Sign Up for FREE Daily Energy News
Canadian Flag CDN NEWS  |  US Flag US NEWS  | TIMELY. FOCUSED. RELEVANT. FREE
  • Stay Connected
  • linkedin
  • twitter
  • facebook
  • youtube2
BREAKING NEWS:

Copper Tip Energy Services
Hazloc Heaters
Hazloc Heaters
Copper Tip Energy


Another Day, Another Cyber Attack on Oil and Gas – Geoffrey Cann


These translations are done via Google Translate

This time, it’s in retail

By GEOFFREY CANN

another day, another cyber attack on oil and gas geoffrey cann

Another cyber attack on an oil and gas company reminds the industry that cyber worries are forever.


Last week one of North America’s largest integrated oil and gas companies reported that some of its downstream business activities related to fuel retailing had been struck by a cyber incident. Details were minimal — the loyalty program had been taken off line, pay-at-the-pump services were unavailable, and some car washes had been impacted.

This incident raises a number of questions:

  • How did it happen?
  • How significant is this incident?
  • Who is behind it?
  • What are the likely impacts?
  • What is happening at the company?
  • Should customers be concerned?
  • What about society at large?
  • What does this mean for the rest of the industry?

How did it happen?

The most likely explanation is that some employee at some time clicked on some link in some email where they probably should have exercised some restraint. It was random. It’s hard to imagine a scenario where hackers, facing such a large and imposing company, settled on the downstream business as the most lucrative for a stick up. Their targeting is poor. If they were really serious, surely they would go after the upstream, where the impacts are more decisive.

conspiracist might point out that it is the other domestic fuel retailing majors that stand to benefit from the outage, and perhaps it’s a competitor that is behind the mayhem.  Possibly, but the consequences from getting caught and identified as the perpetrator would be extreme, and even more brand damaging than the outage to the victim.

How significant is this?

The scale and impact of the breach hasn’t been made clear or substantiated yet, so it is hard to declare that the incident is the biggest or the most significant breach of its kind. There have been few other reported breaches of consequence in North American downstream oil and gas in my memory, but that might be just a reflection of the publicity that cyber incidents attract.

After all, it’s not in the best interest of companies to reveal that they have been breached. It’s embarrassing. It creates an advantage for competitors who may offer services or assistance to the company’s customers and suppliers.

In this case, the breach impacted the company’s downstream public facing services (apps, fuel retailing, vehicle services, loyalty points), and so the hapless company was forced to reveal their situation. They elected to provide as little detail as possible, probably because lawyers, who generally lack business sense and empathy, are advising them. Their website still shows normal commercial fuel handling business which implies the cyber breach has been isolated to retail.

A game theorist might note that by not providing much data, the company has set up the opportunity to provide additional more damning detail at a later date, if necessary, while efforts at damage control are underway.

Downstream businesses include fuel movements of all kinds, from the refinery gate to the consumer. The downstream impacts could be quite far-reaching as fuel is distributed to airports (jet fuel), truck stops, construction sites and farming operations (diesel), and marinas (marine fuel). The military is dependent on fuel, as are far northern and remote communities. Should the incident spread, it could be very consequential for industry. In general, though, the computer systems that administer loyalty points, fuel retailing and car washes are far removed from, and technically isolated from card lock facilities for bulk fuel logistics, and oil refinery control systems.

Certainly any event that impacts consumers directly tends to gather media attention because of the human interest angle and the possibilities that personal data has been compromised. But I’m inclined to conclude that the incident is indeed as portrayed, as an interruption in some aspects of the company operations, and while inconvenient and regrettable, it’s business as usual.

Who is behind it?

The assailants are likely ransomware specialists and not state actors, as retail fuel stations aren’t great targets if your goal is to wreak economic disruption. The motoring public has plenty of alternative fuel supply options. Gas stations are ubiquitous, and most stations have cash dispensers. Customers can buy just a few dollars of fuel if they need to get to a rival station who can handle a big fuel purchase. In urban settings, they simply go to another station. In rural settings, the consequences are likely more meaningful as there are fewer convenient alternatives. The absence of car washes is only going to upset those who pre-paid.

There is a kind of macho culture among the hacker community to go after “big game” by trying to take down larger companies. Large businesses have deep pockets to pay large ransoms, and the bragging rights from felling a well-known brand with robust cyber protections likely confer some respect amongst the criminals.

