After the major data breach at Sony this December, the Houston Chronicle published an article “Imagine If a Major Oil Company Got Hacked.” They proceeded to report “For example, can you imagine reading emails from Exxon Mobil’s top management about relations with Russian President Vladimir Putin? Imagine the documents that hackers could obtain if they broke into the servers at BP, Chevron or Royal Dutch Shell? What would happen to one of these companies’ stock price if suddenly a good portion of their emails became public? What would happen to the sector? Hackers could probably find something embarrassing enough to try to blackmail these companies. Sony has shown that if pressed hard enough, and long enough, a major corporation will crack… most major corporations say they maintain strict cyber-security standards. The problem is that professional, determined hackers tend to stay a step ahead.” The Houston Chronicle got most of it right, except that we don’t have to “imagine” a major oil company getting hacked. It’s happened already.
According to a study by PwC, the number of reported cyber-attacks carried out on oil and gas companies last year soared above 6,500 cases – a 179 percent increase from the year before. Frost & Sullivan has also reported that cyber security uptake is expected to surge and become “the highest-priority area for oil and gas companies”. This is coming at a time in the industry when automation is increasing the oil and gas companies’ risks. The email revelations, typically thought of as a result of hacking, might sound harmless, they could cause damage varying from embarrassing reputations, disruption of supply to millions of dollars in damage, or even health and safety incidents if critical equipment fails or is led astray by faulty data. As the industry is increasingly becoming more automated and technologically advanced, its vulnerability increases. The trend of digital oilfields and other industrial internet advances, sensors are generating more data than people. Temperatures, pressures or drill speeds, can be manipulated. This could disrupt or damage the operations or have potentially more devastating consequences on the safety of those who work with hazardous equipment or processes.
In 2014, National Security Authority Norway revealed 50 companies in the oil sector were hacked and 250 more are now being warned by the government agency. NSM is Norway’s prevention unit for serious hack attacks. Statoil, Norway’s largest oil company was a target of the attack. The attack was the largest of its kind against Norwegian interests to take place. This was believed to be in response to Statoil pursuing a partnership with Russia’s state oil company to explore oil in Norway’s Barents Sea. Indigenous and environmental groups have deep stakes in blocking drilling operations.
In June 2013, the oil and gas industry has found itself in the crosshairs of hacker activist group Anonymous, which recently announced plans to launch cyber-attacks on countries involved in the global oil trade. This was prompted by revelations that European investigators were probing BP, Royal Dutch Shell and Statoil for oil price manipulations. Dubbed Operation Petrol, the attacks focused on countries including the United States, Canada, Russia, China and Saudi Arabia.
Also in 2013, Anonymous attacks shut or slowed websites of businesses that had cut ties with WikiLeaks, including MasterCard Inc., Visa Inc. and PayPal. The campaign, Operation Payback, brought Anonymous new followers from around the world. Via online chat forums and social-media websites, participants disseminated instructions about how to download attack software and about sites to target. Software called LOIC, or low-orbit ion canon, was downloaded tens of thousands of times, security specialists say.
Below are typical cyber-attack tactics used by hacktivists:
Computer users bombard website servers with data in the hopes of knocking them offline. Among targets have been companies, such as PayPal and MasterCard, as well as government sites, including the CIA’s. Such attacks can cost tens of thousands of dollars for the victim, including the cost of defending against the attacks and improving security.
Break-ins into computer systems, potentially giving access to sensitive data such as customer information and internal emails. A hack into Sony’s systems resulted in the theft of personal data of about 100 million online video-game users. Sony shut its popular PlayStation online network for nearly a month, and has estimated the attack cost it about $171 million. Anonymous participants said the group didn’t orchestrate the attack, but couldn’t rule out that someone involved in the group could be involved.
Involves finding personal information about people and disclosing it online. LulzSec this week claimed to rat out two U.S. individuals it said had “tried to snitch” on the group, apparently disclosing names, addresses and other contact information.
— Gene Dieden