensors of all stripes to many things (the internet of things). These sensors generate lots of data, house software, and enable connectivity, creating a greater attack surface for cyber criminals to target.
We are interconnecting our systems which allows faster spread of viruses and criminal access. Response time to deal with a threat is shrinking. Computer viruses now spread much faster than human viruses. Staying on top of all the patches is an overwhelming job, with the result that many successful attacks target unpatched kit. Interconnections are growing faster than our ability to keep abreast of the cyber risks that the interconnections create.
We are adding internet links to our legacy infrastructure. That legacy gear was never designed for such a hostile world, and lacks the ability to be patched, or even monitored for cyber activity. The documentation from some old kit is still online, and sometimes the passwords are both hard coded in the system and included in the documentation.
We’re adding code to things in extraordinary quantities that are impossible to fully grasp. The Ford F-150, the world’s most popular pickup truck, has more lines of computer code (150 million) than Facebook, the Large Hadron Collider, the space shuttle and the iPhone. All that code is potentially vulnerable to hacking.
Finally, we’re going to unleash a brand new wave of innovation — autonomous transportation, smart manufacturing, smart cities, digital farming — that will add to the opportunity for cyber criminality, in ways we have yet to fully understand. Forward thinking criminals are already preparing for this new lucrative playground.
The lightweight human centric tools of the past for managing cyber activity are simply no longer up to the task of managing and repelling the onslaught of attacks. With thousands of access points, sensors, equipment, networks, and industrial assets, each a potential cyber target, companies need all new tools to deal with the rising volume of activity.
Leading companies approach this new problem by applying the latest digital tools, including artificial intelligence, machine learning, and robots, to cope with cyber activity. The resulting struggle pits the human ingenuity, AI tools, and bots of the criminal sector against the trained technical teams, AI tools, and bots of industry. The clash is like a cat-and-mouse face-off taking place entirely in the ether, with the cat having to respond to every move by the mouse.
Given the complexity of the environment, if your company is not already bringing digital tools to the combat, you’re showing up to a firefight with a butter knife.
What Leading Companies Do Differently
Leaders in oil and gas are embarking on a wave of digital transformation of the business. The reasons are largely economic — modest percentage improvements in cost and productivity translate into enormous economic gains because of the scale of the industry.
The most sophisticated are also distinguished by their strategic response to the threats of cyber activity.
Boards take an active interest in cyber issues, hold regular education sessions on cyber topics, and have quarterly briefings from security experts on cyber activity.
Employee education programs incorporate cyber awareness training to highlight the perils of unprotected devices, phishing attacks, and spoofing. Some campaigns even include fake phishing attacks that help capture inattentive employees.
Risk review committees flag cyber risks alongside operational risks as high likelihood and high impact. That way, cyber defence gets some organizational attention.
Encryption is on by default for everything. And I mean everything — data, devices, sensors, and data flows. Since it’s only a matter of time before some digital assets are compromised, better that they are at least encrypted.
Particularly sensitive functions, such as encryption, are handled by hardware which can force hackers to need physical access to carry out an effective attack. Hardware-based encryption also lessens the overhead burden on networks.
AI and bots actively monitor the digital environment to detect intrusions, isolate intruders, repel attacks and neutralise many cyber threats. Bots don’t sleep, learn constantly, share openly, can monitor everything at once, and improve faster than humans. AI-backed monitoring is suddenly mandatory.
Cyber defence teams are world-class, fully equipped and constantly trained, and augmented with industrial-grade tools.
Cyber expertise is organizationally separate to bring independence to standards, testing, and monitoring of the digital assets. Services run a continuous program of penetration testing to detect weaknesses to be corrected.
Access to company digital assets and resources by third parties, suppliers, and contractors is time-boxed. Access to assets is often left open beyond the service window, creating a point of weakness.
Cyber worries are an increasing problem, but fortunately, the digital tools are at hand to help companies secure their perimeters and fend off the robots.