ROO.AI Oil and Gas Field Service Software
GLJ

But that’s probably a fail in this instance. If the goal was the wholesale business, with its large scale economic impact, and a big payoff, they surely would have waited and bided their time by probing the company’s defenses, lying in wait for a more opportune moment. But car washes? The hackers were a) in for a quick buck; or b) discovered and decided to act while they could, or; c) determined that fuel retail and car washes were the max they could get.

What are the likely impacts?

The impacts are going to be measured in a number of ways:

  • Any marketing plans running at present, or planned for the summer driving season, are completely buggered. Real marketing money aimed at the driving public has been lost.
  • There are real revenue losses which might be covered by insurance, although separating out any losses from general sales variations might be tricky. Certainly some customers who are only willing to pay by card will take their business elsewhere.
  • There are operational problems to address, as refineries run continuously producing fuel. Since the fuel stations are not moving the usual volume level, the company will be storing the fuel not sold if there’s space, or selling the fuel as distressed. Fortunately, fuel is a commodity, and other suppliers will happily take up the volume.
  • Compensation will be offered to the impacted customers, perhaps as more loyalty points. This offer carries a non-cash cost.
  • Any ongoing business improvement or expansion projects in retailing dealing with loyalty systems or pay-at-the-pump are likely delayed as specialist resources are redeployed to fix the cyber issue.
  • There will be some out-of-pocket monies spent on specialist cyber experts.
  • It’s likely that a finance team is working on an eventual insurance claim.
  • Other parts of the company will be distracted from their agendas to focus on investigating any overlooked incursions, and beefing up cyber defenses.

What is happening at the company?

The event is certainly embarrassing for the company as cyber security is a Board level topic (a former senior cyber specialist with the company told me that they were personally briefing the Board on a quarterly basis).

My read is that it’s full on fire drill, with teams working round the clock to discover the source of the breach, and to trace the cyber problem throughout the systems to see how far it went. Specialist cyber resources will have been brought on site to bolster the internal cyber team. If it’s really bad, cots have been brought it so that the recovery team can get some shut-eye. Real money is being spent to get a handle on things, and it won’t be cheap.

There has almost certainly been Board briefings on the situation. It’s being taken very seriously.

Should customers be concerned?

Customer impacts are a little hard to gauge. For example, loyalty point programs are exactly that — a mechanism to create brand loyalty. The inconvenience of this cyber event, which could be a couple of weeks without access to the points program, probably has little consequence to the customer with a large points balance. Points are value, and are not abandoned lightly. If the cyber event has taken customer data (names, addresses, emails, car numbers, profiles), then its seriousness rises. That customer data is very valuable for such pursuits as identity theft, credit card fraud, ransomware, and other scams.

So far there has been no evidence that this is the case, and if it were, the company has an obligation to inform its customers as soon as possible that their profiles have been stolen. And it hasn’t.

If customers are unable to use credit and debit cards at the pumps for any length of time, then the impacts move quickly from one-time annoyance to permanent customer loss. Where I live, a credit card fuel purchase can easily hit $200 or more. Who carries that much cash anymore? Urban drivers will look for alternative suppliers, and if those supply points are convenient, then purchase patterns may change permanently.

On the other hand, if the cyber event extends beyond the retail customer and into the commercial arena, then fuel supply could be disrupted to industry. At that point, commercial buyers should be concerned.

What about society at large?

In western nations that are amply supplied by fuel retailing, such cyber incidents are of little national consequence. The impacts are annoyingdiffuseshort lived, and individually modest. Customers have ample convenient alternatives. In countries where fuel retailing is tightly controlled, as with a national oil company, then incidents like this are more meaningful. The inability to purchase fuel is of national concern.

What does this mean for the rest of the industry?

The energy industry is under constant attack by cyber actors. Energy is so vital to day to day life that disruptions in energy supply are of national interest, and providers are motivated to settle with attackers quickly. It helps that energy companies are also well capitalized and feature robust cash flows so that ransoms can be quickly paid.

Of longer term worry is the on-going conflict in Ukraine. Both sides in the war have stood up cyber armies to go after each other, and in the process are developing skills, tools and talents in cyber warfare. These abilities will likely be turned against other uninvolved nations once hostilities cease. Industry must be prepared.

Conclusions

By not revealing what happened in any detail, the company has created the perfect media opportunity to wildly speculate about the situation, and for the speculation to proceed for days. That’s a shame. I would have been more forthcoming with as much as I knew as quickly as possible so as to calm worried customers and regulators.

Share


Artwork is by Geoffrey Cann, and cranked out on an iPad using Procreate.

Share This:




More News Articles


GET ENERGYNOW’S DAILY EMAIL FOR FREE